The RBAC Databases

Four RBAC databases provide users access to privileged operations.

• /etc/user_attr (extended user attributes database)— Associates users and roles with authorizations and execution profiles.

• /etc/security/auth_attr (authorization attributes database)— Defines authorizations and their attributes and identifies the associated help file.

• /etc/security/prof_attr (execution profile attributes database)— Defines profiles, lists the profile's assigned authorizations, and identifies the associated help file.

• /etc/security/exec_attr (profile execution attributes database)— Defines the privileged operations assigned to a profile.

The user_attr database is the only database that is required. Use of the other databases depends on which security features are implemented.

You can directly assign authorizations and profiles to users in the user_attr database. You can also assign the user to a role to give the user access to any privileged operations associated with that role.

Profiles are defined in the prof_attr database and can include authorizations defined in auth_attr and commands with attributes defined for that profile in exec_attr.

The pfexec(1) command executes commands with the attributes specified by the user profiles in the exec_attr(4) database. Commands that are assigned to profiles are run in special shells called profile shells.

• pfsh corresponds to the Bourne shell (sh).

• pfcsh corresponds to the C shell (csh).

• pfksh corresponds to the Korn (ksh) shell.

See the pfexec(1) manual page for more information.