smprofile(1M)
NAME
smprofile - manage profiles in the prof_attr and exec_attr
databases
SYNOPSIS
/usr/sadm/bin/smprofile subcommand [ auth_args] --
[subcommand_args]
DESCRIPTION
The smprofile command manages one or more profiles in the
prof_attr(4) or exec_attr(4) databases in the local /etc
files name service or a NIS or NIS+ name service.
subcommands
smprofile subcommands are:
add Adds a new profile (right) to the prof_attr(4) database.
To add a profile, the administrator must have
the solaris.profmgr.write authorization.
delete
Deletes a profile from the prof_attr(4) database,
deletes all associated entries from the exec_attr(4)
database, and deletes the assigned profile from the
user_attr(4) database. To delete a profile, the
administrator must have the
solaris.profmgr.execattr.write and
solaris.profmgr.write authorizations.
list Lists one or more profiles from the prof_attr(4) or
exec_attr(4) databases. To list a profile, the
administrator must have the solaris.profmgr.read
authorization.
modify
Modifies a profile in the prof_attr(4) database. To
modify a profile, the administrator must have the
solaris.profmgr.write authorization.
OPTIONS
The smprofile authentication arguments, auth_args, are
derived from the smc(1M) arg set and are the same regardless
of which subcommand you use. The smprofile command requires
the Solaris Management Console to be initialized for the
command to succeed (see smc(1M)). After rebooting the
Solaris Management Console server, the first Solaris Management
Console connection might time out, so you might need to
retry the command.
The subcommand-specific options, subcommand_args, must come
after the auth_args and must be separated from them by the
-- option.
auth_args
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are
all optional. If no auth_args are specified, certain
defaults will be assumed and the user may be prompted for
additional information, such as a password for authentication
purposes. These letter options can also be specified by
their equivalent option words preceded by a double dash. For
example, you can use either -D or --domain with the domain
argument.
-D | --domain domain
Specifies the default domain that you want to manage.
The syntax of domain is type:/host_name/domain_name,
where type is nis, nisplus, dns, ldap, or file;
host_name is the name of the machine that serves the
domain; and domain_name is the name of the domain you
want to manage. (Note: Do not use nis+ for nisplus.)
If you do not specify this option, the Solaris Management
Console assumes the file default domain on whatever
server you choose to manage, meaning that changes
are local to the server. Toolboxes can change the
domain on a tool-by-tool basis; this option specifies
the domain for all other tools.
-H | --hostname host_name:port
Specifies the host_name and port to which you want to
connect. If you do not specify a port, the system connects
to the default port, 898. If you do not specify
host_name:port, the Solaris Management Console connects
to the local host on port 898. You may still
have to choose a toolbox to load into the console. To
override this behavior, use the smc(1M) -B option, or
set your console preferences to load a "home toolbox"
by default.
-l | --rolepassword role_password
Specifies the password for the role_name. If you
specify a role_name but do not specify a
role_password, the system prompts you to supply a
role_password. Passwords specified on the command line
can be seen by any user on the system, hence this
option is considered insecure.
-p | --password password
Specifies the password for the user_name. If you do
not specify a password, the system prompts you for
one. Passwords specified on the command line can be
seen by any user on the system, hence this option is
considered insecure.
-r | --rolename role_name
Specifies a role name for authentication. If you do
not specify this option, no role is assumed.
-u | --username user_name
Specifies the user name for authentication. If you do
not specify this option, the user identity running the
console process is assumed.
-- This option is required and must always follow the
preceding options. If you do not enter the preceding
options, you must still enter the -- option.
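The -p and -l letters name a password only inside auth_args; after the -- separator the same letters are subcommand options. The following is an added example, not part of smprofile or this manual page: a shell function (the name smprofile_pw_exposure is hypothetical) that checks a command line, for instance one taken from an administration script, for passwords passed in auth_args. The sample invocations are constructed.

```shell
# Added example, not part of smprofile. Classifies one smprofile command line
# by whether its auth_args (the words before the first "--") carry a password.
# Prints "exposed:<options>", "clean" or "no-separator".
smprofile_pw_exposure() {
    found=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --) break ;;
            -p|--password|-l|--rolepassword)
                found="${found:+$found,}$1"
                shift ;;          # skip the password value itself
            -D|--domain|-H|--hostname|-r|--rolename|-u|--username)
                shift ;;          # skip this option's value
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    if [ $# -eq 0 ]; then
        echo "no-separator"       # "--" is required, so the line is invalid
        return 2
    fi
    if [ -n "$found" ]; then
        echo "exposed:$found"
        return 1
    fi
    echo "clean"
}

# Constructed sample invocations (not taken from a real system).
# The -p after "--" is a supplementary profile and the -l after "--" is the
# detailed-output flag of list, so neither is reported.
smprofile_pw_exposure smprofile add -H myhost -p mypasswd -u root -- \
    -n "User Manager" -p Operator || true
smprofile_pw_exposure smprofile list -H myhost -u root -- -l || true
```

A line reported as clean omits -p and -l from auth_args, in which case the command prompts for the password as described above.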
subcommand_args
Note: Descriptions and other arg options that contain white
spaces must be enclosed in double quotes.
o For subcommand add:
-a addauth1 -a addauth2 . . .
(Optional) Specifies the authorization name(s)
to add to the new profile. The administrator
must have the solaris.profmgr.write authorization
and must have the corresponding "grant"
authorization. A "grant" authorization is one in
which the lowest component of the authorization
name is replaced by the word grant. For example,
to grant some profile the solaris.role.write
authorization, the administrator needs that
authorization and also the solaris.role.grant
authorization. For more information on granting
authorizations, see auth_attr(4).
-d description
Specifies the description of the new profile.
-h (Optional) Displays the command's usage statement.
-m html_help
Specifies the HTML help file name for the new
profile. The help file name must be put in the
/usr/lib/help/profiles/locale/C directory.
-n name
Specifies the name of the new profile.
-p addprof1 -p addprof2 . . .
(Optional) Specifies the supplementary profile
name(s) to add to the new profile.
o For subcommand delete:
-h (Optional) Displays the command's usage statement.
-n name
Specifies the name of the profile you want to
delete.
o For subcommand list:
-h (Optional) Displays the command's usage statement.
-l (Optional) Displays the detailed output for each
profile in a block of key:value pairs, followed
by a blank line that delimits each profile
block. Each key:value pair is displayed on a
separate line. All the attributes associated
with a profile from the prof_attr and exec_attr
databases are displayed. If you do not specify
this option, only the specified profile name(s)
and associated profile description(s) are
displayed.
-n name1 -n name2 . . .
(Optional) Specifies the profile(s) that you
want to display. If you do not specify a profile
name, all profiles are displayed.
o For subcommand modify:
-a addauth1 -a addauth2 . . .
(Optional) Specifies the authorization name(s)
to add to the profile. The administrator must
currently have been granted each of the specified
authorizations and must have the ability to
grant each of those authorizations to other
users or roles. For more information on granting
authorizations, see auth_attr(4).
-d description
(Optional) Specifies the new description of the
profile.
-h (Optional) Displays the command's usage statement.
-m html_help
(Optional) Specifies the new HTML help file name
of the profile. If you change this name, you
must accordingly rename the help file name
entered in the /usr/lib/help/profiles/locale/C
directory.
-n name
Specifies the name of the profile you want to
modify.
-p addprof1 -p addprof2 . . .
(Optional) Specifies the supplementary profile
name(s) to add to the profile. The administrator
must have the solaris.profmgr.assign authorization
to add any profile and the
solaris.profmgr.delegate authorization to add
any profile that has been assigned to the
authenticated user.
-q delprof1 -q delprof2 . . .
(Optional) Specifies the supplementary profile
name(s) to delete from the profile. The administrator
must have the solaris.profmgr.assign
authorization to delete any profile and the
solaris.profmgr.delegate authorization to delete
any profile that has been assigned to the
authenticated user.
-r delauth1 -r delauth2 . . .
(Optional) Specifies the authorization name(s)
to delete from the profile. The administrator
must have the solaris.profmgr.write authorization
and must have the corresponding "grant"
authorization. For more information about
"grant" authorizations, see the -a option
description for the add subcommand above.
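The "grant" rule given for the -a option of add can be checked before the command is run. The following is an added example, not part of smprofile: the function names are hypothetical, the held authorizations are constructed sample input, and names are compared literally, so a wildcard entry in the held list is not expanded (an assumption of this sketch).

```shell
# Added example, not part of smprofile.
# Derive the "grant" authorization: the lowest (last) component of the
# authorization name is replaced by the word grant.
grant_auth_for() {
    echo "${1%.*}.grant"
}

# $1    = comma-separated authorizations the administrator holds
#         (for example the list printed by auths(1))
# $2... = the values intended for -a on "smprofile add"
# Prints, comma-separated, every authorization still missing: each requested
# authorization, its grant authorization, and solaris.profmgr.write.
# Comparison is literal; wildcards in the held list are not expanded.
missing_for_add() {
    held=",$1,"; shift
    missing=""
    for auth in "$@"; do
        for need in solaris.profmgr.write "$auth" "$(grant_auth_for "$auth")"; do
            case "$held" in *",$need,"*) continue ;; esac
            case ",$missing," in
                *",$need,"*) ;;                       # already reported once
                *) missing="${missing:+$missing,}$need" ;;
            esac
        done
    done
    echo "$missing"
}

# Constructed sample: the administrator holds two authorizations and wants
# to add the two -a values used in Example 1 of this page.
missing_for_add "solaris.profmgr.write,solaris.admin.usermgr.read" \
    solaris.admin.usermgr.write solaris.admin.usermgr.read
```

An empty result means every prerequisite named in the -a description is present in the held list.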
EXAMPLES
Example 1: Creating a new profile
The following creates a new User Manager profile on the
local file system. The new profile description is Manage
users and groups, and the authorizations assigned are
solaris.admin.usermgr.write and solaris.admin.usermgr.read.
The supplementary profile assigned is Operator. The help
file name is RtUserMgmt.html.
./smprofile add -H myhost -p mypasswd -u root -- -n "User Manager" \
-d "Manage users and groups" -a solaris.admin.usermgr.write \
-a solaris.admin.usermgr.read -p Operator -m RtUserMgmt.html
Example 2: Deleting a profile
The following deletes the User Manager profile from the
local file system:
./smprofile delete -H myhost -p mypasswd -u root -- -n "User Manager"
Example 3: Listing all profiles
The following lists all profiles and their associated profile
descriptions on the local file system.
./smprofile list -H myhost -p mypasswd -u root --
Example 4: Modifying a profile
The following modifies the User Manager profile on the local
file system. The new profile description is Manage world,
the new authorization assignment is solaris.admin.usermgr.*
authorizations, and the new supplementary profile assignment
is All. (The -a option argument must be enclosed in double
quotes when the wildcard character (*) is used.)
./smprofile modify -H myhost -p mypasswd -u root -- -n "User Manager" \
-d "Manage world" -a "solaris.admin.usermgr.*" -p All
ENVIRONMENT VARIABLES
See environ(5) for a description of the JAVA_HOME environment
variable, which affects the execution of the smprofile
command. If this environment variable is not specified, the
/usr/java location is used. See smc(1M).
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 Invalid command syntax. A usage message displays.
2 An error occurred while executing the command. An
error message displays.
FILES
The following files are used by the smprofile command:
/etc/security/exec_attr
Execution profiles database. See exec_attr(4).
/etc/security/prof_attr
Profile description database. See prof_attr(4).
/etc/user_attr
Extended user attribute database. See user_attr(4).
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWmga |
|_____________________________|_____________________________|
SEE ALSO
smc(1M), auth_attr(4), exec_attr(4), prof_attr(4),
user_attr(4), attributes(5), environ(5)