'\" te
.\" Copyright 1989 AT&T All Rights Reserved.
.\" Portions Copyright (c) 1989, 2014, Oracle and/or its affiliates. All rights reserved.
.TH roleadd 1M "27 Feb 2014" "SunOS 5.11" "System Administration Commands"
.SH NAME
roleadd \- administer a new role account on the system
.SH SYNOPSIS
.LP
.nf
\fBroleadd\fR [\fB-c\fR \fIcomment\fR] [\fB-b\fR \fIbase_dir\fR | \fB-d\fR \fIdir\fR] [\fB-e\fR \fIexpire\fR] [\fB-f\fR \fIinactive\fR] 
     [\fB-g\fR \fIgroup\fR] [\fB-G\fR \fIgroup\fR [, \fIgroup\fR...]] [\fB-m\fR [\fB-k\fR \fIskel_dir\fR]] 
     [\fB-u\fR \fIuid\fR [\fB-o\fR]] [\fB-s\fR \fIshell\fR] [\fB-S\fR \fIrepository\fR]
     [\fB-A\fR \fIauthorization\fR [,\fIauthorization...\fR]] [\fB-K\fR \fIkey=value\fR] \fIrole\fR
.fi

.LP
.nf
\fBroleadd\fR \fB-D\fR [\fB-b\fR \fIbase_dir\fR | \fB-d\fR \fIdir\fR] [\fB-e\fR \fIexpire\fR] [\fB-f\fR \fIinactive\fR] 
     [\fB-g\fR \fIgroup\fR] [\fB-A\fR \fIauthorization\fR [,\fIauthorization...\fR]] 
     [\fB-P\fR \fIprofile\fR [,\fIprofile...\fR] [\fB-K\fR \fIkey=value\fR]]
.fi

.SH DESCRIPTION
.sp
.LP
\fBroleadd\fR adds a role entry to the \fBpasswd\fR and \fBshadow\fR and \fBuser_attr\fR databases specified by the \fB-S\fR option. The default repository is \fBfiles\fR. The \fB-A\fR and \fB-P\fR options respectively assign authorizations and profiles to the role. Roles cannot be assigned to other roles. The \fB-K\fR option adds a \fIkey=value\fR pair to \fBuser_attr\fR for a role. Multiple \fIkey=value\fR pairs can be added with multiple \fB-K\fR options.
.sp
.LP
\fBroleadd\fR also creates supplementary group memberships for the role (\fB-G\fR option) and creates the home directory (\fB-m\fR option) for the role if requested. The new role account remains locked until the \fBpasswd\fR(1) command is executed.
.sp
.LP
Specifying \fBroleadd\fR \fB-D\fR with the \fB-g\fR, \fB-b\fR, \fB-f\fR, \fB-e\fR, or \fB-K\fR option (or any combination of these option) sets the default values for the respective fields. See the \fB-D\fR option. Subsequent \fBroleadd\fR commands without the \fB-D\fR option use these arguments.
.sp
.LP
The system file entries created with this command have a limit of 512 characters per line. Specifying long arguments to several options can exceed this limit.
.sp
.LP
The role (\fBrole\fR) field accepts a string of no more than eight bytes consisting of characters from the set of alphabetic characters, numeric characters, period (\fB\&.\fR), underscore (\fB_\fR), and hyphen (\fB-\fR). The first character should be alphabetic and the field should contain at least one lower case alphabetic character. A warning message is written if these restrictions are not met. A future Solaris release might refuse to accept role fields that do not meet these requirements. 
.sp
.LP
The \fBrole\fR field must contain at least one character and must not contain a colon (\fB:\fR) or a newline (\fB\en\fR).
.sp
.LP
An administrator must be granted the User Management Profile to be able to create a new role. The authorizations required to set the various fields in \fBpasswd\fR, \fBshadow\fR and \fBuser_attr\fR can be found in \fBpasswd\fR(4), \fBshadow\fR(4), and \fBuser_attr\fR(4). The authorizations required to assign groups can be found in \fBgroup\fR(4).
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-A\fR \fIauthorization\fR\fR
.ad
.sp .6
.RS 4n
One or more comma separated authorizations defined in \fBauth_attr\fR(4). Only a user or role who has grant rights to the authorization can assign it to an account
.RE

