2N/A#

2N/A# CDDL HEADER START

2N/A#

2N/A# The contents of this file are subject to the terms of the

2N/A# Common Development and Distribution License (the "License").

2N/A# You may not use this file except in compliance with the License.

2N/A#

2N/A# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE

2N/A# or http://www.opensolaris.org/os/licensing.

2N/A# See the License for the specific language governing permissions

2N/A# and limitations under the License.

2N/A#

2N/A# When distributing Covered Code, include this CDDL HEADER in each

2N/A# file and include the License file at usr/src/OPENSOLARIS.LICENSE.

2N/A# If applicable, add the following below this CDDL HEADER, with the

2N/A# fields enclosed by brackets "[]" replaced with your own identifying

2N/A# information: Portions Copyright [yyyy] [name of copyright owner]

2N/A#

2N/A# CDDL HEADER END

2N/A#

2N/A

2N/A# Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.

2N/A

2N/A#

2N/A# This file is formated in a very specific way to reduce the risk

2N/A# of accidental mismerging on updates. DO NOT change the formating of

2N/A# individual entries and DO follow the style for new entries.

2N/A#

2N/A# It uses \ continuation to break up what is basically one big long line

2N/A# for each profile.

2N/A#

2N/A# The fields are : separated. The first three fields (and the first three

# colons) should all be on one line that is NOT indented).

# The remainder of the fields should all be indented one tab.

# Each comma separated auths or profile sub entry should be on its own line.

# and each semi-colon separated sub field should be on its own line too.

# For example:

#

# Example Profile:RO::\

# An Example profile:\

# auths=solaris.example.one,\

# solaris.example.two,\

# profiles=Sub Example One,\

# Sub Example Two;\

# help=RtExampleHelp.html

#

All:RO::\

Execute any command as the user or role:\

help=RtAll.html

Administrator Message Edit:RO::\

Update administrator message files:\

auths=solaris.admin.edit/etc/issue,\

solaris.admin.edit/etc/motd;\

help=RtAdminMsg.html

Audit Configuration:RO::\

Configure Solaris Audit:\

auths=solaris.smf.value.audit;\

help=RtAuditCfg.html

Audit Control:RO::\

Control Solaris Audit:\

auths=solaris.smf.manage.audit;\

help=RtAuditCtrl.html

Audit Review:RO::\

Review Solaris Auditing logs:\

help=RtAuditReview.html

Console User:RO::\

Manage System as the Console User:\

profiles=Suspend To RAM,\

Suspend To Disk,\

Brightness,\

CPU Power Management,\

Network Autoconf User;\

auths=solaris.system.shutdown,\

solaris.device.cdrw,\

solaris.device.mount.removable,\

solaris.smf.manage.vbiosd,\

solaris.smf.value.vbiosd;\

help=RtConsUser.html

Contract Observer:RO::\

Reliably observe any/all contract events:\

help=RtContractObserver.html

Device Management:RO::\

Control Access to Removable Media:\

auths=solaris.device.*;\

help=RtDeviceMngmnt.html

Cron Management:RO::\

Manage at and cron jobs:\

auths=solaris.jobs.*,\

solaris.smf.manage.cron;\

help=RtCronMngmnt.html

Printer Management:RO::\

Manage printers, daemons, spooling:\

auths=solaris.print.*;\

help=RtPrntAdmin.html

Log Management:RO::\

Manage log files:\

help=RtLogMngmnt.html

Basic Solaris User:RO::\

Automatically assigned rights:\

auths=solaris.mail.mailq,\

solaris.network.autoconf.read,\

solaris.admin.wusb.read;\

profiles=All;\

help=RtDefault.html

Device Security:RO::\

Manage devices and Volume Manager:\

