Defining role-based access rights

Role-based access rights are more flexible than UNIX group membership rights and easier to define than user specifications in a sudoers configuration file. Role-based access rights can be narrowly applied or broadly inherited across any number of computers. You can restrict when role-based rights can be used by defining roles that are available only on certain days of the week or only during specific hours of the day. You can also make role assignments temporary by setting a date and time for the assignment to start or expire. For example, you might give the user Jonah elevated privileges to run administrative commands in the Backup Operators role for a period of two weeks while the primary backup administrator is on vacation.
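The two time controls described above combine as a logical AND: the assignment must be inside its start and expiry window, and the role itself must be available at that day and hour. The following Python model is an added illustration, not the product's own code; the class names, the weekday 08:00 to 18:00 availability, and the dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

@dataclass(frozen=True)
class Role:  # hypothetical model of a time-restricted role
    name: str
    days: frozenset          # allowed weekdays, Monday=0 .. Sunday=6
    start: time              # daily window opens (inclusive)
    end: time                # daily window closes (exclusive)

    def available(self, now: datetime) -> bool:
        t = now.time()
        if self.start <= self.end:
            return now.weekday() in self.days and self.start <= t < self.end
        # Window wraps past midnight: the early-morning part belongs to
        # the previous day's window, so test that day's weekday.
        if t >= self.start:
            return now.weekday() in self.days
        return t < self.end and (now.weekday() - 1) % 7 in self.days

@dataclass(frozen=True)
class Assignment:  # hypothetical model of a temporary role assignment
    user: str
    role: Role
    starts: Optional[datetime] = None   # None = effective immediately
    expires: Optional[datetime] = None  # None = never expires

    def effective(self, now: datetime) -> bool:
        if self.starts is not None and now < self.starts:
            return False
        if self.expires is not None and now >= self.expires:
            return False
        return self.role.available(now)

# Constructed sample: weekday, 08:00-18:00 role, assigned for two weeks.
BACKUP_OPERATORS = Role("Backup Operators", frozenset(range(5)), time(8), time(18))
START = datetime(2024, 7, 1, 0, 0)  # a Monday (constructed date)
JONAH = Assignment("jonah", BACKUP_OPERATORS, START, START + timedelta(weeks=2))

def check(when: datetime) -> bool:
    """True if Jonah may use the role's rights at the given time."""
    return JONAH.effective(when)
```

Note that the expiry is treated as exclusive, so the rights end at the expiry instant itself, and a role whose hours wrap past midnight is matched against the weekday on which its window opened.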

Role-based access rights also prevent password sharing for privileged accounts, helping to ensure accountability. Users who need to run privileged commands can either temporarily elevate their privileges in an unrestricted login shell or be required to run the commands in a tightly controlled restricted shell without being prompted to provide the administrative password. All of their privileged or restricted shell activity can be traced to the account they used to log on.