.sp
.ne 2
.mk
.na
\fB\fB-b\fR \fIbase_dir\fR\fR
.ad
.sp .6
.RS 4n
The default base directory for the system if \fB-d\fR \fIdir\fR is not specified. \fIbase_dir\fR is concatenated with the account name to define the home directory. If the \fB-m\fR option is not used, \fIbase_dir\fR must exist.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-c\fR \fIcomment\fR\fR
.ad
.sp .6
.RS 4n
Any text string. It is generally a short description of the role. This information is stored in the role's \fBpasswd\fR entry.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-d\fR \fIdir\fR | \fIserver\fR:\fIdir\fR\fR
.ad
.sp .6
.RS 4n
Specifies the home directory path for the new role. If no server name is specified, the specified directory is maintained in the \fBpasswd\fR(4) database.
.sp
The optional server name specifies the host on which the home directory resides. Entries in this form depend on the automounter, and are maintained in the \fBauto_home\fR map. The path \fB/home/\fIusername\fR\fR is maintained in the \fBpasswd\fR(4) database. When the user subsequently references \fB/home/\fIusername\fR\fR, the automounter will mount the specified directory on \fB/home/\fIusername\fR\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-D\fR\fR
.ad
.sp .6
.RS 4n
Display the default values for \fIgroup\fR, \fIbase_dir\fR, \fIskel_dir\fR, \fIshell\fR, \fIinactive\fR, \fIexpire\fR and \fIkey=value\fR pairs. When used with the \fB-g\fR, \fB-b\fR, \fB-f\fR, or \fB-K\fR, options, the \fB-D\fR option sets the default values for the specified fields. The default values are:
.sp
.ne 2
.mk
.na
\fBgroup\fR
.ad
.sp .6
.RS 4n
\fBother\fR (\fBGID\fR of 1)
.RE

.sp
.ne 2
.mk
.na
\fBbase_dir\fR
.ad
.sp .6
.RS 4n
\fB/export/home\fR
.RE

.sp
.ne 2
.mk
.na
\fBskel_dir\fR
.ad
.sp .6
.RS 4n
\fB/etc/skel\fR
.RE

.sp
.ne 2
.mk
.na
\fBshell\fR
.ad
.sp .6
.RS 4n
\fB/bin/pfsh\fR
.RE

.sp
.ne 2
.mk
.na
\fBinactive\fR
.ad
.sp .6
.RS 4n
\fB0\fR
.RE

.sp
.ne 2
.mk
.na
\fBexpire\fR
.ad
.sp .6
.RS 4n
Null
.RE

.sp
.ne 2
.mk
.na
\fBauths\fR
.ad
.sp .6
.RS 4n
Null
.RE

.sp
.ne 2
.mk
.na
\fBprofiles\fR
.ad
.sp .6
.RS 4n
Null
.RE

.sp
.ne 2
.mk
.na
\fBkey=value (pairs defined in \fBuser_attr\fR(4)\fR
.ad
.sp .6
.RS 4n
not present
.RE