auths=solaris.device.*,\

solaris.smf.manage.vt,\

solaris.smf.manage.allocate;\

help=RtDeviceSecurity.html

DHCP Management:RO::\

Manage the DHCP service:\

auths=solaris.dhcpmgr.*;\

help=RtDHCPMngmnt.html

Extended Accounting Flow Management:RO::\

Manage the Flow Extended Accounting service:\

auths=solaris.smf.manage.extended-accounting.flow,\

solaris.smf.value.extended-accounting.flow;\

profiles=acctadm;\

help=RtExActtFlow.html

Extended Accounting Process Management:RO::\

Manage the Process Extended Accounting service:\

auths=solaris.smf.manage.extended-accounting.process,\

solaris.smf.value.extended-accounting.process;\

profiles=acctadm;\

help=RtExAcctProcess.html

Extended Accounting Task Management:RO::\

Manage the Task Extended Accounting service:\

auths=solaris.smf.manage.extended-accounting.task,\

solaris.smf.value.extended-accounting.task;\

profiles=acctadm;\

help=RtExAcctTask.html

Extended Accounting Net Management:RO::\

Manage the Net Extended Accounting service:\

auths=solaris.smf.manage.extended-accounting.net,\

solaris.smf.value.extended-accounting.net;\

profiles=acctadm;\

help=RtExActtNet.html

File System Management:RO::\

Manage, mount, share file systems:\

profiles=SMB Management,\

VSCAN Management,\

SMBFS Management,\

Shadow Migration Monitor,\

ZFS File System Management;\

auths=solaris.smf.manage.autofs,\

solaris.smf.manage.shares,\

solaris.smf.manage.group,\

solaris.smf.value.fedfs,\

solaris.smf.read.fedfs;\

help=RtFileSysMngmnt.html

File System Security:RO::\

Manage file system security attributes:\

help=RtFileSysSecurity.html

Forced Privilege:::\

Commands with forced privileges associated with them:\

help=RtReservedProfile.html

HAL Management:RO::\

Manage HAL SMF service:\

auths=solaris.smf.manage.hal;\

help=RtHALMngmnt.html

Hotplug Management:RO::\

Manage Hotplug Connections:\

auths=solaris.smf.manage.hotplug,\

solaris.hotplug.*;\

help=RtHotplugMgmt.html

Idmap Name Mapping Management:RO::\

Manage Name-based Mapping Rules of Identity Mapping Service:\

auths=solaris.admin.idmap.rules;\

help=RtIdmapNameRulesMngmnt.html

Idmap Service Management:RO::\

Manage Identity Mapping Service:\

auths=solaris.smf.manage.idmap,\

solaris.smf.value.idmap;\

help=RtIdmapMngmnt.html

Inetd Management:RO::\

Manage inetd configuration parameters:\

auths=solaris.smf.manage.inetd,\

solaris.smf.value.inetd;\

help=RtInetdMngmnt.html

Mail Management:RO::\

Manage sendmail & queues:\

auths=solaris.smf.manage.sendmail;\

help=RtMailMngmnt.html

Maintenance and Repair:RO::\

Maintain and repair a system:\

auths=solaris.admin.edit/etc/syslog.conf,\

solaris.label.range,\

solaris.smf.manage.coreadm,\

solaris.smf.manage.system-log,\

solaris.smf.value.coreadm,\

solaris.smf.value.power_config,\

solaris.smf.value.power_control,\

solaris.system.maintenance;\

profiles=Hotplug Management;\

help=RtMaintAndRepair.html

Media Backup:RO::\

Backup files and file systems:\

profiles=NDMP Management;\

help=RtMediaBkup.html

Media Catalog:RO::\

Catalog files and file systems:\

help=RtMediaCtlg.html

Media Restore:RO::\

Restore files and file systems from backups:\

auths=solaris.media.extract;\

profiles=NDMP Management;\

help=RtMediaRestore.html

NDMP Management:RO::\

Manage the NDMP service:\

auths=solaris.smf.manage.ndmp,\

solaris.smf.value.ndmp,\

solaris.smf.read.ndmp;\

help=RtNdmpMngmnt.html

Network Autoconf Admin:RO::\

Manage Network Auto-Magic configuration via nwamd:\

