17. Role-Based Access Control (Overview)
RBAC Authorizations

An authorization is a discrete right that can be granted to a role or to a user. An RBAC-compliant application checks whether the user holds a specific authorization before granting access to the application or to particular operations within it. This check replaces the test that conventional UNIX applications make for UID=0 (root), so a task can be delegated without handing out full superuser privilege. Authorization names are defined in the auth_attr database. For more information on authorizations, see "Authorizations", "The auth_attr Database", and "Commands That Require Authorizations".

RBAC Rights Profiles

A rights profile is a named collection of system overrides that can be assigned to a role or to a user. A rights profile can contain commands that run with a specified effective or real UID or GID, authorizations, and other (nested) rights profiles. Rights profile information is split between two databases: prof_attr holds the profile name, description, authorizations, and nested profiles, and exec_attr holds the commands together with the security attributes (UIDs and GIDs) they run with. For more information on rights profiles, see "Contents of Rights Profiles", "The prof_attr Database", and "The exec_attr Database".

Name Service Scope

Name service scope is an important concept for understanding RBAC. The scope in which a role can operate might apply to an individual host (local files) or to all hosts that are served by a name service such as NIS, NIS+, or LDAP. The precedence of local configuration files versus distributed databases is set, per database, in the file /etc/nsswitch.conf. A lookup stops at the first match, so if a profile of the same name exists in two scopes, only the entries in the first scope searched are used; the entries from the later scope are not merged in. Before relying on a profile definition, check the search order in /etc/nsswitch.conf to see which copy actually takes effect.
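The following is an added example, not code from the Solaris documentation, that ties together the three sections above (authorizations, rights profiles, and name service scope). It models the four-step resolution an RBAC-aware system performs: find the user in user_attr, expand the assigned rights profiles (including nested ones) through prof_attr, collect authorizations, and locate the exec_attr entry that governs a command. Scope precedence follows a constructed nsswitch ordering of "files ldap", with the first scope that yields a match winning. All database lines, user names, and the LDAP tree are constructed sample data in the Solaris field layouts; the hypothetical user "carol" is included only to show the effect of listing the All profile before a profile that carries euid overrides.

```python
"""Added example (not from the Solaris documentation): RBAC resolution of a
user's authorizations and command overrides from user_attr, prof_attr and
exec_attr, with nsswitch.conf-style scope precedence. Every database line
below is constructed sample data in the Solaris field layouts."""
from typing import Dict, List, Optional

# Local scope: /etc/user_attr, /etc/security/prof_attr, /etc/security/exec_attr.
FILES = {
    "user_attr": [
        "root::::auths=solaris.*,solaris.grant;profiles=All",
        "alice::::type=normal;profiles=Printer Management",
        "carol::::type=normal;profiles=All,Printer Management",  # All listed first
    ],
    "prof_attr": [
        "All:::Execute any command as the user or role:help=RtAll.html",
        "Printer Management:::Manage printers:auths=solaris.admin.printer.read,"
        "solaris.admin.printer.modify;profiles=Basic Solaris User",
    ],
    "exec_attr": [
        "All:suser:cmd:::*:",
        "Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp",
    ],
}
# Name service scope: a constructed LDAP tree serving the same databases.
LDAP = {
    "user_attr": ["bob::::type=normal;profiles=Printer Management"],
    "prof_attr": [
        # Same profile name as the local one: shadowed when files are searched first.
        "Printer Management:::Site printer admins:auths=solaris.admin.printer.delete",
        "Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read",
    ],
    "exec_attr": ["Printer Management:suser:cmd:::/usr/sbin/reject:euid=lp"],
}
SCOPES = {"files": FILES, "ldap": LDAP}
# Search order per database, as the matching lines of /etc/nsswitch.conf would give it.
NSSWITCH = {db: ["files", "ldap"] for db in ("user_attr", "prof_attr", "exec_attr")}


def parse_attr(field: str) -> Dict[str, List[str]]:
    """Parse a 'key=v1,v2;key=v' attribute field into lists of values."""
    out: Dict[str, List[str]] = {}
    for kv in filter(None, field.split(";")):
        key, _, val = kv.partition("=")
        out[key] = val.split(",") if val else []
    return out


def lookup(db: str, key: str) -> List[List[str]]:
    """First-match lookup: all entries for `key` from the first scope (in
    nsswitch order) that has any; later scopes are never merged in."""
    for scope in NSSWITCH[db]:
        hits = [e.split(":") for e in SCOPES[scope][db] if e.split(":", 1)[0] == key]
        if hits:
            return hits
    return []


def expand_profiles(names: List[str], seen: Optional[List[str]] = None) -> List[str]:
    """Depth-first expansion of nested profiles, keeping assignment order."""
    seen = [] if seen is None else seen
    for name in names:
        if name not in seen:
            seen.append(name)
            for entry in lookup("prof_attr", name):
                expand_profiles(parse_attr(entry[4]).get("profiles", []), seen)
    return seen


def user_auths(user: str) -> List[str]:
    """Authorizations granted directly in user_attr plus those of every profile."""
    entry = lookup("user_attr", user)
    if not entry:
        return []
    attrs = parse_attr(entry[0][4])
    auths = list(attrs.get("auths", []))
    for prof in expand_profiles(attrs.get("profiles", [])):
        for p in lookup("prof_attr", prof):
            auths += parse_attr(p[4]).get("auths", [])
    return auths


def has_auth(user: str, auth: str) -> bool:
    """The check an RBAC-aware application makes instead of testing for UID 0.
    A granted name ending in '.*' covers every authorization under that prefix."""
    return any(g == auth or (g.endswith(".*") and auth.startswith(g[:-1]))
               for g in user_auths(user))


def exec_entry(user: str, cmd: str) -> Optional[Dict[str, List[str]]]:
    """Security attributes applied to `cmd`: profiles are searched in assignment
    order and the first matching command entry wins, so the All profile's '*'
    entry masks any euid/uid override in a profile listed after it."""
    entry = lookup("user_attr", user)
    if not entry:
        return None
    for prof in expand_profiles(parse_attr(entry[0][4]).get("profiles", [])):
        for e in lookup("exec_attr", prof):
            if e[2] == "cmd" and e[5] in (cmd, "*"):
                return parse_attr(e[6])
    return None
```

Two results are worth noticing when you run it. `has_auth("alice", "solaris.admin.printer.delete")` is false and `exec_entry("alice", "/usr/sbin/reject")` is `None`, because the local Printer Management profile shadows the LDAP copy entirely, while "Basic Solaris User" is still found in LDAP since no local copy exists. And `exec_entry("carol", "/usr/sbin/accept")` returns an empty attribute set rather than `euid=lp`: with All assigned first, its `*` entry matches before the printer profile is consulted, which is why the All profile belongs last in any profile list.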
