> I discovered a bug/annoyance/feature

Feature, certainly.  Annoyance, perhaps at first (like many
parts of SMF), but not a bug.  A misunderstanding at worst.
I actually spend quite a bit of time on this part in my
SMF class to avoid the misunderstanding.


> Ok if I wanted to give someone permissions to start and stop say the  
> name service cache, I thought it would be enough to grant him the  
> solaris.smf.manage.name-service-cache authorization with:
>       usermod -A solaris.smf.manage.name-service-cache tst
> however as it turns out this does not work:

It does.  It allows the user with the authorization to start and
stop the service.  svcadm disable -t and svcadm enable -t
work as expected.

>       tst@live:~$ svcadm disable name-service-cache

Enable and disable without the -t will also update the value
of the general/enabled property, which is something beyond
just starting and stopping the service.  If that's what is
desired then give them the value_authorization in the
general property group.  Yes, it will allow them to change
other things in the general property group, but there isn't all
that much that can happen.   But it is limited in scope.

Remember there are 3 authorizations you can use for fine-grained
control.

action_authorization (in the general property group) - allows you to
run the method

value_authorization (in any property group) - allows you to alter
any value of a property in the property group.  Fits in the
general property group nicely along with the action_authorization.

And then there's modify_authorization that is a superset of
value_authorization.  More modification including creation and
destruction.

See http://blogs.sun.com/bobn/date/20070326 for more
examples.

Bob
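
An added example, not part of the original thread: a small audit helper that reads `svcprop`-style output and reports which of the three authorization properties list a given authorization, and whether that covers the persistent general/enabled change discussed above. The function names and the sample property lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Property lines below are constructed.
# Input format is what `svcprop <service>` prints: "pg/property type value...".

# smf_auth_grants AUTH: print "pg:kind" (kind = action|value|modify) for every
# *_authorization property on stdin whose value list contains AUTH.
smf_auth_grants() {
    awk -v auth="$1" '
        split($1, p, "/") == 2 && p[2] ~ /^(action|value|modify)_authorization$/ {
            kind = p[2]; sub(/_authorization$/, "", kind)
            for (i = 3; i <= NF; i++)
                if ($i == auth) { print p[1] ":" kind; break }
        }'
}

# can_toggle_persistently AUTH: succeed when AUTH may change general/enabled,
# which plain `svcadm enable|disable` (no -t) needs. Per the reply above that
# takes value_authorization in "general", or its superset modify_authorization.
can_toggle_persistently() {
    smf_auth_grants "$1" | grep -Eq '^general:(value|modify)$'
}

AUTH=solaris.smf.manage.name-service-cache

# Constructed sample: only action_authorization is set (start/stop with -t).
SAMPLE_BEFORE="general/enabled boolean true
general/action_authorization astring $AUTH"

# Constructed sample: value_authorization added to the same property group.
SAMPLE_AFTER="$SAMPLE_BEFORE
general/value_authorization astring $AUTH"

for name in BEFORE AFTER; do
    eval "data=\$SAMPLE_$name"
    printf '%s: grants=%s ' "$name" \
        "$(printf '%s\n' "$data" | smf_auth_grants "$AUTH" | tr '\n' ' ')"
    if printf '%s\n' "$data" | can_toggle_persistently "$AUTH"; then
        echo "persistent enable/disable: yes"
    else
        echo "persistent enable/disable: no"
    fi
done
```

On a live system the same functions can be fed from `svcprop name-service-cache` instead of the sample variables.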

