How do I establish privileges for general use?

There are two different ways of assigning privileges to users. One is by running adminuser to allow the user to run a command with a set of privileges. The other is by establishing a role which assigns a set of privileges to a list of commands, then adding the user to the role. If there is a group of users who all need the same set of commands with privileges, then it is more efficient to use roles.

This shows how adminuser is used to assign privileges to a command for a user.

1) To set up privileges using adminuser, as root, first create a new user entry, for example, user "guest":

    # /usr/bin/adminuser -n guest

2) Add ksh as the command with the desired privileges for the user:

    # /usr/bin/adminuser -a ksh:/usr/bin/ksh:owner:cpubias:shmbind guest

   The list of privileges can be found in the intro(2) manual page, beginning on page 12. Notice that the privileges given on the adminrole command line are in lower case and the "P_" is dropped from the privilege name.

3) Now, the user can run tfadmin [cmd] to get the privileges:

    % /sbin/tfadmin ksh

4) Verify the privileges:

    % priv max

This shows how to use roles to assign privileges to a command for a user.

1) To establish a privilege role, run the adminrole command as root, giving a role name as an argument with the -n flag:

    # /usr/bin/adminrole -n RT_USERS

2) To add commands with required privileges to the new role:

    # /usr/bin/adminrole -a ksh:/usr/bin/ksh:owner:dev:setspriv:fpri:tshar:\
    plock:setupriv:cpubias:shmbind:userint:rtime RT_USERS

   To define a role with all privileges:

    # /usr/bin/adminrole -a ksh:/usr/bin/ksh:allprivs RT_USERS

   Next, the adminuser command adds the user "guest" to the list of those allowed to execute commands under the RT_USERS role. You must first establish the user as a privileged user with a role.

3) To add user "guest" to the RT_USERS role:

    # /usr/bin/adminuser -n -o RT_USERS guest

4) Now, guest can run the command ksh with privileges by executing:

    % /sbin/tfadmin RT_USERS: /usr/bin/ksh

5) To verify the privileges, run:

    % sh -c "priv work"    (to show working privileges)

   or

    % sh -c "priv max"     (to show maximum privileges)

OTHER NOTES:

Invoking adminrole without options lists all the defined roles and their associated privileges. Likewise, invoking adminuser without options lists all users with their assigned roles. To display a specific user's role and associated commands, invoke "/usr/bin/adminuser ".

For more information on adminuser(1M), adminrole(1M), and tfadmin(1M), please refer to the manual pages.
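
The entries passed to adminuser -a and adminrole -a above have the shape name:path:privilege[:privilege...]. The following is an added example, not part of the original page or of the system's own tools: a shell function that checks such an entry before it is applied, rejecting privilege names that are not lower case or still carry the "P_" prefix and flagging an allprivs grant for review. The name check_entry and its return codes are hypothetical, and the entry grammar is assumed from the examples on this page.

```shell
#!/bin/sh
# Added example: lint a "name:path:priv[:priv...]" entry before handing it
# to adminuser -a or adminrole -a. check_entry is a hypothetical helper.
# Returns 0 = well-formed, 1 = malformed, 2 = well-formed but grants allprivs.
check_entry() {
    entry=$1
    case $entry in
        *:*:*) ;;
        *) echo "malformed: need name:path:privilege[:privilege...]" >&2; return 1 ;;
    esac
    name=${entry%%:*}      # first field: command name
    rest=${entry#*:}
    path=${rest%%:*}       # second field: full path of the command
    privs=${rest#*:}       # remaining fields: privilege names
    [ -n "$name" ] || { echo "malformed: empty command name" >&2; return 1; }
    [ -n "$privs" ] || { echo "malformed: no privileges listed" >&2; return 1; }
    case $path in
        /*) ;;
        *) echo "malformed: path '$path' is not absolute" >&2; return 1 ;;
    esac
    status=0
    old_ifs=$IFS; IFS=:; set -f          # split the privilege list on ':'
    for p in $privs; do
        case $p in
            '') echo "malformed: empty privilege field" >&2; status=1 ;;
            allprivs)
                echo "review: '$name' would be granted every privilege" >&2
                [ "$status" -eq 1 ] || status=2 ;;
            P_*|p_*) echo "malformed: drop the P_ prefix from '$p'" >&2; status=1 ;;
            *[[:upper:]]*) echo "malformed: '$p' must be lower case" >&2; status=1 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return "$status"
}

# Constructed sample entries; the first and last are the forms shown above.
for e in "ksh:/usr/bin/ksh:owner:cpubias:shmbind" \
         "ksh:/usr/bin/ksh:P_OWNER:cpubias" \
         "ksh:/usr/bin/ksh:allprivs"; do
    rc=0; check_entry "$e" || rc=$?
    echo "$e -> $rc"
done
```
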