roleadd(1M)             System Administration Commands             roleadd(1M)

NAME

       roleadd - administer a new role account on the system

SYNOPSIS

       roleadd [-c comment] [-d dir] [-e expire] [-f inactive]
            [-g group] [-G group [, group...]] [-m [-k skel_dir]]
            [-u uid [-o]] [-s shell]
            [-A authorization [,authorization...]] [-K key=value] role

       roleadd -D [-b base_dir] [-e expire] [-f inactive]
            [-g group] [-A authorization [,authorization...]]
            [-P profile [,profile...]] [-K key=value]

DESCRIPTION

       roleadd adds a role entry to the /etc/passwd, /etc/shadow, and
       /etc/user_attr files. The -A and -P options respectively assign
       authorizations and profiles to the role. Roles cannot be assigned to
       other roles. The -K option adds a key=value pair to /etc/user_attr for
       a role. Multiple key=value pairs can be added with multiple -K options.

       roleadd also creates supplementary group memberships for the role (-G
       option) and creates the home directory (-m option) for the role if
       requested. The new role account remains locked until the passwd(1)
       command is executed.

       Specifying roleadd -D with the -g, -b, -f, -e, or -K option (or any
       combination of these options) sets the default values for the
       respective fields. See the -D option. Subsequent roleadd commands
       without the -D option use these arguments.

       The system file entries created with this command have a limit of 512
       characters per line. Specifying long arguments to several options can
       exceed this limit.

       The role (role) field accepts a string of no more than eight bytes
       consisting of characters from the set of alphabetic characters, numeric
       characters, period (.), underscore (_), and hyphen (-). The first
       character should be alphabetic and the field should contain at least
       one lower case alphabetic character. A warning message is written if
       these restrictions are not met. A future Solaris release might refuse
       to accept role fields that do not meet these requirements.

       The role field must contain at least one character and must not contain
       a colon (:) or a newline (\n).
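       The role-name rules above can be checked before roleadd is run. The
       following is an added example, not part of the original page or of
       roleadd; check_role_name and its exit statuses are hypothetical, and
       the sample names are constructed.

```sh
#!/bin/sh
# Added example (not from the man page). check_role_name is a hypothetical
# helper; exit status 0 = acceptable, 1 = roleadd would warn, 2 = invalid.
check_role_name() (
    LC_ALL=C; export LC_ALL        # byte-wise ranges, whatever the caller's locale
    name=$1
    nl='
'
    # Hard rules: at least one character, no colon, no newline.
    [ -n "$name" ] || { echo "invalid: empty role name" >&2; exit 2; }
    case $name in
        *:*)     echo "invalid: contains a colon" >&2;   exit 2 ;;
        *"$nl"*) echo "invalid: contains a newline" >&2; exit 2 ;;
    esac
    rc=0
    # Soft rules: the page says a warning is written when these are not met.
    bytes=$(($(printf '%s' "$name" | wc -c)))
    if [ "$bytes" -gt 8 ]; then
        echo "warning: $bytes bytes, more than eight" >&2; rc=1
    fi
    case $name in *[!A-Za-z0-9._-]*)
        echo "warning: character outside letters, digits, '.', '_', '-'" >&2; rc=1 ;;
    esac
    case $name in [A-Za-z]*) ;; *)
        echo "warning: first character is not alphabetic" >&2; rc=1 ;;
    esac
    case $name in *[a-z]*) ;; *)
        echo "warning: no lower case alphabetic character" >&2; rc=1 ;;
    esac
    exit "$rc"
)

# Constructed sample names; prints "<name> -> <status>" for each.
for n in auditor sec.op-1 Operator9 9admin ADMIN 'web:adm'; do
    st=0; check_role_name "$n" 2>/dev/null || st=$?
    echo "$n -> $st"
done
```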

OPTIONS

       The following options are supported:

       -A authorization    One or more comma-separated authorizations defined
                           in auth_attr(4). Only a user or role who has grant
                           rights to the authorization can assign it to an
                           account.

       -b base_dir         The default base directory for the system if -d dir
                           is not specified. base_dir is concatenated with the
                           account name to define the home directory. If the
                           -m option is not used, base_dir must exist.

       -c comment          Any text string. It is generally a short
                           description of the role. This information is stored
                           in the role's /etc/passwd entry.

       -d dir              The home directory of the new role. It defaults to
                           base_dir/account_name, where base_dir is the base
                           directory for new login home directories and
                           account_name is the new role name.

       -D                  Display the default values for group, base_dir,
                           skel_dir, shell, inactive, expire and key=value
                           pairs. When used with the -g, -b, -f, or -K
                           options, the -D option sets the default values for
                           the specified fields. The default values are:

                           group
                               other (GID of 1)

                           base_dir
                               /home

                           skel_dir
                               /etc/skel

                           shell
                               /bin/pfsh

                           inactive
                               0

                           expire
                               Null

                           auths
                               Null

                           profiles
                               Null

                           key=value (pairs defined in user_attr(4))
                               not present

       -e expire           Specify the expiration date for a role. After this
                           date, no user is able to access this role. The
                           expire option argument is a date entered using one
                           of the date formats included in the template file
                           /etc/datemsk. See getdate(3C).

                           If the date format that you choose includes spaces,
                           it must be quoted. For example, you can enter
                           10/6/90 or October 6, 1990. A null value (" ")
                           defeats the status of the expired date. This option
                           is useful for creating temporary roles.

       -f inactive         The maximum number of days allowed between uses of
                           a role ID before that ID is declared invalid.
                           Normal values are positive integers. A value of 0
                           defeats the status.

       -g group            An existing group's integer ID or character-string
                           name. Without the -D option, it defines the new
                           role's primary group membership and defaults to the
                           default group. You can reset this default value by
                           invoking roleadd -D -g group.

       -G group            An existing group's integer ID or character-string
                           name. It defines the new role's supplementary group
                           membership. Duplicates between group with the -g
                           and -G options are ignored. No more than
                           NGROUPS_MAX groups can be specified.

       -k skel_dir         A directory that contains skeleton information
                           (such as .profile) that can be copied into a new
                           role's home directory. This directory must already
                           exist. The system provides the /etc/skel directory
                           that can be used for this purpose.

       -K key=value        A key=value pair to add to the role's attributes.
                           Multiple -K options can be used to add multiple
                           key=value pairs. The generic -K option with the
                           appropriate key can be used instead of the specific
                           implied key options (-A and -P). See user_attr(4)
                           for a list of valid key=value pairs. The "type" key
                           is not a valid key for this option. Keys cannot be
                           repeated.

       -m                  Create the new role's home directory if it does not
                           already exist. If the directory already exists, it
                           must have read, write, and execute permissions by
                           group, where group is the role's primary group.

       -o                  This option allows a UID to be duplicated
                           (non-unique).

       -P profile          One or more comma-separated execution profiles
                           defined in prof_attr(4).

       -s shell            Full pathname of the program used as the user's
                           shell on login. It defaults to an empty field,
                           causing the system to use /bin/pfsh as the default.
                           The value of shell must be a valid executable file.

       -u uid              The UID of the new role. This UID must be a
                           non-negative decimal integer below MAXUID as
                           defined in <sys/param.h>. The UID defaults to the
                           next available (unique) number above the highest
                           number currently assigned. For example, if UIDs
                           100, 105, and 200 are assigned, the next default
                           UID number is 201. (UIDs from 0-99 are reserved for
                           possible use in future applications.)
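       The -u default and the effect of -o can be examined on a
       passwd(4)-format file, since accounts that share a UID are a single
       identity for file ownership and permission checks. The following is an
       added example, not part of the original page or of roleadd; the
       function names are hypothetical, the sample entries are constructed,
       and the functions model only the rules stated for -u and -o above.

```sh
#!/bin/sh
# Added example (not from the man page); all function names are hypothetical.
# Each function takes the path of a passwd(4)-format file as $1.

# Constructed sample: the UIDs 100, 105 and 200 from the -u text, with 105
# shared by a second account as "-u 105 -o" would produce.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/root:/sbin/sh
auditor:x:100:1:Audit review role:/home/auditor:/bin/pfsh
oper:x:105:1:Operator role:/home/oper:/bin/pfsh
backup:x:105:1:Backup role:/home/backup:/bin/pfsh
netadm:x:200:1:Network role:/home/netadm:/bin/pfsh
EOF
}

# Default described for -u: one above the highest UID currently assigned.
next_default_uid() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 + 0 > max { max = $3 + 0 }
             END { print max + 1 }' "$1"
}

# UIDs held by more than one account, printed as "uid:name,name".
duplicate_uids() {
    awk -F: '$3 ~ /^[0-9]+$/ { n[$3]++; who[$3] = who[$3] sep[$3] $1; sep[$3] = "," }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1" | sort -n
}

# Pre-check a UID for -u ($2). Exit status: 0 = free, 1 = free but in the
# reserved 0-99 range (WARNING), 2 = already in use (ERROR unless -o is given),
# 3 = not a non-negative decimal integer. MAXUID is not checked here.
check_uid() {
    case $2 in ''|*[!0-9]*) return 3 ;; esac
    if cut -d: -f3 "$1" | grep -Fqx "$2"; then return 2; fi
    [ "$2" -ge 100 ] || return 1
    return 0
}

f=$(mktemp) && sample_passwd > "$f"
echo "next default UID: $(next_default_uid "$f")"
echo "shared UIDs:      $(duplicate_uids "$f")"
rm -f "$f"
```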

FILES

       /etc/datemsk

       /etc/passwd

       /etc/shadow

       /etc/group

       /etc/skel

       /usr/include/limits.h

       /etc/user_attr

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       passwd(1), pfsh(1), profiles(1), roles(1), users(1B), groupadd(1M),
       groupdel(1M), groupmod(1M), grpck(1M), logins(1M), pwck(1M),
       userdel(1M), usermod(1M), getdate(3C), auth_attr(4), passwd(4),
       prof_attr(4), user_attr(4), attributes(5)

DIAGNOSTICS

       In case of an error, roleadd prints an error message and exits with a
       non-zero status.

       The following indicates that the login specified is already in use:

         UX: roleadd: ERROR: login is already in use. Choose another.

       The following indicates that the uid specified with the -u option is
       not unique:

         UX: roleadd: ERROR: uid uid is already in use. Choose another.

       The following indicates that the group specified with the -g option
       does not exist:

         UX: roleadd: ERROR: group group does not exist. Choose another.

       The following indicates that the uid specified with the -u option is in
       the range of reserved UIDs (from 0-99):

         UX: roleadd: WARNING: uid uid is reserved.

       The following indicates that the uid specified with the -u option
       exceeds MAXUID as defined in <sys/param.h>:

         UX: roleadd: ERROR: uid uid is too big. Choose another.

       The following indicates that the /etc/passwd or /etc/shadow files do
       not exist:

         UX: roleadd: ERROR: Cannot update system files - login cannot be created.

NOTES

       If a network nameservice such as NIS or NIS+ is being used to
       supplement the local /etc/passwd file with additional entries, roleadd
       cannot change information supplied by the network nameservice.

SunOS 5.11                        21 Feb 2006                      roleadd(1M)