Controlling the shell environment for commands

You can define command rights to control who has permission to run specific commands in a zone. When you define individual command rights, you can also specify whether the commands can be executed in a non-restricted shell environment, a restricted shell environment, or both. After you define the command right, you can add it to an appropriate role definition. The role definition to which you add the command right then controls whether users can run the command in a standard, unrestricted shell environment or in a restricted shell environment.

If the role definition allows a non-restricted shell environment, as the UNIX Login role does, the command right provides functionality similar to the UNIX sudo command, except that it uses the role settings and the zone authorization store rather than a sudoers configuration file.

If the role definition does not allow access to a non-restricted shell environment, the command right can be used only in a restricted shell environment, and users assigned to the role can execute only the specific commands explicitly defined in the command right.