Casper.Dik at Sun.COM wrote:
>
>>> - but I would like it to keep the same uid as the user
>>> (making the role a different uid in the credential)
>>>
>> So you want Type Enforcement style roles. It's still unclear
>> to me how those work with network credentials.
>>
>
> If you want to call it that way; but you can easily modify "pfexec" to look
> at "getroleuid()" and not "getuid()".
>
> The current issues with RBAC are that:
>
> - roles are shared unless you create one for every user who needs
> a role (cf. root as a role; not different from root as shared
> account, I don't think it's a valid model: if you can't
> modify the password because you need to communicate the new
> password, it typically won't change at all)
>

As Darren mentioned, we have had many requests to allow the user's password to be used instead of the role's password when assuming a role. If this were configurable (on a role basis?) that would address the shared password issue.

> - it's too easy to add a profile to an ordinary account.
> Fine for "Console User/Basic Solaris User" types of profiles;
> but not for others.
>

We could add a type=role key/value to specific prof_attr entries specifying that they can only be assigned to user_attr (or prof_attr) entries containing type=role.
--Glenn
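The "type=role" restriction proposed in the message above, written out as a small checker. This is an added example, not code from the thread or from Solaris: it assumes a hypothetical `type=role` key in the attr field of a prof_attr entry (no such key exists in the shipped databases), and the prof_attr and user_attr lines below are constructed for the example. The check flags a role-only profile assigned, via `profiles=`, to a user_attr entry that is not itself a role, and also the nested case of a non-role prof_attr entry including a role-only profile.

```python
# Added example, not part of the mailing-list thread. Implements the proposed
# rule: a prof_attr entry tagged with the HYPOTHETICAL key type=role may only
# be assigned to user_attr (or prof_attr) entries that themselves carry
# type=role. Database formats follow prof_attr(4) / user_attr(4):
#   prof_attr: name:res1:res2:desc:attr
#   user_attr: user:qualifier:res1:res2:attr
# where attr is a ';'-separated list of key=value pairs.

# Constructed sample databases (not copied from any real system).
PROF_ATTR = """\
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read;profiles=All
Console User:::Manage System as the Console User:profiles=Desktop Print Management
Primary Administrator:::Can perform all administrative tasks:auths=solaris.*;type=role
Printer Management:::Manage printers:auths=solaris.print.*;profiles=Basic Solaris User
Operator:::Can perform simple administrative tasks:profiles=Primary Administrator
"""

USER_ATTR = """\
root::::auths=solaris.*;profiles=All;type=role
sysadm::::type=role;profiles=Primary Administrator
alice::::type=normal;profiles=Console User,Primary Administrator
bob::::profiles=Printer Management;roles=sysadm
"""


def parse_attrs(field):
    """Split the trailing attr field 'k=v;k=v' into a dict."""
    attrs = {}
    for kv in field.split(";"):
        if not kv.strip():
            continue
        key, _, value = kv.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def parse_db(text):
    """Parse colon-separated database lines into {name: attrs}.

    Only the first (name) and last (attr) fields matter for this check."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        db[fields[0]] = parse_attrs(fields[-1])
    return db


def profile_list(attrs):
    """Return the comma-separated 'profiles=' assignment as a list."""
    return [p.strip() for p in attrs.get("profiles", "").split(",") if p.strip()]


def role_only_profiles(prof_attr):
    """Names of prof_attr entries carrying the hypothetical type=role key."""
    return {name for name, attrs in prof_attr.items() if attrs.get("type") == "role"}


def check_assignments(prof_attr, user_attr):
    """Return (entry, profile) pairs where a role-only profile is assigned
    to an entry that is not itself a role. An entry with no type= key is
    treated as a normal (non-role) entry, as user_attr does."""
    restricted = role_only_profiles(prof_attr)
    violations = []
    # Direct assignments in user_attr.
    for user, attrs in user_attr.items():
        if attrs.get("type") == "role":
            continue
        for prof in profile_list(attrs):
            if prof in restricted:
                violations.append((user, prof))
    # Nested assignments: a non-role profile pulling in a role-only profile.
    for name, attrs in prof_attr.items():
        if attrs.get("type") == "role":
            continue
        for prof in profile_list(attrs):
            if prof in restricted:
                violations.append((name, prof))
    return violations


if __name__ == "__main__":
    for entry, prof in check_assignments(parse_db(PROF_ATTR), parse_db(USER_ATTR)):
        print(f"{entry}: role-only profile '{prof}' assigned to a non-role entry")
```

On the sample data, `alice` (type=normal) and the `Operator` profile both pull in `Primary Administrator` and are reported; `sysadm` is a role and passes. A production version would read `/etc/security/prof_attr` and `/etc/user_attr` (and the name-service equivalents) instead of the embedded strings.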