About RBAC and using pfexec

Modified: 08 Sep 2022 04:28 UTC

In SmartOS, Role Based Access Control (RBAC) offers system administrators a wide degree of flexibility and power for managing user access rights. One of the keys to using RBAC is managing access through a Rights profile shell. A Rights profile is a collection of administrative capabilities that system administrators can assign to a role or to a user.

System administrators can define specific commands normally reserved for root access that normal users can run from a specific profile. This eliminates the hazard of distributing root access to normal users who only need to run specific commands that require root access.

Sudo vs. pfexec

One of the main problems with sudo is the lack of privilege awareness. This means for normal users, sudo is an "all or nothing" proposition in terms of granting users access to the entire system. Like sudo, running a pfexec command is done by simply prepending pfexec before the command. The command will execute as if the user has root privileges provided the command is available to the profile shell.

Other advantages/disadvantages of using pfexec vs. using sudo are below.

Advantages of using sudo

Advantages of using pfexec