Implementing Solaris Role-Based Access Control with SMF for IBM Connect:Direct

Implementing role-based access control (RBAC) is optional. After you place IBM® Connect:Direct® under the control of SMF, only the root ID or a user ID with RBAC authorization for SMF is authorized to issue the SMF commands to stop and start IBM Connect:Direct. To authorize additional specific user IDs to stop and start IBM Connect:Direct, you must implement basic RBAC to grant authority to the user.

Many solutions exist for setting up RBAC on Solaris. If you frequently add users to or remove users from administration, consider creating role accounts and profiles. For additional RBAC information, see the Solaris System Administration Guide: Basic Administration and Solaris System Administration Guide: Advanced Administration. Consider using the following procedure if you enable only a few users.

  1. Open the file: /etc/security/auth_attr.
  2. Add the following line anywhere in the file:

    solaris.smf.manage.connect-direct:::Manage Connect Direct Service States::

    The corresponding FMRI manifest entry is copied to connect-direct.xml, so you do not need to edit the connect-direct.xml manifest file.

  3. As root, type the following command, substituting the user ID you want to authorize for userID:

    usermod -A solaris.smf.manage.connect-direct userID

  4. If this message appears: usermod: ERROR: userID is not a local user, then do the following:

    Open the file: /etc/user_attr.

    Add the following line anywhere in the file, substituting the user ID you want to authorize for userID:

    userID::::type=normal;auths=solaris.smf.manage.connect-direct

  5. If an entry for your user ID already exists in the /etc/user_attr file, merge the entries. You only merge the auths portion, which is a comma-delimited list of entries found in /etc/security/auth_attr.
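The merge in step 5, as an added example that is not part of the IBM documentation: a shell function that adds the authorization to the auths list of a user_attr-format file without disturbing the other attributes, and prints the result instead of editing the file in place. The function name merge_auth and the sample entries are constructed for illustration; it assumes a POSIX awk (on Solaris, nawk or /usr/xpg4/bin/awk).

```shell
#!/bin/sh
# Added example: merge one authorization into a user_attr-format file.
# Prints the merged result to stdout; the input file is never modified.
# usage: merge_auth FILE USERID AUTH   (merge_auth is a hypothetical helper)
merge_auth() {
    awk -F: -v user="$2" -v auth="$3" '
    BEGIN { OFS = ":" }
    # First entry for the target user; comment lines start with "#" and never match.
    $1 == user && !done {
        done = 1
        n = split($5, kv, ";")          # field 5 is the key=value;key=value list
        attrs = ""; found = 0
        for (i = 1; i <= n; i++) {
            if (kv[i] == "") continue
            if (kv[i] ~ /^auths=/) {
                found = 1
                list = substr(kv[i], 7)  # text after "auths="
                m = split(list, a, ",")
                present = 0
                for (j = 1; j <= m; j++) if (a[j] == auth) present = 1
                if (!present) kv[i] = ((list == "") ? ("auths=" auth) : (kv[i] "," auth))
            }
            attrs = ((attrs == "") ? kv[i] : (attrs ";" kv[i]))
        }
        # Entry exists but has no auths key yet: add one.
        if (!found) attrs = ((attrs == "") ? ("auths=" auth) : (attrs ";auths=" auth))
        $5 = attrs
        print; next
    }
    { print }
    # No entry for this user: append the line form shown in step 4.
    END { if (!done) print user "::::type=normal;auths=" auth }
    ' "$1"
}

# Constructed sample (not a real system file): alice already has an auths list.
sample=$(mktemp)
printf '%s\n' '# constructed user_attr sample' \
    'alice::::type=normal;auths=solaris.jobs.user;profiles=Printer Management' \
    'bob::::type=normal' > "$sample"
merge_auth "$sample" alice solaris.smf.manage.connect-direct
rm -f "$sample"
```

Compare the output with the current /etc/user_attr before installing it. Only exact authorization names are compared, so a wildcard grant is not recognized as already covering the new entry.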

The user ID is authorized to control only IBM Connect:Direct and can issue commands, including the following:

  • svcadm enable connect-direct
  • svcadm disable connect-direct
  • svcadm refresh connect-direct