Role-Based Access Control

A powerful type of access control, called role-based access control (RBAC), is provided by Solaris. RBAC can provide a high level of security on systems and networks where users are restricted in their capabilities. RBAC is based on the principle of least privilege, which means that a user is granted only the privileges necessary to perform those jobs this user needs to perform. Ordinary users on a system require sufficient privilege to do tasks of a user rather than an administrator, such as running applications, creating and editing files, printing files, and so on. Capabilities beyond those of ordinary users, including administrative tasks, such as adding new users, scheduling tasks, adding or removing devices, managing printers, and so on, are grouped into rights profiles. When a user must perform a task that requires some of the capabilities of the superuser, this user assumes a role that requires the use of capabilities in the appropriate rights profile. Solaris comes with three default rights profiles; the rules and the assignment of profiles are left to the owner of the system. The three default rights profiles are: Primary Administrator, granted the capabilities of superuser; System Administrator, granted the capabilities required for system administration not related to security; and Operator, granted the capabilities required for basic administrative tasks, such as system backups, device management, and printer management.

In UNIX systems, the capabilities of the superuser, or root, are not limited. The superuser can read and write to any file, run all programs, and send signals to every process, including the kill signal. Furthermore, setuid programs, which have all the privileges of root, can do anything the superuser can. So, anybody or any program that can become superuser can cause havoc on a system or a network. For instance, this person or program could read private files, modify a firewall, change an audit trail, and even shut down a network.

Role-based access controls support a fine-grained enforcement of a security policy, whereas the superuser model offers only an all-or-nothing approach. The rights profiles that contain particular subsets of the capabilities of root are assigned to special user accounts called roles. When a user needs to carry out a job, that user is allowed to assume a particular role, granting all the capabilities required to do that job. Rights profiles can be broadly defined to fit the needs of users who perform a wide variety of tasks. For example, one of the default rights profiles is that of the Primary Administrator, who has all the capabilities of a superuser on a traditional UNIX host. But rights profiles can also be narrowly defined. For instance, we can specify that the Cron Management rights profile has the capabilities of managing at and cron jobs.

Once rights profiles have been defined, the roles can be created by the superuser. Next, the superuser assigns each role to the user or users trusted to do the tasks of that role. Once a user logs in, that user can assume any of the roles granted to that user and can run restricted administrative commands, as well as restricted GUIs for administrative tasks.

How roles are defined is a function of the security needs of an organization. For instance, roles can be established for security administrators, network administrators, firewall and proxy administration, printer management, and so on. Another commonly defined role is the role of advanced user. This role is for users who should be able to administer portions of their own computers.

For more information about RBAC, including the concepts behind, the Solaris implementations, and information about how to implement and use RBAC in Solaris, see the Solaris documentation on RBAC, which can be reached by first going to http://docs.sun.com/app/docs/, or Solaris 10: The Complete Reference by Paul Watters.