Chapter 17. Role-Based Access Control


Granting superuser access to nonroot users has always been an issue in UNIX systems. In the past, you had to rely on a third-party package, Sudo, to provide this functionality. The problem was that Sudo was an unsupported piece of freeware that had to be downloaded from the Internet and installed onto your system. Also, Sudo is an application and not an integrated facility; thus, it is not as secure. In extreme cases, the system administrator had to set the set-user-ID (setuid) permission bit on a command file so that a user could execute that command as root.

With role-based access control (RBAC) in the Solaris 9 operating environment, administrators can assign limited administrative capabilities to nonroot users. RBAC enables you to assign specific tasks, or roles, to specific individuals according to their job needs. The flexibility in setting up roles enables a variety of security policies. There are three suggested roles that are easily configured:

  • Primary administrator: A powerful role equivalent to root.

  • System administrator: A less strong role for administration not related to security.

  • Operator: A junior administrator role for operations such as backups, restores, and printer management.

These are only suggested roles within an organization, and your requirements might differ. An organization creates roles according to its security needs. Roles can be set up for special-purpose administrators in such areas as security, networking, or firewall administration. Another approach is to create a single administrator role coupled with an advanced operator role for those users permitted to fix portions of their own systems.
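The following is an added example, not code from the chapter or from Solaris itself: a small Python model of the scheme described above, in which a user cannot log in as a role but may assume a role assigned to them, the role carries rights profiles, and each profile names the commands that run with elevated privilege. The profile, role, user and command names, and the uid values, are constructed for the illustration and do not reproduce the contents of the real Solaris rights profiles. It shows the property that distinguishes RBAC from the setuid approach: privilege is granted per user, per role and per command, rather than to anyone who can execute a setuid binary.

```python
"""Toy model of Solaris-style RBAC: users assume roles, roles carry rights
profiles, and profiles name the commands that may run with elevated privilege.

Added illustration only, not the Solaris implementation. All profile, role,
user and command names below are constructed (hypothetical) for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """A rights profile: a set of command paths and the uid they execute as."""
    name: str
    commands: frozenset          # "*" means every command (Primary Administrator)
    exec_uid: int = 0            # uid the command runs as when invoked via the role


class Denied(Exception):
    """Raised when a user, role or command is not authorized."""


# Constructed data for the three suggested roles (names are hypothetical).
PROFILES = {
    "Primary Administrator": Profile("Primary Administrator", frozenset({"*"})),
    "System Administrator": Profile(
        "System Administrator",
        frozenset({"/usr/sbin/useradd", "/usr/sbin/mount", "/usr/sbin/shutdown"}),
    ),
    "Media Backup": Profile(
        "Media Backup", frozenset({"/usr/sbin/ufsdump", "/usr/sbin/ufsrestore"})
    ),
    # exec_uid=71 is a constructed value standing in for a printer-service account
    "Printer Management": Profile(
        "Printer Management", frozenset({"/usr/sbin/lpadmin"}), exec_uid=71
    ),
}

# role name -> rights profiles the role carries
ROLES = {
    "primaryadm": ("Primary Administrator",),
    "sysadm": ("System Administrator",),
    "oper": ("Media Backup", "Printer Management"),
}

# user name -> roles the user is permitted to assume
USERS = {
    "alice": frozenset({"primaryadm"}),
    "bob": frozenset({"oper"}),
    "carol": frozenset(),           # ordinary user, no roles assigned
}


def assume_role(user: str, role: str) -> str:
    """Model of switching to a role: only a user assigned the role may assume it."""
    if role not in ROLES:
        raise Denied(f"no such role: {role}")
    if role not in USERS.get(user, frozenset()):
        raise Denied(f"{user} is not assigned role {role}")
    return role


def authorize(user: str, role: str, command: str) -> int:
    """Return the uid `command` runs as for `user` acting in `role`.

    Unlike a setuid binary, which elevates every caller, the command runs
    privileged only if (a) the user may assume the role and (b) one of the
    role's profiles lists the command. Anything else raises Denied.
    """
    role = assume_role(user, role)
    for profile_name in ROLES[role]:
        profile = PROFILES[profile_name]
        if "*" in profile.commands or command in profile.commands:
            return profile.exec_uid
    raise Denied(f"role {role} has no profile granting {command}")


def attempt(user: str, role: str, command: str):
    """Wrapper returning (allowed, uid_or_reason) instead of raising."""
    try:
        return True, authorize(user, role, command)
    except Denied as exc:
        return False, str(exc)


if __name__ == "__main__":
    checks = [
        ("bob", "oper", "/usr/sbin/ufsdump"),         # operator may run a backup
        ("bob", "oper", "/usr/sbin/lpadmin"),         # and manage printers
        ("bob", "oper", "/usr/sbin/useradd"),         # but not add users
        ("carol", "oper", "/usr/sbin/ufsdump"),       # carol was never given the role
        ("alice", "primaryadm", "/usr/sbin/useradd"), # primary admin: anything
    ]
    for user, role, command in checks:
        allowed, detail = attempt(user, role, command)
        outcome = f"runs as uid {detail}" if allowed else f"DENIED: {detail}"
        print(f"{user:6} {role:11} {command:24} -> {outcome}")
```

Running the block prints one line per check; the two denials show the two independent gates (role assignment, then the profile's command list), which is the least-privilege property the chapter's three-role split is meant to deliver.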
