ROLEADD(1M)ROLEADD(1M)NAME
roleadd - administer a new role account on the system
SYNOPSIS
roleadd [-c comment] [-d dir] [-e expire] [-f inactive]
[-g group] [-G group [, group...]] [-m [-k skel_dir]]
[-u uid [-o]] [-s shell]
[-A authorization [,authorization...]] [-K key=value] role
roleadd -D [-b base_dir] [-e expire] [-f inactive]
[-g group] [-A authorization [,authorization...]]
[-P profile [,profile...] [-K key=value]]
DESCRIPTION
roleadd adds a role entry to the /etc/passwd and /etc/shadow and
/etc/user_attr files. The -A and -P options respectively assign autho‐
rizations and profiles to the role. Roles cannot be assigned to other
roles. The -K option adds a key=value pair to /etc/user_attr for a
role. Multiple key=value pairs can be added with multiple -K options.
roleadd also creates supplementary group memberships for the role (-G
option) and creates the home directory (-m option) for the role if
requested. The new role account remains locked until the passwd(1) com‐
mand is executed.
Specifying roleadd -D with the -g, -b, -f, -e, or -K option (or any
combination of these option) sets the default values for the respective
fields. See the -D option. Subsequent roleadd commands without the -D
option use these arguments.
The system file entries created with this command have a limit of 512
characters per line. Specifying long arguments to several options can
exceed this limit.
The role (role) field accepts a string of no more than eight bytes con‐
sisting of characters from the set of alphabetic characters, numeric
characters, period (.), underscore (_), and hyphen (-). The first char‐
acter should be alphabetic and the field should contain at least one
lower case alphabetic character. A warning message is written if these
restrictions are not met. A future Solaris release might refuse to
accept role fields that do not meet these requirements.
The role field must contain at least one character and must not contain
a colon (:) or a newline (\n).
OPTIONS
The following options are supported:
-A authorization
One or more comma separated authorizations defined
in auth_attr(4). Only a user or role who has grant
rights to the authorization can assign it to an
account
-b base_dir
The default base directory for the system if -d dir
is not specified. base_dir is concatenated with the
account name to define the home directory. If the
-m option is not used, base_dir must exist.
-c comment
Any text string. It is generally a short descrip‐
tion of the role. This information is stored in the
role's /etc/passwd entry.
-d dir
The home directory of the new role. It defaults to
base_dir/account_name, where base_dir is the base
directory for new login home directories and
account_name is the new role name.
-D
Display the default values for group, base_dir,
skel_dir, shell, inactive, expire and key=value
pairs. When used with the -g, -b, -f, or -K,
options, the -D option sets the default values for
the specified fields. The default values are:
group
other (GID of 1)
base_dir
/home
skel_dir
/etc/skel
shell
/bin/pfsh
inactive
0
expire
Null
auths
Null
profiles
Null
key=value (pairs defined in user_attr(4)
not present
-e expire
Specify the expiration date for a role. After this
date, no user is able to access this role. The
expire option argument is a date entered using one
of the date formats included in the template file
/etc/datemsk. See getdate(3C).
If the date format that you choose includes spaces,
it must be quoted. For example, you can enter
10/6/90 or October 6, 1990. A null value (" ")
defeats the status of the expired date. This option
is useful for creating temporary roles.
-f inactive
The maximum number of days allowed between uses of
a role ID before that ID is declared invalid. Nor‐
mal values are positive integers. A value of 0
defeats the status.
-g group
An existing group's integer ID or character-string
name. Without the -D option, it defines the new
role's primary group membership and defaults to the
default group. You can reset this default value by
invoking roleadd -D -g group.
-G group
An existing group's integer ID or character-string
name. It defines the new role's supplementary group
membership. Duplicates between group with the -g
and -G options are ignored. No more than
NGROUPS_MAX groups can be specified.
-k skel_dir
A directory that contains skeleton information
(such as .profile) that can be copied into a new
role's home directory. This directory must already
exist. The system provides the /etc/skel directory
that can be used for this purpose.
-K key=value
A key=value pair to add to the role's attributes.
Multiple -K options can be used to add multiple
key=value pairs. The generic -K option with the
appropriate key can be used instead of the specific
implied key options (-A and -P). See user_attr(4)
for a list of valid key=value pairs. The "type" key
is not a valid key for this option. Keys can not be
repeated.
-m
Create the new role's home directory if it does not
already exist. If the directory already exists, it
must have read, write, and execute permissions by
group, where group is the role's primary group.
-o
This option allows a UID to be duplicated (non-
unique).
-P profile
One or more comma-separated execution profiles
defined in prof_attr(4).
-s shell
Full pathname of the program used as the user's
shell on login. It defaults to an empty field caus‐
ing the system to use /bin/pfsh as the default. The
value of shell must be a valid executable file.
-u uid
The UID of the new role. This UID must be a non-
negative decimal integer below MAXUID as defined in
<sys/param.h>. The UID defaults to the next avail‐
able (unique) number above the highest number cur‐
rently assigned. For example, if UIDs 100, 105, and
200 are assigned, the next default UID number is
201. (UIDs from 0-99 are reserved for possible use
in future applications.)
FILES
/etc/datemsk
/etc/passwd
/etc/shadow
/etc/group
/etc/skel
/usr/include/limits.h
/etc/user_attr
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌────────────────────┬─────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├────────────────────┼─────────────────┤
│Interface Stability │ Evolving │
└────────────────────┴─────────────────┘
SEE ALSOpasswd(1), pfsh(1), profiles(1), roles(1), users(1B), groupadd(1M),
groupdel(1M), groupmod(1M), grpck(1M), logins(1M), pwck(1M),
userdel(1M), usermod(1M), getdate(3C), auth_attr(4), passwd(4),
prof_attr(4), user_attr(4), attributes(5)DIAGNOSTICS
In case of an error, roleadd prints an error message and exits with a
non-zero status.
The following indicates that login specified is already in use:
UX: roleadd: ERROR: login is already in use. Choose another.
The following indicates that the uid specified with the -u option is
not unique:
UX: roleadd: ERROR: uid uid is already in use. Choose another.
The following indicates that the group specified with the -g option is
already in use:
UX: roleadd: ERROR: group group does not exist. Choose another.
The following indicates that the uid specified with the -u option is in
the range of reserved UIDs (from 0-99):
UX: roleadd: WARNING: uid uid is reserved.
The following indicates that the uid specified with the -u option
exceeds MAXUID as defined in <sys/param.h>:
UX: roleadd: ERROR: uid uid is too big. Choose another.
The following indicates that the /etc/passwd or /etc/shadow files do
not exist:
UX: roleadd: ERROR: Cannot update system files - login cannot be created.
NOTES
If a network nameservice such as NIS or NIS+ is being used to supple‐
ment the local /etc/passwd file with additional entries, roleadd cannot
change information supplied by the network nameservice.
Feb 21, 2006 ROLEADD(1M)