On 09/30/08 14:21, James Carlson wrote: > John Sonnenschein writes: >> putting it in a separate package sufficient, or would an /etc/chsh.deny >> file be the preferred method? > > Neither. I think this ought to be an authorization that can be > granted or revoked. Something like: > > solaris.admin.usermgr.shell > solaris.admin.usermgr.gecos
I would propose a different subsection here instead of solaris.admin.usermgr, to do with modifying your own data: the ability to change all other (shell/gecos) fields should be separate from being able to modify your own. Even or especially an admin might need to be stopped from modifying his/her own data, so that two person rule control can be set up. Bart
