swrole Command

Purpose

Switches to a specified role session.

Syntax

swrole { ALL | Role [ ,Role ] ... } [ Argument … ]

Description

The swrole command creates a new role session with the roles that are specified by the Role parameter. The Role parameter must be composed of the names of roles in the roles attribute of the user. Before creating a new role session, the swrole command performs authentication according to the auth_mode attribute of the chrole command for the specified roles. If any of the specified roles requires authentication, the user must be successfully authenticated for the action to be performed. If none of the specified roles require authentication, no authentication is requested.

The swrole command creates a new role session with the specified roles added to the active role set of the session. The ALL keyword specifies that a role session is created with all the roles that are assigned to the user. Role sessions are limited to eight roles per session. If a user has more than eight roles, only the first eight roles are assigned to the role session when the ALL keyword is specified. Creation of a new role session preserves the user environment for the current session.

Any argument, such as a flag or a parameter, which is specified by the Argument parameter, must relate to the login shell that is defined for the user. The arguments are passed to the login shell that is created for the role session. For example, if the login shell for a user is /usr/bin/ksh, any of the flags that are allowed for the ksh command can be specified.

To restore the previous session, type exit or press Ctrl-D. This action ends the shell created by the swrole command and returns the user to the previous shell and environment.

Each time the swrole command is run, an entry is made in the /var/adm/rolelog file. The /var/adm/rolelog file records the following information: date, time, system name, login name and role name. The /var/adm/rolelog file also records whether or not the role initiation attempt is successful: a plus sign (+) indicates a successful role initiation, and a minus sign (-) indicates an unsuccessful role initiation.
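
The following is an added example, not part of the AIX documentation: it reviews rolelog records for repeated unsuccessful role initiations and for a success that directly follows a run of failures. The record layout (whitespace-separated fields in the order listed above, with the +/- marker last), the function names and the sample records are assumptions; compare against a real /var/adm/rolelog before relying on the field numbers.

```sh
#!/bin/sh
# Added example (not from the AIX documentation).
# ASSUMPTION: each rolelog record is one whitespace-separated line in the
# order the page lists the fields, with the +/- marker last:
#   date time system login role status
# Check a real /var/adm/rolelog and adjust the field numbers if it differs.

# Constructed sample records; host, logins and timestamps are made up.
sample_rolelog() {
    cat <<'EOF'
03/02/24 09:14:07 aixhost1 alice FSAdmin +
03/02/24 09:30:41 aixhost1 bob RoleAdmin -
03/02/24 09:30:55 aixhost1 bob RoleAdmin -
03/02/24 09:31:10 aixhost1 bob RoleAdmin -
03/02/24 09:31:32 aixhost1 bob RoleAdmin +
03/02/24 10:02:18 aixhost1 carol FSAdmin -
EOF
}

# rolelog_failures [MIN] < log
# Prints "login role count" for every login/role pair with at least MIN
# unsuccessful (-) role initiations.
rolelog_failures() {
    awk -v min="${1:-3}" '
        NF < 6 { next }                     # ignore blank or short lines
        $NF == "-" { fail[$4 " " $5]++ }
        END { for (k in fail) if (fail[k] >= min + 0) print k, fail[k] }
    ' | sort
}

# rolelog_fail_then_success [MIN] < log
# Prints "date time login role streak" when a successful (+) initiation
# directly follows MIN or more consecutive failures for the same pair.
rolelog_fail_then_success() {
    awk -v min="${1:-3}" '
        NF < 6 { next }
        { key = $4 " " $5 }
        $NF == "-" { streak[key]++; next }
        $NF == "+" {
            if (streak[key] + 0 >= min + 0) print $1, $2, key, streak[key]
            streak[key] = 0
        }
    '
}

# Demo on the constructed sample.
sample_rolelog | rolelog_failures 3
sample_rolelog | rolelog_fail_then_success 3
```

On a live system the functions read the log from standard input, for example rolelog_failures 3 < /var/adm/rolelog.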

The swrole command is functional only when the system is operating in enhanced Role Based Access Control (RBAC) mode. If the system is not in enhanced RBAC mode, the command displays an error message and returns failure.

Examples

  1. To assume the RoleAdmin and FSAdmin roles as a user who has been assigned the roles, enter the following command:
    swrole RoleAdmin,FSAdmin
  2. To run the backup command as a role that has the appropriate authorization, enter the following command:
    swrole FSAdmin "-c /usr/sbin/backup -9 -u"