.RE

.sp
.ne 2
.mk
.na
\fB\fB-e\fR \fIexpire\fR\fR
.ad
.sp .6
.RS 4n
Specify the expiration date for a role. After this date, no user is able to access this role. The expire option argument is a date entered using one of the date formats included in the template file \fB/etc/datemsk\fR. See \fBgetdate\fR(3C).
.sp
If the date format that you choose includes spaces, it must be quoted. For example, you can enter \fB10/6/90\fR or \fBOctober 6, 1990\fR. A null value (\fB" "\fR) defeats the status of the expired date. This option is useful for creating temporary roles.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-f\fR \fIinactive\fR\fR
.ad
.sp .6
.RS 4n
The maximum number of days allowed between uses of a role ID before that ID is declared invalid. Normal values are positive integers. A value of \fB0\fR defeats the status.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-g\fR \fIgroup\fR\fR
.ad
.sp .6
.RS 4n
An existing group's integer ID or character-string name. Without the \fB-D\fR option, it defines the new role's primary group membership and defaults to the default group. You can reset this default value by invoking \fBroleadd\fR \fB-D\fR \fB-g\fR \fIgroup\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-G\fR \fIgroup\fR\fR
.ad
.sp .6
.RS 4n
An existing group's integer \fBID\fR or character-string name. It defines the new role's supplementary group membership. Duplicates between \fIgroup\fR with the \fB-g\fR and \fB-G\fR options are ignored. No more than \fBNGROUPS_MAX\fR groups can be specified.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-k\fR \fIskel_dir\fR\fR
.ad
.sp .6
.RS 4n
A directory that contains skeleton information (such as \fB\&.profile\fR) that can be copied into a new role's home directory. This directory must already exist. The system provides the \fB/etc/skel\fR directory that can be used for this purpose.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-K\fR \fIkey=value\fR\fR
.ad
.sp .6
.RS 4n
A \fIkey=value\fR pair to add to the role's attributes. Multiple \fB-K\fR options can be used to add multiple \fIkey=value\fR pairs. The generic \fB-K\fR option with the appropriate key can be used instead of the specific implied key options (\fB-A\fR and \fB-P\fR). See \fBuser_attr\fR(4) for a list of valid \fIkey=value\fR pairs. The "type" key is not a valid key for this option. Keys can not be repeated. 
.RE

.sp
.ne 2
.mk
.na
\fB\fB-m\fR\fR
.ad
.sp .6
.RS 4n
Create the new role's home directory if it does not already exist. If the directory already exists, it must have read, write, and execute permissions by \fIgroup\fR, where \fIgroup\fR is the role's primary group. If the server name specified to the \fB-d\fR option is a remote host then the system will not attempt to create the home directory.
.sp
If the directory does not already  exist and the parent directory is the mount point of a ZFS dataset, then a child of that dataset will be created and mounted at the specified location. The role is delegated permissions to create ZFS snapshots and promote them. The newly created dataset will inherit the encryption setting from its parent. If it is encrypted, the role is granted permission to change its wrapping key.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-o\fR\fR
.ad
.sp .6
.RS 4n
This option allows a \fBUID\fR to be duplicated (non-unique).
.RE

.sp
.ne 2
.mk
.na
\fB\fB-P\fR \fIprofile\fR\fR
.ad
.sp .6
.RS 4n
One or more comma-separated execution profiles defined in \fBprof_attr\fR(4).
.RE

.sp
.ne 2
.mk
.na
\fB\fB-s\fR \fIshell\fR\fR
.ad
.sp .6
.RS 4n
Full pathname of the program used as the user's shell on login. It defaults to an empty field causing the system to use \fB/bin/pfsh\fR as the default. The value of \fIshell\fR must be a valid executable file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-S\fR \fIrepository\fR\fR
.ad
.sp .6
.RS 4n
The valid repositories are \fBfiles\fR, \fBldap\fR. The repository specifies which name service will be updated. The default repository is \fBfiles\fR. When the repository is \fBfiles\fR, the authorizations, profiles, and roles can be present in other name service repositories and can be assigned to a user in the \fBfiles\fR repository. When the repository is \fBldap\fR, both the LDAP server and client must be configured with \fBEnableShadowUpdate=true\fR. Also, all the assignable attributes must be present in the \fBldap\fR repository.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-u\fR \fIuid\fR\fR
.ad
.sp .6
.RS 4n
The \fBUID\fR of the new role. This \fBUID\fR must be a non-negative decimal integer below \fBMAXUID\fR as defined in \fB<sys/param.h>\fR\&. The \fBUID\fR defaults to the next available (unique) number above the highest number currently assigned. For example, if \fBUID\fRs 100, 105, and 200 are assigned, the next default \fBUID\fR number is 201. (\fBUID\fRs from \fB0\fR-\fB99\fR are reserved for possible use in future applications.)
.RE