profiles=Network Autoconf User,\

Name Service Security;\

auths=solaris.network.autoconf.write,\

solaris.smf.manage.location,\

solaris.smf.modify.application,\

solaris.network.interface.config;\

help=RtNetAutoconfAdmin.html

Network Autoconf User:RO::\

Network Auto-Magic User:\

auths=solaris.network.autoconf.read,\

solaris.network.autoconf.select,\

solaris.network.autoconf.wlan;\

help=RtNetAutoconfUser.html

Network ILB:RO::\

Manage ILB configuration via ilbadm:\

auths=solaris.network.ilb.config,\

solaris.network.ilb.enable;\

help=RtNetILB.html

Network LLDP:RO::\

Manage LLDP agents via lldpadm:\

auths=solaris.network.lldp,\

solaris.smf.manage.lldp;\

help=RtNetLLDP.html

Network VRRP:RO::\

Manage VRRP instances:\

auths=solaris.network.vrrp,\

solaris.smf.manage.vrrp;\

help=RtNetVRRP.html

Network Management:RO::\

Manage the host and network configuration:\

auths=solaris.smf.manage.bind,\

solaris.smf.value.routing,\

solaris.smf.manage.routing,\

solaris.smf.value.nwam,\

solaris.smf.manage.netphys,\

solaris.smf.manage.tnd,\

solaris.smf.manage.tnctl,\

solaris.smf.manage.wpa,\

solaris.smf.value.mdns,\

solaris.smf.manage.mdns,\

solaris.smf.manage.ipmp,\

solaris.smf.manage.ilb,\

solaris.smf.manage.rds,\

solaris.network.interface.config;\

profiles=Name Service Management,\

Network Wifi Management,\

Inetd Management,\

Network LLDP,\

Network VRRP,\

Network Observability,\

Network Autoconf Admin,\

RDS Management;\

help=RtNetMngmnt.html

Network Observability:RO::\

Allow access to observability devices:\

privs=net_observability;\

help=RtNetObservability.html

Network Security:RO::\

Manage network and host security:\

auths=solaris.smf.manage.ssh,\

solaris.smf.value.tnd,\

solaris.smf.value.finger,\

solaris.network.*;\

profiles=Network Wifi Security,\

Network Link Security,\

Network IPsec Management;\

help=RtNetSecure.html

Network Wifi Management:RO::\

Manage wifi network configuration:\

auths=solaris.network.wifi.config;\

help=RtNetWifiMngmnt.html

Network Wifi Security:RO::\

Manage wifi network security:\

auths=solaris.network.wifi.wep;\

help=RtNetWifiSecure.html

Network Link Security:RO::\

Manage network link security:\

auths=solaris.network.link.security;\

help=RtNetLinkSecure.html

Network IPsec Management:RO::\

Manage IPsec and IKE:\

auths=solaris.smf.manage.ipsec,\

solaris.smf.value.ipsec;\

help=RtNetIPsec.html

Name Service Management:RO::\

Manage Naming Services:\

auths=solaris.smf.manage.name-service.*,\

solaris.smf.value.name-service.*,\

solaris.smf.read.name-service.*;\

help=RtNameServiceAdmin.html

Name Service Security:RO::\

Security related Naming Service scripts/commands:\

help=RtNameServiceSecure.html

Object Access Management:RO::\

Change ownership and permission on files:\

help=RtObAccessMngmnt.html

Operator:RO::\

Can perform simple administrative tasks:\

profiles=Printer Management,\

Media Backup;\

help=RtOperator.html

Process Management:RO::\

Manage current processes and processors:\

auths=solaris.smf.manage.cron;\

help=RtProcManagement.html

RDS Management:RO::\

Manage the Reliable Datagram Service:\

auths=solaris.smf.manage.rds;\

help=RtRDSMngmnt.html

Reparse Management:RO::\

Manage the reparse service:\

auths=solaris.smf.manage.reparse;\

help=RtReparseMngmnt.html

Rights Delegation:RO::\

Delegate ability to assign rights to users and roles:\

auths=solaris.auth.delegate,\

solaris.audit.assign,\

