> Earlier in this thread, I suggested the following change to this part of
> the proposal. For single-user login, you don't really need a new
> authorization. Instead, sulogin could allow single-user access if the
> user authenticates and is allowed to assume the root role. The ability
> to assume the root role conveys the same information you would with the
> solaris.system.maintenance authorization, and it doesn't require the
> administrator to take two separate actions to configure a user with root
> access.
>
> I don't believe the project team has responded, either to accept or
> reject this minor amendment to the proposal.

Since you asked again and I believe the project team is traveling,
I'll answer as part of the RBAC project team. The suggestion
would be mixing metaphors. Authorizations are granted to users
for programs to make access control decisions based on the user's
identity. Roles are user accounts and may or may not have
authorizations.

Additionally, the premise of this case is that "root" not be a
role and be able to be configured as a no login account. As such,
it wouldn't be granted. Authorizations are a large name space,
thus nothing is to be gained by not adding an authorization to the
system and allowing it to be granted to specific users.

Gary..