Authorization Naming and Delegation
An RBAC authorization is a discrete right that can be granted to a
role or a user. Authorizations are checked by RBAC-compliant applications before a user
gets access to the application or specific operations within the application. This check
replaces the tests in conventional UNIX applications for UID=0.
Authorization Naming Conventions
An authorization has a name that is used internally and in files.
For example, solaris.admin.usermgr.pswd is the name of an authorization. An authorization has a short
description, which appears in the graphical user interfaces (GUIs). For example, Change Passwords is
the description of the solaris.admin.usermgr.pswd authorization.
By convention, authorization names consist of the reverse order of the Internet name
of the supplier, the subject area, any subareas, and the function. The parts
of the authorization name are separated by dots. An example would be com.xyzcorp.device.access.
Exceptions to this convention are the authorizations from Sun Microsystems, Inc., which use the
prefix solaris instead of an Internet name. The naming convention enables administrators to
apply authorizations in a hierarchical fashion. A wildcard (*) can represent any strings
to the right of a dot.
Example of Authorization Granularity
As an example of how authorizations are used, consider the following: A user
in the Operator role might be limited to the solaris.admin.usermgr.read authorization, which
provides read but not write access to user configuration files. The System Administrator
role naturally has the solaris.admin.usermgr.read and the solaris.admin.usermgr.write authorizations for making changes to
user files. However, without the solaris.admin.usermgr.pswd authorization, the System Administrator cannot change
passwords. The Primary Administrator has all three of these authorizations.
The solaris.admin.usermgr.pswd authorization is required to make password changes in the Solaris Management
Console User tool. This authorization is also required for using the password modification
options in the smuser, smmultiuser, and smrole commands.
Delegation Authority in Authorizations
An authorization that ends with the suffix grant enables a user or
a role to delegate to other users any assigned authorizations that begin with
the same prefix.
For example, a role with the authorizations solaris.admin.usermgr.grant and solaris.admin.usermgr.read can delegate the
solaris.admin.usermgr.read authorization to another user. A role with the solaris.admin.usermgr.grant and solaris.admin.usermgr.* authorizations
can delegate any of the authorizations with the solaris.admin.usermgr prefix to other users.
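The wildcard and delegation rules above can be checked with a small model. The following Python sketch is an added example, not Solaris source code or the behavior of any Solaris library call. The role labels delegator and wildcard_delegator are hypothetical names for the two roles in the delegation examples, and requiring the grant authorization by exact name (never through a wildcard) is a conservative assumption of this sketch.

```python
# Added model of the page's wildcard and delegation rules; not Solaris source.
GRANT = ".grant"

def auth_matches(granted, required):
    """True if one assigned authorization string covers the required name."""
    if granted == required:
        return True
    # A trailing "*" represents any strings to the right of the dot.
    if granted.endswith(".*"):
        prefix = granted[:-1]  # keep the dot, e.g. "solaris.admin.usermgr."
        return required.startswith(prefix) and len(required) > len(prefix)
    return False

def has_auth(assigned, required):
    """True if any assigned authorization covers the required one."""
    return any(auth_matches(g, required) for g in assigned)

def can_delegate(assigned, auth):
    """Delegation needs the authorization itself plus a grant authorization
    with the same prefix. Assumption of this sketch: the grant authorization
    must be held by its exact name, never implied by a wildcard."""
    if not has_auth(assigned, auth):
        return False
    for g in assigned:
        if g.endswith(GRANT) and auth.startswith(g[:-len("grant")]):
            return True
    return False

U = "solaris.admin.usermgr."
# Authorization sets taken from the page's examples; the last two keys are
# hypothetical labels for the roles in the delegation section.
ROLES = {
    "Operator": {U + "read"},
    "System Administrator": {U + "read", U + "write"},
    "Primary Administrator": {U + "read", U + "write", U + "pswd"},
    "delegator": {U + "grant", U + "read"},
    "wildcard_delegator": {U + "grant", U + "*"},
}

if __name__ == "__main__":
    for role, auths in ROLES.items():
        print(f"{role}: change passwords={has_auth(auths, U + 'pswd')}, "
              f"delegate read={can_delegate(auths, U + 'read')}, "
              f"delegate pswd={can_delegate(auths, U + 'pswd')}")
```

Running it prints, for each role, whether it may change passwords and which of the read and pswd authorizations it may delegate.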