solaris.group.delegate,\

solaris.profile.delegate,\

solaris.privilege.delegate;\

help=RtRightsDelegate.html

Rights Management:RO::\

Manage rights profiles and authorizations:\

auths=solaris.profile.manage,\

solaris.profile.cmd.manage,\

solaris.auth.manage;\

help=RightsMngmnt.html

Rmvolmgr Management:RO::\

Manage Removable Volume Manager SMF service:\

auths=solaris.smf.manage.rmvolmgr;\

help=RtRmvolmgrMngmnt.html

Security Extensions Configuration:RO::\

Configure Security Extensions:\

auths=solaris.smf.manage.secext,\

solaris.smf.value.secext;\

help=RtSecExtConfig.html

Service Management:RO::\

Manage services:\

auths=solaris.smf.manage,\

Service Operator:RO::\

Administer services:\

auths=solaris.smf.manage,\

Shadow Migration Monitor:RO::\

Observe progress of shadow migrations:\

help=RtShadowMigrationMonitor.html

Software Installation:RO::\

Add application software to the system:\

profiles=ZFS File System Management;\

help=RtSoftwareInstall.html

Stop:RO::\

Last Profile evaluated, default profiles are not considered:\

help=RtReservedProfile.html

System Administrator:RO::\

Can perform most non-security administrative tasks:\

profiles=Audit Review,\

Extended Accounting Flow Management,\

Extended Accounting Net Management,\

Extended Accounting Process Management,\

Extended Accounting Task Management,\

Printer Management,\

Cron Management,\

Device Management,\

File System Management,\

Log Management,\

Mail Management,\

Maintenance and Repair,\

Media Backup,\

Media Catalog,\

Media Restore,\

Name Service Management,\

Network Management,\

Object Access Management,\

Process Management,\

Project Management,\

RAD Management,\

Service Operator,\

Shadow Migration Monitor,\

Software Installation,\

System Configuration,\

User Management,\

ZFS Storage Management;\

help=RtSysAdmin.html

System Configuration:RO::\

Manage System Configuration:\

auths=solaris.smf.manage.environment,\

solaris.smf.value.environment;\

help=RtSysConf.html

System Event Management:RO::\

Manage system events and system event channels:\

help=RtSysEvMngmnt.html

User Management:RO::\

Manage users and roles, groups, home directory:\

auths=solaris.user.manage,\

solaris.role.manage,\

solaris.group.manage,\

solaris.project.delegate;\

help=RtUserMngmnt.html

User Security:RO::\

Administer user security:\

auths=solaris.role.delegate,\

solaris.profile.delegate,\

solaris.project.delegate,\

solaris.label.range,\

solaris.label.delegate,\

solaris.privilege.delegate,\

solaris.session.setpolicy,\

solaris.auth.delegate,\

solaris.account.setpolicy,\

solaris.account.activate,\

solaris.passwd.assign;\

help=RtUserSecurity.html

FTP Management:RO::\

Manage the FTP server:\

help=RtFTPMngmnt.html

Crypto Management:RO::\

Cryptographic Framework Administration:\

help=RtCryptoMngmnt.html

Kerberos Client Management:RO::\

Maintain and Administer Kerberos excluding the servers:\

help=RtKerberosClntMngmnt.html

Kerberos Server Management:RO::\

Maintain and Administer Kerberos Servers:\

profiles=Kerberos Client Management;\

help=RtKerberosSrvrMngmnt.html

DAT Administration:RO::\

Manage the DAT configuration:\

help=RtDatAdmin.html

SMB Management:RO::\

Manage the SMB service:\

auths=solaris.smf.manage.smb,\

solaris.smf.value.smb,\

solaris.smf.read.smb;\

help=RtSMBMngmnt.html

SMBFS Management:RO::\

Manage the SMB client:\

auths=solaris.smf.manage.smbfs,\

solaris.smf.value,\

solaris.smf.modify.application;\