.SH EXIT STATUS
.sp
.LP
In case of an error, \fBroleadd\fR command prints an error message and exits with one of the following values. If the error occurred because LDAP is misconfigured, the following values are preceded by "LDAP configuration problem":
.sp
.ne 2
.mk
.na
\fB\fB1\fR\fR
.ad
.RS 6n
.rt  
No permission for attempted operation.
.RE

.sp
.ne 2
.mk
.na
\fB\fB2\fR\fR
.ad
.RS 6n
.rt  
The command syntax was invalid. A usage message for the \fBusermod\fR command is displayed.
.RE

.sp
.ne 2
.mk
.na
\fB\fB3\fR\fR
.ad
.RS 6n
.rt  
An invalid argument was provided to an option.
.RE

.sp
.ne 2
.mk
.na
\fB\fB4\fR\fR
.ad
.RS 6n
.rt  
The \fIgid\fR or \fIuid\fR given with the \fB-u\fR option is already in use.
.RE

.sp
.ne 2
.mk
.na
\fB\fB5\fR\fR
.ad
.RS 6n
.rt  
The \fBpassword\fR and \fBshadow\fR files are not consistent with each other. \fBpwconv\fR(1M) might be of use to correct possible errors. See \fBpasswd\fR(4) and \fBshadow\fR(4).
.RE

.sp
.ne 2
.mk
.na
\fB\fB6\fR\fR
.ad
.RS 6n
.rt  
The login to be modified does not exist, the \fIgid\fR or the \fIuid\fR does not exist.
.RE

.sp
.ne 2
.mk
.na
\fB\fB7\fR\fR
.ad
.RS 6n
.rt  
The \fBgroup\fR, \fBpasswd\fR, or \fBshadow\fR file is missing.
.RE

.sp
.ne 2
.mk
.na
\fB\fB9\fR\fR
.ad
.RS 6n
.rt  
A group or user name is already in use.
.RE

.sp
.ne 2
.mk
.na
\fB\fB10\fR\fR
.ad
.RS 6n
.rt  
Cannot update the \fBpasswd\fR, \fBshadow\fR, or \fBuser_attr\fR file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB11\fR\fR
.ad
.RS 6n
.rt  
Insufficient space to move the home directory (\fB-m\fR option).
.RE

.sp
.ne 2
.mk
.na
\fB\fB12\fR\fR
.ad
.RS 6n
.rt  
Unable to create, remove, or move the new home directory.
.RE

.sp
.ne 2
.mk
.na
\fB\fB13\fR\fR
.ad
.RS 6n
.rt  
Requested login is already in use.
.RE

.sp
.ne 2
.mk
.na
\fB\fB14\fR\fR
.ad
.RS 6n
.rt  
Unexpected failure.
.RE

.sp
.ne 2
.mk
.na
\fB\fB16\fR\fR
.ad
.RS 6n
.rt  
Unable to update the group database.
.RE

.sp
.ne 2
.mk
.na
\fB\fB17\fR\fR
.ad
.RS 6n
.rt  
Unable to update the project database.
.RE

.sp
.ne 2
.mk
.na
\fB\fB18\fR\fR
.ad
.RS 6n
.rt  
Insufficient authorization.
.RE

.sp
.ne 2
.mk
.na
\fB\fB19\fR\fR
.ad
.RS 6n
.rt  
Does not have role.
.RE

.sp
.ne 2
.mk
.na
\fB\fB20\fR\fR
.ad
.RS 6n
.rt  
Does not have profile.
.RE

.sp
.ne 2
.mk
.na
\fB\fB21\fR\fR
.ad
.RS 6n
.rt  
Does not have privilege.
.RE

.sp
.ne 2
.mk
.na
\fB\fB22\fR\fR
.ad
.RS 6n
.rt  
Does not have label.
.RE

.sp
.ne 2
.mk
.na
\fB\fB23\fR\fR
.ad
.RS 6n
.rt  
Does not have group.
.RE

.sp
.ne 2
.mk
.na
\fB\fB24\fR\fR
.ad
.RS 6n
.rt  
System not running Trusted Extensions.
.RE

