
In SmartOS, Role Based Access Control (RBAC) offers system administrators a wide degree of flexibility and power for managing user access rights. One of the keys to using RBAC is managing access through a Rights profile shell. A Rights profile is a collection of administrative capabilities that system administrators can assign to a role or to a user.

System administrators can define specific commands normally reserved for root access that normal users can run from a specific profile. This eliminates the hazard of distributing root access to normal users who only need to run specific commands that require root access.


At a Glance

This topic points out the power of using pfexec as a replacement for sudo on a SmartMachine.

Sudo vs. pfexec

One of the main problems with sudo is its lack of privilege awareness: for normal users, sudo is an "all or nothing" proposition that grants access to the entire system. As with sudo, you run a command under pfexec by prepending pfexec to it. The command executes as if the user had root privileges, provided the command is available to the profile shell.

Other advantages and disadvantages of using pfexec vs. using sudo are listed below.

Advantages of using sudo

  • Cross-platform compatible
  • Support for control of CLI arguments
  • Support for setting per command environment variables

Advantages of using pfexec

  • Offers complete granularity for defining privileges
  • Root login credentials never have to be exposed to normal users
  • Taking away root privileges is as easy as removing the profile that grants them from the user's account
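
To make the granularity point concrete, the following added example (not part of the original page or of SmartOS itself) reads rights-profile entries in the exec_attr(4) layout and reports which commands a set of profiles lets pfexec elevate, then flags the ones that run with full root. The profile names "Web Restart" and "Net Debug" and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the exec_attr(4) layout used by SmartOS/illumos RBAC:
#   profile:policy:type:res1:res2:command:attributes
# On a real system these entries live in /etc/security/exec_attr.
# "Web Restart" and "Net Debug" are made-up profile names.
sample_exec_attr() {
    cat <<'EOF'
# profile:policy:type:res1:res2:id:attr
Web Restart:solaris:cmd:::/usr/sbin/svcadm:euid=0
Web Restart:solaris:cmd:::/usr/bin/tail:privs=file_dac_read
Net Debug:solaris:cmd:::/usr/sbin/snoop:privs=net_rawaccess
Primary Administrator:suser:cmd:::*:uid=0;gid=0
EOF
}

# Print "profile<TAB>command<TAB>attributes" for every command entry that
# belongs to one of the comma-separated profiles in $1 (exec_attr on stdin).
profile_grants() {
    awk -F: -v want="$1" '
        BEGIN { n = split(want, p, ","); for (i = 1; i <= n; i++) wanted[p[i]] = 1 }
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        ($1 in wanted) && $3 == "cmd" { printf "%s\t%s\t%s\n", $1, $6, $7 }
    '
}

# Of those grants, print "profile<TAB>command" for the ones that amount to
# full root for that command: uid or euid 0, the "all" privilege set, or a
# wildcard command. Entries that only add named privileges are not flagged.
root_grants() {
    profile_grants "$1" | awk -F'\t' '
        { attrs = ";" $3 ";" }
        $2 == "*" || attrs ~ /;e?uid=0;/ || attrs ~ /;privs=all;/ {
            print $1 "\t" $2
        }
    '
}

# Review two profiles assigned to an ordinary user.
sample_exec_attr | root_grants "Web Restart,Net Debug"
```

Running the same two functions against the real exec_attr file with a user's assigned profiles gives a quick review of what that user can do through pfexec before or after a profile is added or removed.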