help=RtSMBFSMngmnt.html

STMF Administration:RO::\

Configure STMF service:\

auths=solaris.smf.modify.application

STMF Management:RO::\

Start/Stop STMF service:\

auths=solaris.smf.manage.stmf

ZFS File System Management:RO::\

Create and Manage ZFS File Systems:\

help=RtZFSFileSysMngmnt.html

ZFS Storage Management:RO::\

Create and Manage ZFS Storage Pools:\

help=RtZFSStorageMngmnt.html

Zone Security:RO::\

Zones Virtual Application Environment Security:\

auths=solaris.zone.*,\

solaris.auth.delegate;\

help=RtZoneSecurity.html

Zone Management:RO::\

Zones Virtual Application Environment Administration:\

help=RtZoneMngmnt.html

IP Filter Management:RO::\

IP Filter Administration:\

help=RtIPFilterMngmnt.html

Project Management:RO::\

Add/Modify/Remove projects:\

help=RtProjManagement.html

VSCAN Management:RO::\

Manage the VSCAN service:\

auths=solaris.smf.manage.vscan,\

solaris.smf.value.vscan,\

solaris.smf.modify.application;\

help=RtVscanMngmnt.html

WUSB Management:RO::\

Manage Wireless USB:\

auths=solaris.admin.wusb.*,\

solaris.smf.manage.wusb;\

help=WUSBmgmt.html

Event Notification Agent Management:RO::\

Manage Event Notification Agents:\

auths=solaris.smf.manage.asr-notify,\

solaris.smf.manage.smtp-notify,\

solaris.smf.manage.snmp-notify,\

solaris.smf.read.asr-notify,\

solaris.smf.value.asr-notify,\

solaris.smf.value.smtp-notify,\

Information Security:RO::\

Maintains MAC and DAC security policies:\

profiles=Device Security,\

File System Security,\

Name Service Security,\

Network Security,\

Object Access Management,\

Object Label Management;\

help=RtInfoSec.html

Object Label Management:RO::\

Change labels on files, networks, zones:\

auths=solaris.device.allocate,\

solaris.label.file.downgrade,\

solaris.label.win.downgrade,\

solaris.label.win.upgrade,\

solaris.label.file.upgrade,\

solaris.label.range,\

solaris.smf.manage.labels,\

solaris.label.zone.manage,\

solaris.label.network.manage;\

help=RtObjectLabelMngmnt.html

Outside Accred:RO::\

Allow a user to operate outside the user accreditation range.:\

auths=solaris.label.range;\

help=RtOutsideAccred.html

RAD Configuration:RO::\

Configure RAD:\

auths=solaris.smf.value.rad;\

help=RtRadConfiguration.html

RAD Management:RO::\

Manage RAD:\

auths=solaris.smf.manage.rad;\

help=RtRadManagement.html

System Power:RO::\

For authorized users to manage system power:\

auths=solaris.system.power.*;\

help=RtSysPowerMgmt.html

Suspend:RO::\

For authorized users to Suspend system:\

auths=solaris.system.power.suspend.*;\

help=RtSysPowerMgmtSuspend.html

Suspend To Disk:RO::\

For authorized users to Suspend to Disk:\

auths=solaris.system.power.suspend.disk;\

help=RtSysPowerMgmtSuspendToDisk.html

Suspend To RAM:RO::\

For authorized users to Suspend to RAM:\

auths=solaris.system.power.suspend.ram;\

help=RtSysPowerMgmtSuspendToRAM.html

Brightness:RO::\

For authorized users to Control LCD Brightness:\

auths=solaris.system.power.brightness;\

help=RtSysPowerMgmtBrightness.html

CPU Power Management:RO::\

For authorized users to manage CPU Power:\

auths=solaris.system.power.cpu;\

help=RtCPUPowerManagement.html

acctadm:RO::\

Do not assign to users. Commands required for Extended Accounting \

Management profiles:\

help=RtAcctadm.help

ISNS Server Management:RO::\

Manage ISNS server:\

auths=solaris.smf.manage.isns,\

solaris.smf.value.isns,\

solaris.isnsmgr.write;\

help=RtISNSMngmnt.html