.sp
.ne 2
.mk
.na
\fB\fB25\fR\fR
.ad
.RS 6n
.rt  
Does not have project.
.RE

.sp
.ne 2
.mk
.na
\fB\fB26\fR\fR
.ad
.RS 6n
.rt  
Unable to update \fBauto_home\fR.
.RE

.SH FILES
.sp
.LP
\fB/etc/datemsk\fR
.sp
.LP
\fB/etc/passwd\fR
.sp
.LP
\fB/etc/shadow\fR
.sp
.LP
\fB/etc/group\fR
.sp
.LP
\fB/etc/skel\fR
.sp
.LP
\fB/usr/include/limits.h\fR
.sp
.LP
\fB/etc/user_attr\fR
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Availabilitysystem/core-os
_
Interface StabilityCommitted
.TE

.SH SEE ALSO
.sp
.LP
\fBauths\fR(1), \fBpasswd\fR(1), \fBpfexec\fR(1), \fBprofiles\fR(1), \fBroles\fR(1), \fBusers\fR(1B), \fBgroupadd\fR(1M), \fBgroupdel\fR(1M), \fBgroupmod\fR(1M), \fBgrpck\fR(1M), \fBlogins\fR(1M), \fBpwck\fR(1M), \fBuserdel\fR(1M), \fBusermod\fR(1M), \fBgetdate\fR(3C), \fBauth_attr\fR(4), \fBgroup\fR(4), \fBpasswd\fR(4), \fBprof_attr\fR(4), \fBshadow\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5) 
.sp
.LP
\fIWorking With Oracle Solaris 11.3 Directory and         Naming Services: LDAP\fR
.SH DIAGNOSTICS
.sp
.LP
In case of an error, \fBroleadd\fR prints an error message and exits with a non-zero status.
.sp
.LP
The following indicates that \fBlogin\fR specified is already in use:
.sp
.in +2
.nf
UX: roleadd: ERROR: login is already in use. Choose another.
.fi
.in -2
.sp

.sp
.LP
The following indicates that the \fIuid\fR specified with the \fB-u\fR option is not unique:
.sp
.in +2
.nf
UX: roleadd: ERROR: uid \fIuid\fR is already in use. Choose another. 
.fi
.in -2
.sp

.sp
.LP
The following indicates that the \fIgroup\fR specified with the \fB-g\fR option is already in use:
.sp
.in +2
.nf
UX: roleadd: ERROR: group \fIgroup\fR does not exist. Choose another. 
.fi
.in -2
.sp

.sp
.LP
The following indicates that the \fIuid\fR specified with the \fB-u\fR option is in the range of reserved \fBUID\fRs (from \fB0\fR-\fB99\fR):
.sp
.in +2
.nf
UX: roleadd: WARNING: uid \fIuid\fR is reserved.
.fi
.in -2
.sp

.sp
.LP
The following indicates that the \fIuid\fR specified with the \fB-u\fR option exceeds \fBMAXUID\fR as defined in \fB<sys/param.h>\fR:
.sp
.in +2
.nf
UX: roleadd: ERROR: uid \fIuid\fR is too big. Choose another.
.fi
.in -2
.sp

.sp
.LP
The following indicates that the \fB/etc/passwd\fR or \fB/etc/shadow\fR files do not exist:
.sp
.in +2
.nf
UX: roleadd: ERROR: Cannot update system files - login cannot be created.
.fi
.in -2
.sp

.sp
.LP
The following indicates that the user executing the command does not have sufficient authorization to perform the operation:
.sp
.in +2
.nf
UX: roleadd: ERROR: Permission denied.
.fi
.in -2
.sp