Gary Winiger wrote:
>> Another option is to create a new role, say "wusb". Users who assumed
>> the wusb role are allowed to execute the WUSB admin tool and manage the
>> wusb service. However, it is not necessary to create a new role if there
>> is an existing role which is for general system admin (such as device
>> config, service management, etc.)
>>
>> Any comments are welcomed, thanks.
>>
>
> In general no projects create roles. Projects create Rights Profiles.
>

Thanks for the info. OK, this project will not create any roles then. It creates 5 new authorizations and 1 profile.

To make it convenient for users to run the WUSB admin tool, the project team is considering granting the newly created profile by default to an existing user/role in Solaris, say the "adm" user. One line in /etc/user_attr will be updated as follows:

- adm::::profiles=Log Management
+ adm::::profiles=Log Management,WUSB Management
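Review bot: the `+` line replaces adm's whole user_attr entry instead of appending to it, so on a system where adm's `profiles=` list has already been customised the update would silently drop those profiles; the packaging step should append `WUSB Management` to whatever profiles the entry already carries, producing `adm::::profiles=Log Management,WUSB Management` only in the default case.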
By doing this, if users run `su adm`, they will have the authorizations to run the wusbadm tool. (In the meantime, prof_attr, exec_attr, and auth_attr will also be updated.)

Comments are appreciated.

BTW, for details of the RBAC model of this project, please refer to section 4 of the WUSB design draft doc at:
http://www.opensolaris.org/os/project/wusb/wusb_design.pdf

Thanks,
Colin
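As an added illustration (not code from the WUSB project or from the mail above), a small Python helper that parses the five-field user_attr(4) format, checks whether a user is directly assigned a rights profile, and appends a profile to an existing entry instead of rewriting the whole line. The sample file contents are constructed in the style of the adm entry discussed in the thread.

```python
"""Inspect and update rights-profile assignments in a Solaris user_attr file.

user_attr lines have five colon-separated fields:
    user:qualifier:res1:res2:attr
where attr is a ';'-separated list of key=value pairs and the value of
'profiles' (as well as 'auths' and 'roles') is a ','-separated list.
"""

# Constructed sample, not a real system file.
SAMPLE_USER_ATTR = """\
# /etc/user_attr (constructed sample)
root::::auths=solaris.*,solaris.grant;profiles=All
adm::::profiles=Log Management
lp::::profiles=Printer Management
"""


def parse_user_attr(text):
    """Return {user: {key: [values]}} for every non-comment, non-blank line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError("malformed user_attr line: %r" % raw)
        attrs = {}
        for pair in filter(None, fields[4].split(";")):
            key, _, value = pair.partition("=")
            attrs[key] = [v for v in value.split(",") if v]
        entries[fields[0]] = attrs
    return entries


def has_profile(text, user, profile):
    """True if `user` is directly assigned `profile` in this user_attr text."""
    return profile in parse_user_attr(text).get(user, {}).get("profiles", [])


def grant_profile(text, user, profile):
    """Return `text` with `profile` appended to `user`'s existing profiles.

    Other key=value pairs and already-assigned profiles are preserved, so a
    locally customised entry is not clobbered; a no-op if already present.
    """
    out = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if raw.startswith("#") or len(fields) != 5 or fields[0] != user:
            out.append(raw)
            continue
        pairs = [p for p in fields[4].split(";") if p]
        keys = [p.partition("=")[0] for p in pairs]
        if "profiles" in keys:
            i = keys.index("profiles")
            current = [v for v in pairs[i].partition("=")[2].split(",") if v]
            if profile not in current:
                current.append(profile)
            pairs[i] = "profiles=" + ",".join(current)
        else:
            pairs.append("profiles=" + profile)
        fields[4] = ";".join(pairs)
        out.append(":".join(fields))
    return "\n".join(out) + "\n"
```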