Role-Based Access Control and SMC
The SMC Users tools provide an easy way to administer role-based access control (RBAC). RBAC is a security feature that provides a flexible way to package certain superuser privileges for assignment to user accounts. You no longer need to give users all superuser privileges to enable them to perform a set of tasks that require superuser privileges. In the traditional security model, the superuser has every privilege and other users do not have enough power to fix their own problems. RBAC gives you an alternative to that all-or-nothing model.
With RBAC, you can divide superuser capabilities into several packages and assign them separately to individuals who share administrative responsibilities. When you separate superuser privileges with RBAC, users can have a variable degree of access and system administrators can control delegation of privileged operations to other users.
RBAC uses rights and roles to control a user's access to superuser capabilities. A right is a group of RBAC authorizations and commands with special attributes. A role is an account with all the attributes of a user account, including a name, user ID (UID), password, and home directory. A role also has a specific set of administrative rights. Instead of a login shell, a role has a role shell (for example, Administrator's Bourne instead of Bourne shell). The root account is a role with all rights, whereas other roles have more limited rights.
You can assign a user account one or more individual rights. You can also add a user account to a role, which grants that user account all the rights associated with that role. Users can have individual rights and can also be assigned to one or more role accounts.
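An added example, not part of the original page or of SMC: a Python audit of the model described above that lists, for each user account, the rights it holds directly, the rights it gains only by assuming a role, and whether it can assume root. It assumes the Solaris user_attr(4) entry layout (name:qualifier:res1:res2:attr), which the page does not show; the sample entries and the function names are constructed for illustration.

```python
# Constructed sample entries in the assumed user_attr(4) layout; not from a real system.
SAMPLE_USER_ATTR = """\
root::::type=role
sysadmin::::type=role;profiles=User Management,Printer Management
alice::::type=normal;roles=sysadmin;profiles=Media Backup
bob::::type=normal;roles=root,sysadmin
carol::::type=normal
dave::::type=normal;roles=carol
"""

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_user_attr(text):
    """Parse entries into {name: {"type", "profiles", "roles"}}."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # skip malformed entries rather than guess at them
        kv = dict(p.split("=", 1) for p in fields[4].split(";") if "=" in p)
        accounts[fields[0]] = {"type": kv.get("type", "normal"),
                               "profiles": _csv(kv.get("profiles", "")),
                               "roles": _csv(kv.get("roles", ""))}
    return accounts

def audit(accounts):
    """Per user: direct rights, rights reachable per role, bad role references."""
    report = {}
    for name, acct in accounts.items():
        if acct["type"] == "role":
            continue  # roles are assumed by users; they are not audited as users
        via_role, dangling = {}, []
        for role in acct["roles"]:
            target = accounts.get(role)
            if target is not None and target["type"] == "role":
                via_role[role] = target["profiles"]
            else:
                dangling.append(role)  # missing, or names a normal user account
        report[name] = {"direct": acct["profiles"], "via_role": via_role,
                        "dangling": dangling, "can_assume_root": "root" in via_role}
    return report

if __name__ == "__main__":
    for user, row in audit(parse_user_attr(SAMPLE_USER_ATTR)).items():
        print(user, row)
```

Users flagged with can_assume_root hold every right through the root role, so they are the accounts to review first when checking how far superuser capability has been delegated.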