Solaris has had Role Based Access Controls since the Solaris 8 timeframe (circa 2000). With each release, it has been improved with additional profiles and capabilities. In Solaris 11, we took a step further and converted the "root" user into a role. The goal of these enhanced security features is to ensure that an administrator can perform his assigned functions with the minimum privileges required and reduce the number of personnel required to access the root role. Glenn Faden, security architect for Solaris engineering, has blogged about these topics extensively (also see Glenn Brunette's blog).
Here's a simple use case for why you might need to use Solaris profiles and how to use them.
Let's imagine that you are a basic Solaris user, but you have been asked to be the Auditing Administrator. The first thing you might do is check to see if you have permissions to run the auditing tools.
test@solaris11:~$ pfexec auditconfig -getflags
auditon(2) failed.
error: Not owner(1)
test@solaris11:~$ profiles
Basic Solaris User
All
Without the "Audit Configuration" profile, you can't execute this command. Here is what the Audit Configuration profile looks like when you enter profiles -all. It allows you to execute the auditconfig command with the correct authorizations.
Audit Configuration
auths=solaris.smf.value.audit
/usr/sbin/auditconfig privs=sys_audit
You ask the senior administrator to add the Audit Configuration profile to your list. Pay close attention to the "+" sign, the quotes and the uppercase letters. The "+" sign means to add this profile to your existing profiles. Leave it off and it will replace existing profiles.
sudo usermod -P +"Audit Configuration" test
Now, you can try again. Your profile has been updated and the command is successful.
test@solaris11:~$ profiles
Audit Configuration
Basic Solaris User
All
test@solaris11:~$ pfexec auditconfig -getflags
active user default audit flags = ex,xa,ps,ua,as,ss,ap,lo,ft(0x80575080,0x80575080)
configured user default audit flags = ex,xa,ps,ua,as,ss,ap,lo,ft(0x80575080,0x80575080)
Note that the pfexec command is required to execute this command with your profiles in effect. To avoid typing "pfexec" in front of every command, you can simply run pfbash or ask the administrator to make your default shell /usr/bin/pfbash instead of standard bash.
sudo usermod -s /usr/bin/pfbash test
There are many different profiles available in Solaris 11, including ZFS administration, SMF administration, File system administration and more. Type profiles -all to see the entire list.
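Before asking for a profile, it helps to see which profiles would grant a given command and with what privileges, so the narrowest one can be requested. The following is an added example, not part of the original post: it filters a listing laid out like the Audit Configuration excerpt above. The function names and the "Example Operator" profile are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: report which profiles in a listing grant a command.
# Assumed layout (taken from the excerpt above): a profile name line,
# key=value attribute lines, then command-path lines with attributes.

# Constructed sample. Only "Audit Configuration" is from the article;
# "Example Operator" and its entries are hypothetical.
sample_listing() {
cat <<'EOF'
Audit Configuration
    auths=solaris.smf.value.audit
    /usr/sbin/auditconfig privs=sys_audit
Example Operator
    /usr/sbin/auditconfig privs=sys_audit,proc_audit
    /usr/sbin/zfs privs=sys_mount
Basic Solaris User
All
EOF
}

# profiles_granting CMD: read a listing on stdin and print
# "profile|attributes" for each profile with an entry for the path CMD.
profiles_granting() {
    awk -v cmd="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }  # trim indentation
        $0 == ""     { next }
        /^[a-z_]+=/  { next }                       # profile attribute, e.g. auths=
        /^\//        {                              # command entry
            if ($1 == cmd) {
                attrs = $0
                sub(/^[^ \t]+[ \t]*/, "", attrs)    # drop the path, keep attributes
                print profile "|" (attrs == "" ? "none" : attrs)
            }
            next
        }
        { profile = $0 }                            # anything else names a profile
    '
}

# Two profiles grant auditconfig; the second carries an extra privilege.
sample_listing | profiles_granting /usr/sbin/auditconfig
```

On a live system the same function can read the output of profiles -all instead of the sample, assuming that output keeps the layout shown in the excerpt.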