> > In general no projects create roles. Projects create Rights Profiles.
> >
> Thanks for the info. OK, this project will not create any roles then. It
> creates 5 new authorizations and 1 profile. To make it convenient for
> user to run the WUSB admin tool, the project team is considering by
> default grant the newly created profile to an existing user/role in
> Solaris, say "adm" user. One line in /etc/user_attr will be updated as
> follows:
> - adm::::profiles=Log Management
> + adm::::profiles=Log Management,WUSB Management
>
> By thus, if users run `su adm`, then they will have the authorizations
> to run wusbadm tool.
> (In the meanwhile, prof_attr, exec_attr, and auth_attr will also be
> updated.)
>
> Comments are appreciated.

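Review bot: Granting WUSB Management to adm by default, as the `+` line for /etc/user_attr does, widens an existing account's rights on every system that receives the change, whether or not wireless USB is administered there. Consider leaving the adm entry as it is and delivering only the new prof_attr, exec_attr and auth_attr entries, so that an administrator assigns the WUSB Management profile to the users who need it; if the default grant stays, the proposal should state why adm is the right holder for it.
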
I believe you're confused. I suggest you read
http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/
and its references or find things in docs.sun.com.

You should note explicitly that adm is not a role, nor is it a login
account. It is in user_attr with the Log Management Rights Profile
so logadm works. See 4592815. See logadm.conf -o option.

> BTW, details of the RBAC model of this project please refer to section 4
> of WUSB design draft doc at:
>
> http://www.opensolaris.org/os/project/wusb/wusb_design.pdf

Perhaps the WUSB project needs to get with their case owner or intern
and schedule some time with the RBAC project for advice.

Gary..