RBAC
I have gone ahead and set up RBAC rules for some web application admins. It is fairly similar to sudo. The process is as follows:
1. Define the role in /etc/security/prof_attr
Web Admin:::Web Admins:help=RtDefault.html
2. Define the applications that role can run and the uid it runs under in /etc/security/exec_attr:
Web Admin:suser:cmd:::/etc/init.d/apache:euid=0
Web Admin:suser:cmd:::/etc/init.d/coldfusionmx:euid=0
Web Admin:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0
Web Admin:suser:cmd:::/usr/local/apache/bin/htpasswd:euid=0
Web Admin:suser:cmd:::/usr/local/apache/bin/rotatelogs:euid=0
Web Admin:suser:cmd:::/opt/coldfusionmx/bin/cfusion:euid=0
..
3. Create a role user account:
# useradd -g 14 -d /home/webadm -s /bin/pfksh \
    -c "Web Administrative Account" -m webadm
4. Add the role to /etc/user_attr using the name defined for the profile in step 1 above:
webadm::::profiles=Web Admin;type=role
5. Add users to the role:
# usermod -R webadm <username>
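A consistency check for the files edited in steps 1 to 4, as an added example that is not part of the original post: it parses prof_attr, exec_attr and user_attr, flags profile names that do not match across them, and lists the commands each role runs with uid or euid 0. The function names are hypothetical, and the sample contents are constructed from the entries above, with one deliberate typo ("Web Admn").

```python
# Added example: sample file contents are constructed from the entries above.
PROF_ATTR = "Web Admin:::Web Admins:help=RtDefault.html\n"
EXEC_ATTR = (
    "Web Admin:suser:cmd:::/etc/init.d/apache:euid=0\n"
    "Web Admin:suser:cmd:::/usr/local/apache/bin/htpasswd:euid=0\n"
    # Constructed typo ("Web Admn") to show what the check catches.
    "Web Admn:suser:cmd:::/opt/coldfusionmx/bin/cfusion:euid=0\n"
)
USER_ATTR = "webadm::::profiles=Web Admin;type=role\n"

def records(text, nfields):
    """Yield the colon-separated fields of each well-formed, non-comment line."""
    for line in text.splitlines():
        fields = line.strip().split(":", nfields - 1)
        if not line.startswith("#") and len(fields) == nfields:
            yield fields

def attrs(field):
    """Parse a 'key=value;key=value' attribute field into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def audit(prof_attr, exec_attr, user_attr):
    """Return (findings, {role: [commands run with uid or euid 0]})."""
    defined = {r[0] for r in records(prof_attr, 5)}
    findings, root_cmds = [], {}
    for name, _pol, _type, _r1, _r2, cmd, attr in records(exec_attr, 7):
        if name not in defined:
            findings.append(f"exec_attr: {cmd} names undefined profile {name!r}")
        a = attrs(attr)
        if {a.get("uid"), a.get("euid")} & {"0", "root"}:
            root_cmds.setdefault(name, []).append(cmd)
    per_role = {}
    for user, _q, _r1, _r2, attr in records(user_attr, 5):
        a = attrs(attr)
        if a.get("type") != "role":
            continue
        profiles = [p for p in a.get("profiles", "").split(",") if p]
        for p in profiles:
            if p not in defined:
                findings.append(f"user_attr: {user} names undefined profile {p!r}")
        per_role[user] = [c for p in profiles for c in root_cmds.get(p, [])]
    return findings, per_role

if __name__ == "__main__":
    findings, per_role = audit(PROF_ATTR, EXEC_ATTR, USER_ATTR)
    for f in findings:
        print("WARN", f)
    for role, cmds in per_role.items():
        print(role, "runs as root:", ", ".join(cmds))
```

To check a live system, pass the contents of /etc/security/prof_attr, /etc/security/exec_attr and /etc/user_attr to audit() in place of the sample strings.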