roleadd(1M)             System Administration Commands             roleadd(1M)

NAME
       roleadd - administer a new role account on the system

SYNOPSIS
       roleadd [-c comment] [-d dir] [-e expire] [-f inactive]
            [-g group] [-G group [, group...]] [-m [-k skel_dir]]
            [-u uid [-o]] [-s shell]
            [-A authorization [,authorization...]] [-K key=value] role

       roleadd -D [-b base_dir] [-e expire] [-f inactive]
            [-g group] [-A authorization [,authorization...]]
            [-P profile [,profile...] [-K key=value]]

DESCRIPTION
       roleadd adds a role entry to the /etc/passwd, /etc/shadow, and
       /etc/user_attr files. The -A and -P options respectively assign
       authorizations and profiles to the role. Roles cannot be assigned to
       other roles. The -K option adds a key=value pair to /etc/user_attr
       for a role. Multiple key=value pairs can be added with multiple -K
       options.

       roleadd also creates supplementary group memberships for the role (-G
       option) and creates the home directory (-m option) for the role if
       requested. The new role account remains locked until the passwd(1)
       command is executed.

       Specifying roleadd -D with the -g, -b, -f, -e, or -K option (or any
       combination of these options) sets the default values for the
       respective fields. See the -D option. Subsequent roleadd commands
       without the -D option use these defaults.

       The system file entries created with this command have a limit of 512
       characters per line. Specifying long arguments to several options can
       exceed this limit.

       The role (role) field accepts a string of no more than eight bytes
       consisting of alphabetic characters, numeric characters, period (.),
       underscore (_), and hyphen (-). The first character should be
       alphabetic and the field should contain at least one lower-case
       alphabetic character. A warning message is written if these
       restrictions are not met. A future Solaris release might refuse to
       accept role fields that do not meet these requirements.

       The role field must contain at least one character and must not
       contain a colon (:) or a newline (\n).

OPTIONS
       The following options are supported:

       -A authorization
                     One or more comma-separated authorizations defined in
                     auth_attr(4). Only a user or role who has grant rights
                     to the authorization can assign it to an account.

       -b base_dir   The default base directory for the system if -d dir is
                     not specified. base_dir is concatenated with the
                     account name to define the home directory. If the -m
                     option is not used, base_dir must exist.

       -c comment    Any text string. It is generally a short description of
                     the role. This information is stored in the role's
                     /etc/passwd entry.

       -d dir        The home directory of the new role. It defaults to
                     base_dir/account_name, where base_dir is the base
                     directory for new login home directories and
                     account_name is the new role name.

       -D            Display the default values for group, base_dir,
                     skel_dir, shell, inactive, expire and key=value pairs.
                     When used with the -g, -b, -f, or -K options, the -D
                     option sets the default values for the specified
                     fields. The default values are:

                     group       other (GID of 1)
                     base_dir    /home
                     skel_dir    /etc/skel
                     shell       /bin/pfsh
                     inactive    0
                     expire      Null
                     auths       Null
                     profiles    Null
                     key=value   not present (pairs defined in user_attr(4))

       -e expire     Specify the expiration date for a role. After this
                     date, no user is able to access this role. The expire
                     option argument is a date entered using one of the date
                     formats included in the template file /etc/datemsk. See
                     getdate(3C).

                     If the date format that you choose includes spaces, it
                     must be quoted. For example, you can enter 10/6/90 or
                     "October 6, 1990". A null value (" ") turns the
                     expiration date off. This option is useful for creating
                     temporary roles.

       -f inactive   The maximum number of days allowed between uses of a
                     role ID before that ID is declared invalid. Normal
                     values are positive integers. A value of 0 turns the
                     check off.

       -g group      An existing group's integer ID or character-string
                     name. Without the -D option, it defines the new role's
                     primary group membership and defaults to the default
                     group. You can reset this default value by invoking
                     roleadd -D -g group.

       -G group      An existing group's integer ID or character-string
                     name. It defines the new role's supplementary group
                     membership. Duplicates between the groups given with
                     the -g and -G options are ignored. No more than
                     NGROUPS_MAX groups can be specified.

       -k skel_dir   A directory that contains skeleton information (such as
                     .profile) that can be copied into a new role's home
                     directory. This directory must already exist. The
                     system provides the /etc/skel directory that can be
                     used for this purpose.

       -K key=value  A key=value pair to add to the role's attributes.
                     Multiple -K options can be used to add multiple
                     key=value pairs. The generic -K option with the
                     appropriate key can be used instead of the specific
                     implied key options (-A and -P). See user_attr(4) for a
                     list of valid key=value pairs. The "type" key is not a
                     valid key for this option. Keys cannot be repeated.

       -m            Create the new role's home directory if it does not
                     already exist. If the directory already exists, it must
                     have read, write, and execute permissions for group,
                     where group is the role's primary group.

       -o            This option allows a UID to be duplicated (non-unique).

       -P profile    One or more comma-separated execution profiles defined
                     in prof_attr(4).

       -s shell      Full pathname of the program used as the user's shell
                     on login. It defaults to an empty field, causing the
                     system to use /bin/pfsh as the default. The value of
                     shell must be a valid executable file.

       -u uid        The UID of the new role. This UID must be a
                     non-negative decimal integer below MAXUID as defined in
                     <sys/param.h>. The UID defaults to the next available
                     (unique) number above the highest number currently
                     assigned. For example, if UIDs 100, 105, and 200 are
                     assigned, the next default UID number is 201. (UIDs
                     from 0-99 are reserved for possible use in future
                     applications.)

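       The -u rules above (next free UID above the highest one in use, the
       reserved 0-99 range, the MAXUID ceiling, and -o for a deliberately
       duplicated UID) worked through against a constructed passwd file, as an
       added example that is not part of this man page or of Solaris. It never
       reads the live /etc/passwd, and the MAXUID value of 2147483647 is an
       assumption; on a real system take it from <sys/param.h>. The messages it
       prints are the ones listed under DIAGNOSTICS.

```shell
#!/bin/sh
# Added example: the roleadd -u checks applied to a constructed passwd file.
# MAXUID is assumed (Solaris defines it in <sys/param.h>); override it in the
# environment if needed.
LC_ALL=C; export LC_ALL
MAXUID=${MAXUID:-2147483647}

# write_sample_passwd FILE
# Writes a constructed passwd file whose assigned UIDs are the ones in the
# man page's -u example (100, 105 and 200) plus root.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
alice:x:100:1:Alice (constructed):/home/alice:/bin/sh
bob:x:105:1:Bob (constructed):/home/bob:/bin/sh
secadmin:x:200:1:Security Admin role (constructed):/home/secadmin:/bin/pfsh
EOF
}

# next_default_uid FILE
# Prints the UID roleadd picks when -u is omitted: one above the highest UID
# currently assigned in FILE.
next_default_uid() {
    awk -F: '$3 + 0 > max { max = $3 + 0 } END { print max + 1 }' "$1"
}

# check_uid UID FILE [allow_dup]
# Mirrors the -u checks: exit status 1 for a UID roleadd refuses (not a
# non-negative decimal integer, not below MAXUID, or already in use unless
# allow_dup is non-empty, as with -o), 2 for a reserved UID in 0-99 that is
# accepted with a warning, 0 otherwise.
check_uid() {
    uid=$1; file=$2; allow_dup=${3:-}
    case "$uid" in
        ''|*[!0-9]*) echo "ERROR: uid '$uid' is not a non-negative decimal integer." >&2; return 1 ;;
    esac
    if [ "$uid" -ge "$MAXUID" ]; then
        echo "ERROR: uid $uid is too big. Choose another." >&2; return 1
    fi
    if [ -z "$allow_dup" ] &&
       awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$file"; then
        echo "ERROR: uid $uid is already in use. Choose another." >&2; return 1
    fi
    if [ "$uid" -le 99 ]; then
        echo "WARNING: uid $uid is reserved." >&2; return 2
    fi
    return 0
}

# Usage against the constructed file: the default choice (201, as in the man
# page's example) and an explicit -u value that passes every check.
f=${TMPDIR:-/tmp}/roleadd-example-passwd.$$
write_sample_passwd "$f"
next_default_uid "$f"
check_uid 201 "$f"
rm -f "$f"
```

       The same functions can be pointed at a copy of a real passwd file to
       preview what roleadd will do before an account is created; -o is the
       only way past the "already in use" check, and even then the 0-99 and
       MAXUID checks still apply.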
FILES
       /etc/datemsk
       /etc/passwd
       /etc/shadow
       /etc/group
       /etc/skel
       /usr/include/limits.h
       /etc/user_attr

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       passwd(1), pfsh(1), profiles(1), roles(1), users(1B), groupadd(1M),
       groupdel(1M), groupmod(1M), grpck(1M), logins(1M), pwck(1M),
       userdel(1M), usermod(1M), getdate(3C), auth_attr(4), passwd(4),
       prof_attr(4), user_attr(4), attributes(5)

DIAGNOSTICS
       In case of an error, roleadd prints an error message and exits with a
       non-zero status.

       The following indicates that the login specified is already in use:

         UX: roleadd: ERROR: login is already in use. Choose another.

       The following indicates that the uid specified with the -u option is
       not unique:

         UX: roleadd: ERROR: uid uid is already in use. Choose another.

       The following indicates that the group specified with the -g option
       does not exist:

         UX: roleadd: ERROR: group group does not exist. Choose another.

       The following indicates that the uid specified with the -u option is in
       the range of reserved UIDs (from 0-99):

         UX: roleadd: WARNING: uid uid is reserved.

       The following indicates that the uid specified with the -u option
       exceeds MAXUID as defined in <sys/param.h>:

         UX: roleadd: ERROR: uid uid is too big. Choose another.

       The following indicates that the /etc/passwd or /etc/shadow file does
       not exist:

         UX: roleadd: ERROR: Cannot update system files - login cannot be created.

NOTES
       If a network nameservice such as NIS or NIS+ is being used to
       supplement the local /etc/passwd file with additional entries, roleadd
       cannot change information supplied by the network nameservice.

SunOS 5.11                       21 Feb 2006                       roleadd(1M)