> >>                       Multiple -e and -d options can  be  specified  on
> >> -                     the  command  line. Only users with the sys_admin
> >> -                     privilege can use this option.
> >> +                     the  command  line. Only users and roles belonging
> >> +             to the "Maintenance and Repair" RBAC profile can
> >> +             use this option.
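Review bot: The two continuation lines of the added sentence ("to the "Maintenance and Repair" RBAC profile can" and "use this option.") are indented less than the first added line and the unchanged text above it, so the paragraph will not line up with the rest of the option description. Re-indent both to the column used by "the  command  line." The new wording also replaces a named privilege (sys_admin) with a profile name only. If the profile is meant to be the documented interface, say so consistently wherever this option's access requirement is described.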
> > 
> > Suggest: Only users and roles with the solaris.smf.manage.coreadm and 
> > solaris.smf.value.coreadm authorizations can use this option.
> 
>    When researching the case, I was advised to look at the dladm man
>    page.  It takes the approach of documenting the necessary profile.

        Possibly not architecturally relevant, but clearly a Docs issue
        that I've tried to put on the plate for years is just how to
        document Rights Profiles and their relationship to auths and
        commands.

        Sigh, not happened yet.

        I believe I suggested looking at dladm / using the Rights Profile as
        the solution here.  The architectural question is where the user
        interface is.  Is it at the authorization level, or the Rights
        Profile level?  If it's at the Rights Profile level then the
        implementation can be changed without breaking compatibility.
        If it's at the authorization level, then that must be maintained.
        For example, if a command in a profile today requires
        the foo privilege and after a later change it requires the foo and
        bar privileges, if the Rights Profile is the supported interface
        for that command, adding the bar privilege requirement is a
        compatible change, while requiring a new privilege may not
        be a compatible change.

        I'm not suggesting we duke it out in this Fast-Track, but
        I am (again) suggesting that the RBAC project team has not
        completed the task of defining what is to be documented as
        the User/Admin interface.

Gary..
