'\" te
.\" Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
.TH auths 1 "10 Mar 2015" "SunOS 5.11" "User Commands"
.SH NAME
auths \- manage and list authorizations
.SH SYNOPSIS
.LP
.nf
\fBauths\fR [\fIuser\fR]...
.fi
.LP
.nf
\fBauths\fR \fBlist\fR [\fB-S\fR \fIrepository\fR] [\fB-vx\fR] [\fB-u\fR \fIuser\fR]
.fi
.LP
.nf
\fBauths\fR \fBinfo\fR [\fB-S\fR \fIrepository\fR] [\fB-v\fR] [\fIauthorization\fR]
.fi
.LP
.nf
\fBauths\fR \fBcheck\fR [\fB-u\fR \fIuser\fR] \fIauthorization\fR
.fi
.LP
.nf
\fBauths\fR \fBadd\fR [\fB-S\fR \fIrepository\fR] \fB-t\fR \fIdescription\fR [\fB-h\fR \fIhelp_file_path\fR] \fIauthorization\fR
.fi
.LP
.nf
\fBauths\fR \fBmodify\fR [\fB-S\fR \fIrepository\fR] [\fB-t\fR \fIdescription\fR] [\fB-h\fR \fIhelp_file_path\fR] \fIauthorization\fR
.fi
.LP
.nf
\fBauths\fR \fBremove\fR [\fB-S\fR \fIrepository\fR] \fIauthorization\fR
.fi
.SH DESCRIPTION
.sp
.LP
The \fBauths\fR command prints on standard output the authorizations that you or the optionally-specified user or role have been granted. Authorizations are rights that are checked by certain privileged programs to determine whether a user may execute restricted functionality.
.sp
.LP
The command also creates and modifies an authorization and its properties in the \fBauth_attr\fR(4) database in the local files name service or LDAP name service.
.sp
.LP
An administrator must be granted the Rights Management Profile to be able to manage the authorizations in the \fBauth_attr\fR(4) database with the add, modify, or remove subcommands.
.sp
.LP
Each user may have zero or more authorizations. Authorizations are represented by fully-qualified names, which identify the organization that created the authorization and the functionality that it controls.
Following the Java convention, the hierarchical components of an authorization are separated by dots (\fB\&.\fR), starting with the reverse order Internet domain name of the creating organization, and ending with the specific function within a class of authorizations. Authorizations cannot end with a dot (\fB\&.\fR).
.sp
.LP
An asterisk (\fB*\fR) indicates all authorizations in a class.
.sp
.LP
A user's authorizations are looked up in \fBuser_attr\fR(4) and in the \fB/etc/security/policy.conf\fR file (see \fBpolicy.conf\fR(4)). Authorizations may be specified directly in \fBuser_attr\fR(4) or indirectly through \fBprof_attr\fR(4). Authorizations may also be assigned to every user in the system directly as default authorizations or indirectly as default profiles in the \fB/etc/security/policy.conf\fR file.
.sp
.LP
For each user, there are two sets of profiles, an authenticated set, and an unauthenticated set. Authorizations in the authenticated set are always effective, but those in the unauthenticated set only become effective after a successful response to an authentication challenge. Such challenges are automatically issued when the user executes a command matching an entry in the authenticated profiles set. See \fBpfexec\fR(1).
.SS "Subcommands"
.sp
.ne 2
.mk
.na
\fB\fBadd [-S \fIrepository\fR] -t \fIdescription\fR [-h \fIhelp_file_path\fR] \fIauthorization\fR\fR\fR
.ad
.sp .6
.RS 4n
Create the specified authorization (\fIauthorization\fR) in the specified name-service repository (\fIrepository\fR).
.sp
If no repository option is specified, the authorization is created in the \fBfiles\fR name-service.
.RE
.sp
.ne 2
.mk
.na
\fB\fBcheck [-u \fIuser\fR] \fIauthorization\fR\fR\fR
.ad
.sp .6
.RS 4n
Check if the specified authorization (\fIauthorization\fR) has been granted to the specified username (\fIuser\fR) or the current user.
.sp
If the user has the proper authorization, \fBauths\fR exits with exit code \fB0\fR.
Otherwise, it exits with an exit code greater than \fB1\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBinfo [-S \fIrepository\fR] [-v] [\fIauthorization\fR]\fR\fR
.ad
.sp .6
.RS 4n
Check if the specified authorization (\fIauthorization\fR) is present in the specified name-service repository (\fIrepository\fR) or, if no repository is specified, in the name service looked up based on \fBnsswitch.conf\fR(4). If the specified authorization is present, it is listed and \fBauths\fR exits with return code \fB0\fR.
.sp
If no authorization is specified, \fBauths\fR prints all the authorizations present in the specified name-service repository or based on \fBnsswitch.conf\fR(4).
.RE
.sp
.ne 2
.mk
.na
\fB\fBlist [-S \fIrepository\fR] [-vx] [-u \fIuser\fR]\fR\fR
.ad
.sp .6
.RS 4n
List all the authorizations that are assigned to the specified user (\fIuser\fR), or to the current user if no username is specified, based on the name-service repository (\fIrepository\fR).
.sp
If no repository is specified, the information is looked up based on \fBnsswitch.conf\fR(4).
.RE
.sp
.ne 2
.mk
.na
\fB\fBmodify [-S \fIrepository\fR] [-t \fIdescription\fR] [-h \fIhelp_file_path\fR] \fIauthorization\fR\fR\fR
.ad
.sp .6
.RS 4n
Modify an existing authorization in the specified name-service repository. If no repository is specified, the authorization will be modified in the first name-service that it is found in based on \fBnsswitch.conf\fR(4).
.RE
.sp
.ne 2
.mk
.na
\fB\fBremove [-S \fIrepository\fR] \fIauthorization\fR\fR\fR
.ad
.sp .6
.RS 4n
Remove an existing authorization (\fIauthorization\fR) in the specified name-service repository (\fIrepository\fR).
.sp
If no repository is specified, the authorization is removed from the first name-service that it is found in based on \fBnsswitch.conf\fR(4).
.RE
.SH OPTIONS
.sp
.LP
The \fBauths\fR subcommands support the following options:
.sp
.ne 2
.mk
.na
\fB\fB-h\fR \fIhelp_file_path\fR\fR
.ad
.RS 21n
.rt
Set the location of the help file which contains information about the authorization.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-S\fR \fIrepository\fR\fR
.ad
.RS 21n
.rt
Specify the name-service repository (\fIrepository\fR) to be modified or searched. The supported repository options are \fBfiles\fR and \fBldap\fR.
.LP
Note -
.sp
.RS 2
When updating the ldap repository, both the LDAP server and client must be configured with \fBEnableShadowUpdate=true\fR.
.RE
If this option is omitted, lookup is based on \fBnsswitch.conf\fR(4).
.RE
.sp
.ne 2
.mk
.na
\fB\fB-t\fR \fIdescription\fR\fR
.ad
.RS 21n
.rt
Specify the textual description of the authorization.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-u\fR \fIuser\fR\fR
.ad
.RS 21n
.rt
Specify the user name (\fIuser\fR) for which to list or check authorizations.
.sp
If this option is omitted, the current user is used.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-v\fR\fR
.ad
.RS 21n
.rt
Print the description for the authorization.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-x\fR\fR
.ad
.RS 21n
.rt
Only print the authorizations.
.RE
.SH EXAMPLES
.LP
\fBExample 1 \fRUsing the \fBauths\fR Command
.sp
.LP
The output of the \fBauths\fR command looks as follows:
.sp
.in +2
.nf
example% auths tester01 tester02
tester01 : solaris.system.date,solaris.jobs.admin
tester02 : solaris.system.*
example%
.fi
.in -2
.sp
.sp
.LP
There is no space after the comma separating the authorization names in \fBtester01\fR.
.sp
.LP
The following command lists the authorizations that are assigned to user \fBtester01\fR.
.sp
.in +2
.nf
example% auths list -u tester01
tester01:
        solaris.jobs.admin
        solaris.system.date
.fi
.in -2
.sp
.LP
\fBExample 2 \fRListing Authorizations
.sp
.LP
The following command lists the authorizations assigned to user \fBtester01\fR with descriptions.
.sp
.in +2
.nf
example% auths list -v -u tester01
tester01:
        solaris.jobs.admin      Manage All Jobs
        solaris.system.date     Set Date & Time
.fi
.in -2
.sp
.LP
\fBExample 3 \fRListing Authorizations
.sp
.LP
The following command lists the authorizations with descriptions in the name-service.
.sp
.in +2
.nf
example% auths info -v solaris.user.manage
solaris.user.manage: Manage user accounts
example%
.fi
.in -2
.sp
.LP
\fBExample 4 \fRAdding an Authorization
.sp
.LP
The following adds the authorization \fBsolaris.foo.manage\fR with description \fBmanage foo\fR and help file \fBAuthFoo.html\fR to the \fBfiles\fR name-service repository.
.sp
.in +2
.nf
example% auths add -t "manage foo" \e
    -h /home/abc/AuthFoo.html solaris.foo.manage
.fi
.in -2
.sp
.LP
\fBExample 5 \fRModifying an Authorization
.sp
.LP
The following example modifies the authorization \fBsolaris.foo.manage\fR, sets the description to \fBmanage foo and bar\fR, and sets the help file to \fBAuthFooBar.html\fR in LDAP.
.sp
.in +2
.nf
example% auths modify -S ldap -t "manage foo and bar" \e
    -h /home/abc/AuthFooBar.html solaris.foo.manage
.fi
.in -2
.sp
.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.RS 5n
.rt
Successful completion.
.RE
.sp
.ne 2
.mk
.na
\fB\fB1\fR\fR
.ad
.RS 5n
.rt
An error occurred.
.RE
.sp
.ne 2
.mk
.na
\fB\fB2\fR\fR
.ad
.RS 5n
.rt
User not authorized.
.RE
.SH FILES
.sp
.LP
\fB/etc/user_attr\fR
.sp
.LP
\fB/etc/security/auth_attr\fR
.sp
.LP
\fB/etc/security/policy.conf\fR
.sp
.LP
\fB/etc/security/prof_attr\fR
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
tab(@) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i)
.
ATTRIBUTE TYPE@ATTRIBUTE VALUE
_
Availability@system/core-os
.TE
.SH SEE ALSO
.sp
.LP
\fBprofiles\fR(1), \fBroles\fR(1), \fBgetauthattr\fR(3C), \fBauth_attr\fR(4), \fBpolicy.conf\fR(4), \fBprof_attr\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5)
.sp
.LP
\fIWorking With Oracle Solaris 11.3 Directory and Naming Services: LDAP\fR
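.sp
.LP
Added example, not part of the Oracle manual page: a POSIX shell illustration of how the grant lists printed in Example 1 relate to a single authorization name, including the class wildcard (\fB*\fR) and the rule that a name cannot end with a dot. The helper names grants_for, auth_covered and user_has_auth are hypothetical, and treating the wildcard as a prefix match on the class is an assumption; the authoritative check on a live system is \fBauths check\fR, which exits with \fB0\fR when the authorization is granted.

```shell
#!/bin/sh
# Added example: offline matching of an authorization against `auths` output.
# Helper names are hypothetical; the wildcard rule is an assumption (prefix match).

# Constructed sample: the `auths tester01 tester02` output shown in Example 1.
SAMPLE='tester01 : solaris.system.date,solaris.jobs.admin
tester02 : solaris.system.*'

# grants_for USER: read `auths` output on stdin, print USER's grant list.
grants_for() {
    awk -v u="$1" '{
        i = index($0, ":")
        if (i == 0) next
        name = substr($0, 1, i - 1); list = substr($0, i + 1)
        gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", list)
        if (name == u) { print list; exit }
    }'
}

# auth_covered GRANTS WANTED: return 0 if WANTED appears in the comma-separated
# GRANTS by exact name or through a class wildcard such as solaris.system.*
auth_covered() {
    _wanted=$2 _rc=1 _old_ifs=$IFS
    case $_wanted in
        ''|*.) return 1 ;;          # authorizations cannot end with a dot
    esac
    set -f; IFS=,                   # split on commas, keep "*" from globbing
    for _g in $1; do
        case $_g in
            *.\*) _prefix=${_g%\*}  # "solaris.system.*" -> "solaris.system."
                  case $_wanted in "$_prefix"?*) _rc=0 ;; esac ;;
            *)    [ "$_g" = "$_wanted" ] && _rc=0 ;;
        esac
    done
    IFS=$_old_ifs; set +f
    return $_rc
}

# user_has_auth USER AUTH: evaluate AUTH against SAMPLE. On a live system,
# replace the printf with: auths "$1"   (or simply use: auths check -u USER AUTH)
user_has_auth() {
    auth_covered "$(printf '%s\n' "$SAMPLE" | grants_for "$1")" "$2"
}

user_has_auth tester02 solaris.system.date && echo "tester02: granted via class wildcard"
user_has_auth tester01 solaris.system.time || echo "tester01: not granted"
```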