smrole(1M)
NAME
smrole - manage roles and users in role accounts
SYNOPSIS
/usr/sadm/bin/smrole subcommand [ auth_args] -- [subcommand_args]
DESCRIPTION
The smrole command manages roles and adds or deletes users
in role accounts.
subcommands
smrole subcommands are:
add Adds a new role entry. To add an entry, the administrator
must have the solaris.role.write authorization.
delete
Deletes one or more roles. To delete an entry, the
administrator must have the solaris.role.write
authorization.
list Lists one or more roles. If you do not specify a role
name, all roles are listed. To list an entry, the
administrator must have the solaris.admin.usermgr.read
authorization.
modify
Adds or deletes users from a role account. To modify
an entry, the administrator must have the
solaris.role.write authorization.
OPTIONS
The smrole authentication arguments, auth_args, are derived
from the smc(1M) arg set and are the same regardless of
which subcommand you use. The smrole command requires the
Solaris Management Console to be initialized for the command
to succeed (see smc(1M)). After rebooting the Solaris
Management Console server, the first Solaris Management
Console connection might time out, so you might need to
retry the command.
The subcommand-specific options, subcommand_args, must come
after the auth_args and must be separated from them by the
-- option.
auth_args
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are
all optional. If no auth_args are specified, certain
defaults will be assumed and the user may be prompted for
additional information, such as a password for
authentication purposes. These letter options can also be specified by
their equivalent option words preceded by a double dash. For
example, you can use either -D or --domain with the domain
argument.
-D | --domain domain
Specifies the default domain that you want to manage.
The syntax of domain is type:/host_name/domain_name,
where type is nis, nisplus, dns, ldap, or file;
host_name is the name of the machine that serves the
domain; and domain_name is the name of the domain you
want to manage. (Note: Do not use nis+ for nisplus.)
If you do not specify this option, the Solaris
Management Console assumes the file default domain on
whatever server you choose to manage, meaning that changes
are local to the server. Toolboxes can change the
domain on a tool-by-tool basis; this option specifies
the domain for all other tools.
-H | --hostname host_name:port
Specifies the host_name and port to which you want to
connect. If you do not specify a port, the system
connects to the default port, 898. If you do not specify
host_name:port, the Solaris Management Console
connects to the local host on port 898. You may still
have to choose a toolbox to load into the console. To
override this behavior, use the smc(1M) -B option, or
set your console preferences to load a "home toolbox"
by default.
-l | --rolepassword role_password
Specifies the password for the role_name. If you
specify a role_name but do not specify a
role_password, the system prompts you to supply a
role_password. Passwords specified on the command line
can be seen by any user on the system, hence this
option is considered insecure.
-p | --password password
Specifies the password for the user_name. If you do
not specify a password, the system prompts you for
one. Passwords specified on the command line can be
seen by any user on the system, hence this option is
considered insecure.
-r | --rolename role_name
Specifies a role name for authentication. If you do
not specify this option, no role is assumed.
-u | --username user_name
Specifies the user name for authentication. If you do
not specify this option, the user identity running the
console process is assumed.
-- This option is required and must always follow the
preceding options. If you do not enter the preceding
options, you must still enter the -- option.
subcommand_args
Note: Descriptions and other arg options that contain white
spaces must be enclosed in double quotes.
o For subcommand add:
-a adduser1 -a adduser2 . . .
(Optional) Specifies the user name(s) to add to
the new role. The administrator must have the
solaris.role.assign authorization.
-c comment
(Optional) Includes a short description of the
role. Consists of a string of up to 256
printable characters, excluding the colon (:).
-d dir
(Optional) Specifies the home directory of the
new role, limited to 1024 characters.
-F full_name
(Optional) Specifies the full, descriptive name
of the role. The full_name must be unique within
a domain, and can contain alphanumeric
characters and spaces. If you use spaces, you must
enclose the full_name in double quotes.
-G group1 -G group2 . . .
(Optional) Specifies the new role's
supplementary group membership in the system group
database with the character string names of one or
more existing groups. Note: You cannot assign a
primary group to a role. A role's primary group
is always sysadmin (group 14).
-h (Optional) Displays the command's usage statement.
-n rolename
Specifies the name of the role you want to
create.
-p addprof1 -p addprof2 . . .
(Optional) Specifies the profile(s) to add to
the role. To assign a profile to a role, the
administrator must have the
solaris.profmgr.assign or
solaris.profmgr.delegate authorization.
-P password
(Optional) Specifies the role's password. The
password can contain up to eight characters. If
you do not specify a password, the system
prompts you for one. To set the password, the
administrator must have the
solaris.admin.usermgr.pswd authorization. Note:
When you specify a password using the -P option,
you type the password in plain text. Specifying
a password using this method introduces a
security gap while the command is running. However,
if you do not specify a password (and the system
prompts you for one), the echo is turned off
when you type in the password.
-s shell
(Optional) Specifies the full pathname of the
program used as the role's shell on login. Valid
entries are /bin/pfcsh (C shell), /bin/pfksh
(Korn shell), and /bin/pfsh (Bourne shell), the
default.
-u uid
(Optional) Specifies the ID of the role you want
to add. If you do not specify this option, the
system assigns the next available unique ID
greater than 100.
-x autohome=Y|N
(Optional) Sets the role's home directory. The
home directory path in the password entry is set
to /home/login_name.
-x perm=home_perm
(Optional) Sets the permissions on the role's
home directory. perm is interpreted as an octal
number, and the default is 0775.
-x serv=homedir_server
(Optional) If -D is nis, nisplus, or ldap, use
this option to specify the name of the server
where the user's home directory resides. Users
created in a local scope must have their home
directory server created on their local
machines.
o For subcommand delete:
-h (Optional) Displays the command's usage statement.
-n rolename1 -n rolename2 . . .
Specifies the name of the role(s) you want to
delete.
o For subcommand list:
-h (Optional) Displays the command's usage statement.
-l (Optional) Displays the output for each user in
a block of key:value pairs (for example, user
name:root), followed by a blank line that
delimits each user block. Each key:value pair is
displayed on a separate line. The keys are:
autohome setup, comment, home directory, login
shell, primary group, secondary groups, server,
user ID (UID), and user name.
-n role1 -n role2 . . .
(Optional) Specifies the role(s) that you want
to list. If you do not specify a role name, all
roles are listed.
o For subcommand modify:
-a adduser1 -a adduser2 . . .
(Optional) Specifies the user name(s) to add to
the role. The administrator must have the
solaris.role.assign authorization, or must have
the solaris.role.delegate authorization and be a
member of the role being modified.
-c comment
(Optional) Includes a short description of the
role. Consists of a string of up to 256
printable characters, excluding the colon (:).
-d dir
(Optional) Specifies the home directory of the
role, limited to 1024 characters.
-F full_name
(Optional) Specifies the full, descriptive name
of the role. The full_name must be unique within
a domain, and can contain alphanumeric
characters and spaces. If you use spaces, you must
enclose the full_name in double quotes.
-G group1 -G group2 . . .
(Optional) Specifies the role's secondary
group membership in the system group database
with the character string names of one or more
existing groups. Note: You cannot assign a
primary group to a role. A role's primary group is
always sysadmin (group 14).
-h (Optional) Displays the command's usage statement.
-n rolename
Specifies the name of the role you want to
modify.
-N new_rolename
(Optional) Specifies the new name of the role.
-p addprof1 -p addprof2 . . .
(Optional) Specifies the profile(s) to add to
the role. To assign a profile to a role, the
administrator must have the
solaris.profmgr.assign or
solaris.profmgr.delegate authorization.
-P password
(Optional) Specifies the role's password. The
password can contain up to eight characters. To
set the password, the administrator must have
the solaris.admin.usermgr.pswd authorization.
Note: When you specify a password, you type the
password in plain text. Specifying a password
using this method introduces a security gap
while the command is running.
-q delprof1 -q delprof2 . . .
(Optional) Specifies the profile(s) to delete
from the role.
-r deluser1 -r deluser2 . . .
(Optional) Specifies the user name(s) to delete
from the role.
-s shell
(Optional) Specifies the full pathname of the
program used as the role's shell on login. Valid
entries are /bin/pfcsh (C shell), /bin/pfksh
(Korn shell), and /bin/pfsh (Bourne shell), the
default.
-x autohome=Y|N
(Optional) Sets the role's home directory. The
home directory path in the password entry is set
to /home/login_name.
-x perm=home_perm
(Optional) Sets the permissions on the role's
home directory. perm is interpreted as an octal
number, and the default is 0775.
EXAMPLES
Example 1: Creating a role account
The following creates the role1 account with a full name of
Engineering Admin and a password of abc123 on the local file
system, and assigns user1 and user2 to the role. This role
has Name Service Security and Audit Review rights. The
system assigns the next available unique UID greater than 100.
./smrole add -H myhost -p mypasswd -u root -- -n role1 \
-F "Engineering Admin" -P abc123 -a user1 -a user2 \
-p "Name Service Security" -p "Audit Review"
Example 2: Deleting role accounts
The following deletes the role1 and role2 accounts from the
local file system.
./smrole delete -H myhost -p mypasswd -u root -- -n role1 -n role2
Example 3: Listing role accounts
The following lists all role accounts on the local file
system in summary form.
./smrole list -H myhost -p mypasswd -u root --
Example 4: Modifying a role account
The following modifies the role1 account so the role
defaults to the Korn shell, includes the user3 account, and
does not include the user2 account.
./smrole modify -H myhost -p mypasswd -u root -- -n role1 \
-s /bin/pfksh -a user3 -r user2
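The following is an added illustration, not part of the original man page: it parses the block-style output that smrole list -l produces (one key:value pair per line, role blocks separated by a blank line, as described under subcommand_args) and reports any role whose login shell is not one of the profile shells smrole accepts (/bin/pfsh, /bin/pfksh, /bin/pfcsh). The sample output is constructed here rather than captured from a system, and the key names are assumed to match those listed for the -l option.

```shell
#!/bin/sh
# Constructed sample of `smrole list -l` output (not captured from a real
# host). Key names follow the -l description; values are made up.
SAMPLE_LIST='user name:role1
comment:Engineering Admin
home directory:/home/role1
login shell:/bin/pfksh
primary group:sysadmin
secondary groups:staff,sysadmin
user ID (UID):101
autohome setup:Y
server:

user name:role2
comment:Legacy role
home directory:/home/role2
login shell:/bin/ksh
primary group:sysadmin
secondary groups:
user ID (UID):102
autohome setup:N
server:
'

# audit_role_shells LIST_OUTPUT
# Prints "rolename:shell" for each role whose shell is not a profile shell.
# A role given an ordinary shell bypasses the RBAC profile checking that
# /bin/pfsh, /bin/pfksh and /bin/pfcsh perform, so such roles are worth
# reviewing. Requires a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris).
audit_role_shells() {
    printf '%s\n' "$1" | awk -F: '
        function flush() {
            if (name != "" && shell !~ /^\/bin\/pf(sh|ksh|csh)$/)
                print name ":" shell
            name = ""; shell = ""
        }
        /^$/ { flush(); next }
        # Re-join anything after the first colon so values may contain ":".
        { key = $1; val = substr($0, length(key) + 2) }
        key == "user name"   { name = val }
        key == "login shell" { shell = val }
        END { flush() }'
}

audit_role_shells "$SAMPLE_LIST"
```

Run as a filter instead with `./smrole list -H myhost -u root -- -l | { read -r out; }` style capture, or simply pass the captured output as the function's argument.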
ENVIRONMENT VARIABLES
See environ(5) for a description of the JAVA_HOME
environment variable, which affects the execution of the smrole
command. If this environment variable is not specified, the
/usr/java location is used. See smc(1M).
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 Invalid command syntax. A usage message displays.
2 An error occurred while executing the command. An
error message displays.
FILES
The following files are used by the smrole command:
/etc/aliases
Mail aliases. See aliases(4).
/etc/auto_home
Automatic mount points. See automount(1M).
/etc/group
Group file. See group(4).
/etc/passwd
Password file. See passwd(4).
/etc/security/policy.conf
Configuration file for security policy. See
policy.conf(4).
/etc/shadow
Shadow password file. See shadow(4).
/etc/user_attr
Extended user attribute database. See user_attr(4).
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWmga |
|_____________________________|_____________________________|
SEE ALSO
automount(1M), smc(1M), aliases(4), group(4), passwd(4),
policy.conf(4), shadow(4), user_attr(4), attributes(5),
environ(5)