roleadd(1M)




NAME

     roleadd - administer a new role account on the system


SYNOPSIS

     roleadd [-c comment] [-d dir] [-e expire] [-f inactive]
     [-g group] [-G group [, group...]] [-m [-k skel_dir]]
     [-u uid [-o]] [-s shell]
     [-A authorization [,authorization...]] role

     roleadd -D [-b base_dir] [-e expire] [-f inactive]
     [-g group] [-A authorization [,authorization...]]
     [-P profile [,profile...]]


DESCRIPTION

     roleadd adds a role entry to the /etc/passwd, /etc/shadow,
     and /etc/user_attr files. The -A and -P options assign
     authorizations and profiles, respectively, to the role.
     Roles cannot be assigned to other roles.

     roleadd also creates supplementary group memberships for the
     role  (-G option) and creates the home directory (-m option)
     for the role if requested.  The  new  role  account  remains
     locked until the passwd(1) command is executed.

     Specifying roleadd -D with the -g, -b, -f, or -e option (or
     any combination of these options) sets the default values
     for the respective fields. See the -D option. Subsequent
     roleadd commands without the -D option use these arguments.

     The system file entries created with  this  command  have  a
     limit  of 512 characters per line. Specifying long arguments
     to several options can exceed this limit.

     The role (role) field accepts a string of no more than eight
     bytes  consisting  of  characters from the set of alphabetic
     characters, numeric characters, period (.), underscore  (_),
     and hyphen (-). The first character should be alphabetic and
     the field should contain at least one lower case  alphabetic
     character. A warning message will be written if these
     restrictions are not met. A future Solaris release may
     refuse to accept role fields that do not meet these
     requirements.

     The role field must contain at least one character and  must
     not contain a colon (:) or a newline (\n).


OPTIONS

     The following options are supported:

     -A authorization
           One or more comma-separated authorizations defined in
           auth_attr(4). Only a user or role who has grant rights
           to the authorization can assign it to an account.

     -b base_dir
           The default base directory for the system if -d dir is
           not  specified.  base_dir  is  concatenated  with  the
           account name to define the home directory. If  the  -m
           option is not used, base_dir must exist.

     -c comment
           Any text string. It is generally a  short  description
           of  the role. This information is stored in the role's
           /etc/passwd entry.

     -d dir
           The home directory of the new  role.  It  defaults  to
           base_dir/account_name,  where  base_dir  is  the  base
           directory  for  new   login   home   directories   and
           account_name is the new role name.

     -D    Display the default values for group, base_dir,
           skel_dir, shell, inactive, and expire. When used with
           the -g, -b, or -f options, the -D option sets the
           default values for the specified fields. The default
           values are:

           group other (GID of 1)

           base_dir
                 /home

           skel_dir
                 /etc/skel

           shell /bin/sh

           inactive
                 0

           expire
                 Null

           auths Null

           profiles
                 Null

     -e expire
           Specify the expiration date for  a  role.  After  this
           date,  no  user  will be able to access this role. The
           expire option argument is a date entered using one  of
           the   date  formats  included  in  the  template  file
           /etc/datemsk. See getdate(3C).

           If the date format that you choose includes spaces, it
           must  be quoted. For example, you can enter 10/6/90 or
           "October 6, 1990". A null  value  ("  ")  defeats  the
           status  of the expired date. This option is useful for
           creating temporary roles.

     -f inactive
           The maximum number of days allowed between uses  of  a
           role  ID  before  that  ID is declared invalid. Normal
           values are positive integers. A value  of   0  defeats
           the status.

     -g group
           An existing group's  integer  ID  or  character-string
           name. Without the -D option, it defines the new role's
           primary group membership and defaults to  the  default
           group.  You  can  reset this default value by invoking
           roleadd -D -g group.

     -G group
           An existing group's  integer  ID  or  character-string
           name.  It  defines  the new role's supplementary group
           membership. Duplicates between groups specified with
           the -g and -G options are ignored. No more than
           NGROUPS_MAX groups can be specified.

     -k skel_dir
           A directory that contains skeleton  information  (such
           as .profile) that can be copied into a new role's home
           directory. This directory must already exist. The
           system provides the /etc/skel directory that can be
           used for this purpose.

     -m    Create the new role's home directory if  it  does  not
           already  exist.  If  the  directory already exists, it
           must have read,  write,  and  execute  permissions  by
           group, where group is the role's primary group.

     -o    This option  allows  a  UID  to  be  duplicated  (non-
           unique).

     -P profile
           One or more comma-separated execution profiles defined
           in prof_attr(4).

     -s shell
           Full pathname of the program used as the user's  shell
           on  login.  It  defaults to an empty field causing the
           system to use /bin/sh as the  default.  The  value  of
           shell must be a valid executable file.

     -u uid
           The UID of the new role.  This  UID  must  be  a  non-
           negative  decimal  integer  below MAXUID as defined in
           <sys/param.h>.  The UID defaults to the next available
           (unique)  number  above  the  highest number currently
           assigned. For example, if UIDs 100, 105, and  200  are
           assigned,  the  next  default  UID number will be 201.
           (UIDs from 0-99  are  reserved  for  possible  use  in
           future applications.)
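

EXAMPLES

     An added example, not part of the original manual page: a
     POSIX shell pre-flight that applies the role-name rules from
     DESCRIPTION and the -u rules above to candidate arguments
     before roleadd is run. The function names and the sample
     passwd lines are constructed for illustration; the MAXUID
     bound is not checked because its value is not given here.

```sh
#!/bin/sh
# Pre-flight checks for roleadd arguments (added example, names are assumptions).
LC_ALL=C; export LC_ALL      # byte-wise lengths and ASCII-only character classes

# check_role_name NAME: 0 = ok, 1 = roleadd would warn, 2 = invalid field
check_role_name() {
    nl='
'
    [ -n "$1" ] || return 2                             # at least one character
    case $1 in *:*|*"$nl"*) return 2 ;; esac            # no colon, no newline
    [ "${#1}" -le 8 ] || return 1                       # at most eight bytes
    case $1 in *[!A-Za-z0-9._-]*) return 1 ;; esac      # allowed character set
    case $1 in [A-Za-z]*) ;; *) return 1 ;; esac        # first char alphabetic
    case $1 in *[a-z]*) ;; *) return 1 ;; esac          # one lower-case letter
    return 0
}

# check_uid UID PASSWD_FILE: 0 = free, 1 = reserved 0-99, 2 = malformed or in use
check_uid() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac
    if awk -F: -v u="$1" '$3 == u { hit = 1 } END { exit !hit }' "$2"; then
        return 2                                        # a duplicate needs -o
    fi
    [ "$1" -ge 100 ] || return 1
    return 0
}

# next_default_uid PASSWD_FILE: highest assigned UID plus one
next_default_uid() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 + 0 > max { max = $3 + 0 }
             END { print max + 1 }' "$1"
}

# Constructed sample in passwd(4) layout, not taken from a real system.
write_sample_passwd() {
    cat > "$1" <<'EOF'
alice:x:100:1::/home/alice:/bin/sh
bob:x:105:1::/home/bob:/bin/sh
opsadmin:x:200:1:Operator role:/home/opsadmin:/bin/sh
EOF
}

sample=${TMPDIR:-/tmp}/roleadd_sample.$$
write_sample_passwd "$sample"
for r in opsadmin Backup_Operator 9lives 'a:b'; do
    check_role_name "$r" && rc=0 || rc=$?
    echo "role '$r': check_role_name returned $rc"
done
echo "next default uid: $(next_default_uid "$sample")"
rm -f "$sample"
```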


FILES

     /etc/datemsk

     /etc/passwd

     /etc/shadow

     /etc/group

     /etc/skel

     /usr/include/limits.h

     /etc/user_attr


ATTRIBUTES

     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsu                     |
    |_____________________________|_____________________________|


SEE ALSO

     passwd(1), profiles(1), roles(1), users(1B), groupadd(1M),
     groupdel(1M), groupmod(1M), grpck(1M), logins(1M), pwck(1M),
     userdel(1M), usermod(1M), getdate(3C), auth_attr(4),
     passwd(4), prof_attr(4), user_attr(4), attributes(5)


DIAGNOSTICS

     In case of an error, roleadd prints  an  error  message  and
     exits with a non-zero status.

     The following indicates that the login specified is already
     in use:

     UX: roleadd: ERROR: login is already in use. Choose another.

     The following indicates that the uid specified with  the  -u
     option is not unique:

     UX: roleadd: ERROR: uid uid is already in use. Choose another.

     The following indicates that the group specified with the -g
     option does not exist:

     UX: roleadd: ERROR: group group does not exist. Choose another.

     The following indicates that the uid specified with  the  -u
     option is in the range of reserved UIDs (from 0-99):

     UX: roleadd: WARNING: uid uid is reserved.

     The following indicates that the uid specified with  the  -u
     option exceeds MAXUID as defined in <sys/param.h>:

     UX: roleadd: ERROR: uid uid is too big. Choose another.

     The following indicates that the /etc/passwd or  /etc/shadow
     files do not exist:

     UX: roleadd: ERROR: Cannot update system files - login cannot be created.


NOTES

     If a network nameservice such as NIS or NIS+ is  being  used
     to  supplement  the  local  /etc/passwd file with additional
     entries, roleadd cannot change information supplied  by  the
     network nameservice.

