Roles and rights for migrated users

The admigrate utility adds the following role definitions for migrated users:

  • login_at_roles assigns the UNIX system rights Password login... and Non‑password login. It does not assign Login with non-Restricted Shell because the user may be assigned to a restricted shell.
  • login_all_apps assigns the login-all PAM right, which grants access to all PAM applications. It does not assign any UNIX system rights.

By default, all users are added to the login_all_apps role so that if they are granted login rights, they have access to all PAM applications, which is the default for users in classic zones. If PAM access rights are restricted by another role assignment, the restricted role assignment will override the rights granted by login_all_apps.

Access uses the following role-assignment rules when migrating roles and rights from a classic zone to a hierarchical zone:

Classic zone: User assigned to role
Enabled or disabled: Enabled
Role assignment in hierarchical child zone: Assign to the following roles:
  • login_at_roles, which grants Password login and Non‑password login UNIX system rights.
  • login_all_apps, which grants access to all PAM applications.
  • Corresponding user-created roles, which are migrated.

Classic zone: User assigned to role
Enabled or disabled: Disabled
Role assignment in hierarchical child zone: Assign to corresponding user-created roles, which are migrated. No login roles are assigned because the user is disabled in the classic zone.

Classic zone: User not assigned to role
Enabled or disabled: Enabled
Role assignment in hierarchical child zone: Assign to the default UNIX Login role, which grants all UNIX system login rights and access to all PAM applications.

Classic zone: User not assigned to role
Enabled or disabled: Disabled
Role assignment in hierarchical child zone: Assign to the default listed role, which makes the user visible in the zone but does not assign any UNIX system rights or PAM access rights.

In classic zones, users who are added to a zone are enabled for login access by default. As an administrator, you can leave a user profile defined in a zone but disable login access.

All the roles and rights you defined in the source zone, as well as any role assignments to user-created roles, are added, as-is, to the child zone each time you run admigrate. For example, if you defined a privileged mount command in 20 classic zones, admigrate will copy that mount command to 20 new hierarchical zones. Therefore, after migration you should analyze your role definitions and access right definitions to see if some of them can be moved up to the parent zone to take advantage of inheritance.
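The two checks a practitioner typically wants after a run are (a) that each migrated user ended up with the role set the table above predicts, and (b) which copied role definitions are identical in every child zone and so are candidates for moving up to the parent zone. The following Python is an added example written for this page; it is not part of admigrate or any Centrify tool. The role names login_at_roles, login_all_apps, UNIX Login and listed come from the text; the ClassicUser record, the function names and all sample zones and users are constructed for illustration, and the "actual assignments" input would in practice come from your own zone export.

```python
"""Audit helpers for admigrate results (added example, not Centrify code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Role names as they appear in the migration table (from the page).
LOGIN_AT_ROLES = "login_at_roles"   # Password login + Non-password login UNIX rights
LOGIN_ALL_APPS = "login_all_apps"   # login-all PAM right, no UNIX rights
UNIX_LOGIN = "UNIX Login"           # default role: all login rights + all PAM apps
LISTED = "listed"                   # default role: visible in zone, no rights


@dataclass
class ClassicUser:
    """Hypothetical record of a user as defined in a classic zone."""
    name: str
    enabled: bool                                   # login access enabled?
    roles: List[str] = field(default_factory=list)  # user-created roles assigned


def expected_roles(user: ClassicUser) -> Set[str]:
    """Apply the four-row migration table to one classic-zone user."""
    if user.roles:                       # "User assigned to role"
        roles = set(user.roles)          # user-created roles migrate as-is
        if user.enabled:                 # login roles only for enabled users
            roles |= {LOGIN_AT_ROLES, LOGIN_ALL_APPS}
        return roles
    # "User not assigned to role": one of the two default roles
    return {UNIX_LOGIN} if user.enabled else {LISTED}


def audit_assignments(users: List[ClassicUser],
                      actual: Dict[str, Set[str]]) -> List[Tuple[str, Set[str], Set[str]]]:
    """Return (user, missing, unexpected) for every user whose migrated
    role set differs from what the table predicts. Empty list == clean."""
    findings = []
    for u in users:
        want = expected_roles(u)
        have = actual.get(u.name, set())
        if want != have:
            findings.append((u.name, want - have, have - want))
    return findings


def parent_candidates(zone_roles: Dict[str, Dict[str, FrozenSet[str]]]) -> Dict[str, FrozenSet[str]]:
    """Role definitions (name -> set of rights) that are identical in every
    child zone. admigrate copies each classic-zone definition into its own
    child zone, so these are the ones that could live once in the parent."""
    if not zone_roles:
        return {}
    zones = list(zone_roles.values())
    common = set(zones[0])
    for z in zones[1:]:
        common &= set(z)                 # names present in every zone
    return {name: zones[0][name] for name in sorted(common)
            if all(z[name] == zones[0][name] for z in zones)}


if __name__ == "__main__":
    # Constructed sample: three classic zones each migrated to a child zone.
    sample_zones = {
        "zone1": {"mount_admin": frozenset({"mount"}), "dba": frozenset({"sqlplus"})},
        "zone2": {"mount_admin": frozenset({"mount"}), "dba": frozenset({"sqlplus"})},
        "zone3": {"mount_admin": frozenset({"mount"}), "dba": frozenset({"sqlplus", "rman"})},
    }
    print("move to parent:", parent_candidates(sample_zones))   # only mount_admin
    sample_users = [ClassicUser("alice", True, ["dba"]), ClassicUser("bob", False)]
    sample_actual = {"alice": {"dba", LOGIN_AT_ROLES}, "bob": {LISTED}}
    print("drift:", audit_assignments(sample_users, sample_actual))  # alice lacks login_all_apps
```

parent_candidates deliberately requires identical rights, not just identical names: a role copied into several zones with locally edited rights should stay where it is until you decide which variant the parent should carry.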

Assigning the audit level when migrating

In hierarchical zones, role definitions can be assigned an auditing level. This setting is not applicable in classic zones. During migration from classic zones to hierarchical zones, the default “Audit if possible” auditing level is assigned to all migrated role definitions. After you have migrated, you can change the auditing level in any role definition. For more information about changing the auditing level for a role definition, see Changing the audit level for role definitions.