Both of these applications are unprivileged rad(8) clients. They provide remote administration by connecting to local or remote RAD servers. Two RAD modules, usermgr(3rad)and labelmgr(3rad), provides the underlying functionality. The man pages for these RAD modules are included in the webui-usermgr package. The security policies for account management are enforced in these RAD modules, not in the clients. Although the initial user account that is created during installation has the System Administrator rights profile, only a a subset of rights can be delegated to other accounts. These RAD clients only show the attributes that are may be delegated by the current user. Since useradm is started from the command line, it can be invoked after assuming the root role. But the Solaris Dashboard does not currently provide an interface for role assumption. So if you want to be able to assign arbitrary attributes to users and roles, you will need to login with a user account that has been assigned the authorization solaris.*.
The User Account Manager that is available with the beta release of Oracle Solaris 11.4 has a couple of bugs. The most serious bug needs to be addressed before using the application using the following workaround:
- After installing the webui-usermgr package, assume the root role
- cd /usr/lib/webui/htdocs/solaris/apps/usermgr/viewmodel
- Edit the file u_vm_addRemoveItems.js
- In line 265, change the pair of single quotes to a pair of square brackets. That is, change: ''); to );
This fix is necessary for checkboxes to be cleared when items are added to the account.
There is another bug with an easy workaround. When exiting the User Account Manager, you need to click the selection twice, since the first one isn't handled properly.
Another small bug may be visible the first time one of the label selection dialogs (Minimum Label or Clearance) is selected. If the radio buttons are not aligned properly, simply refresh the dialog by switching momentarily to the other label selection dialog, and then switching back. The following image shows how to assign the clearance to a user using the labels that I described in Protecting Sensitive Data in Oracle Solaris 11.4.
Here's the equivalent interface using useradm:
As the developer of these applications, I'd be interested in your feedback. But as I am now retired, Oracle support is now the responsible party.