Home > Articles > Operating Systems, Server > Solaris

  • Print
  • + Share This
Like this article? We recommend

Like this article? We recommend

Chapter 3: Solaris Management Console Launcher

The Solaris Management Console launcher is a Java™ technology-based console for launching administrative tools. It is a key part of the RBAC implementation in the Solaris 8 environment, version 1/01.

However, the operation of the launcher and tools is beyond the scope of this article. For more information, refer to the Solaris Management Console online help.

The Solaris Management Console tool suite interoperates with RBAC in four ways:

  • Provides an interface for assuming roles and indicates role assumed in the tool windows

  • Manages the elements of the RBAC infrastructure

  • Restricts access to Solaris Management Console tools based on authorizations within the scope of the current server

  • Executes legacy applications with security attributes

Main Window

When the launcher is first invoked, the main console window is displayed (Figure 5). At this point, there are no tools loaded and the default toolbox (This Computer) is displayed in the navigation pane.

The scope of a tool is specified in the tool box. It is either files, nis, nisplus, or ldap. Each of these is further qualified by the server name and domain.

Each toolbox has a defined scope of operation, that is, it can be set to use the RBAC databases on the local host or from the name service. The scope attributes govern the behavior of that toolbox and specify which users or roles are permitted to use it. In some cases, it may be useful to set up multiple toolboxes with different characteristics for different scopes.

Figure 5 Initial State of the Main Solaris Management Console Window.

This Computer operates on a local scope. It includes the following categories (folders) and tools, by default:

  • System Status: Processes, Log Viewer

  • System Configuration: Users

  • Services: Scheduled Jobs, Solaris Management Console Server

  • Storage: Mounts and Shares, Disks

  • Devices and Hardware: Serial Ports

The next step is to select the toolbox that contains the appropriate tools and scope of operation. This can be accomplished by choosing New Console or Open Toolbox from the Console menu to select a different set of tools. Otherwise, simply double-click the tool or collection within the This Computer toolbox. RBAC management is handled by tools in the User Collection (Figure 4).

Assuming a Role through the Solaris Management Console Interface

Double-clicking a tool or collection displays a login dialog box for the user to be authenticated. If any roles are assigned to the user, a second login dialog box with a role option menu for assuming roles is displayed. The user should then assume the role with the capabilities appropriate to the tasks to be performed.

Managing RBAC Elements

The RBAC elements are managed by the following tools in the Solaris Management Console User Tool collection (Figure 6):

  • User Accounts tool

  • Administrative Roles tool

  • Rights tool

Double-clicking a tool icon launches the tool and displays the data icons for that tool in the view pane at the right of the window.

Figure 6 Solaris Management Console User Collection.

User Accounts Tool

The User Accounts tool manages the rights profiles and roles assigned to a specific user (in addition to nonRBAC user data). Double-clicking a user icon displays the User Properties dialog box, for viewing or changing the current user's data. Figure 7 shows the User Properties dialog box with the Rights tab selected.

Rights profiles in the Available column on the left can be assigned to the current user; rights profiles in the Granted column on the right are already assigned to the user. The Add and Remove buttons are for switching rights profiles between columns. The Move Up and Move Down buttons change the order of the assigned rights profiles. As mentioned previously, the order of assignment determines which security attributes assigned to a duplicated command will take precedence.

The Roles tab operates in similar fashion for viewing or changing the roles assigned to the user.

Figure 7 Assigning Rights Profiles in the User Properties Dialog Box.

Administrative Roles Tool

The Administrative Roles tool is for defining a role and assigning users to the role. The properties dialog box for the Administrative Roles tool is similar to the User Tool version except for these minor differences:

  • The Password Options, Mail, and Roles tabs in the User Tool are not available in the Roles Tool, because they are not applicable to roles.

  • The Users tab in the Roles Tool provides a convenient means of assigning the role to users.

  • The General tab for roles properties permits a profile shell (referred to as role shell in the GUI) to be selected for the role (Figure 8).

Figure 8 Administrative Roles Tool Properties Dialog Box.

Rights Profile Tool

The Rights Profile tool is for building or modifying rights profiles, using commands with security attributes, authorizations, and supplementary rights profiles. Figure 9 shows how authorizations are assigned. Note that the authorizations are grouped to indicate their hierarchy.

Figure 9 Assigning Authorizations in Rights Tool.

Assignments of commands with security attributes are made in the Commands tab of the Rights tool. To add security attributes to a command, move the command to the Commands Permitted column, select it, and click the Set Security Attributes button at the bottom of the column. This displays a dialog box for choosing administrative user or group, and real or effective ID.

How Authorizations Restrict Solaris Management Console Operations

A site can use authorizations to control which roles can perform which tasks. Table 8 shows examples of how authorizations are required for specific operations.

Table 8

Tool

Dialog Box

Task (Required Authorizations)

User

Properties

View users (solaris.admin.usermgr.read)

Edit users (solaris.admin.usermgr.write)

Assign rights (solaris.admin.profmgr.assign)

Delegate rights (solaris.profmgr.delegate)

Assign roles (solaris.role.assign)

Delegate roles (solaris.role.delegate)

Change password (solaris.admin.usermgr.pswd)

Administrative Roles

Properties

View roles (solaris.admin.usermgr.read)

Edit roles (solaris.role.write)

Assign roles (solaris.role.assign)

Delegate roles (solaris.role.delegate)

Delegate rights (solaris.profmgr.delegate)

Administrative Roles

Add Role Wizard

Edit roles (solaris.role.write)

Assign roles (solaris.role.assign)

Administrative Roles

Assign Role

Assign roles (solaris.role.assign)

Delegate roles (solaris.role.delegate)

Right

Rights Properties

View rights (solaris.admin.profmgr.read)

Edit Rights (solaris.admin.profmgr.write)

Delegate rights (solaris.profmgr.delegate)

Rights

Add Right

Edit rights (solaris.profmgr.write)


Securing Legacy Applications

In addition to the default Solaris Management Console toolboxes, other tools and toolboxes can be made available to users. Custom tools can be JavaBeans™ applications that have been developed specifically for the Solaris Management Console launcher, other Java™ applications, or legacy applications. (The term legacy application refers to Solaris and Trusted Solaris applications that are not written specifically for the Solaris Management Console launcher.)

Sites are free to add their own Java and legacy applications to be accessed through the launcher. These applications can be restricted to specific roles. The Solaris Management Console interface automatically sets up X11 tools with the proper environment for remote display. Command-line applications can be started from the Solaris Management Console window. An additional terminal window is started for them automatically.

  • + Share This
  • 🔖 Save To Your Account