I've just discovered a very cool and useful feature built into Solaris 11: Zone Delegation. Zone Delegation is the ability to configure your system so that specific global zone users can administer only specific non-global zones using Role Based Access Control (RBAC). This means you don't need to use an all-or-nothing approach like assigning users full system administration privileges or complete zone administration privileges.

The data for the zone delegation can be stored with the zone when you configure it using zonecfg(1M) - see the "admin" resource in the man page - or you can use RBAC profiles as you normally would and store these locally or on your name service of choice, for example NIS or LDAP.

For example, let's say we have zones named zoneA through zoneF and three admins: alice, bob and carl. We want to grant each of them a subset of the zone management rights.

We could do that either by adding the admin resource to the appropriate zones via zonecfg(1M) or we could do something like this with RBAC data directly:

# usermod -P +'Zone Management' -A +solaris.zone.manage/zoneA alice
# usermod -A +solaris.zone.login/zoneB alice

# usermod -P +'Zone Management' -A +solaris.zone.manage/zoneB bob
# usermod -A +solaris.zone.manage/zoneC bob

# usermod -P +'Zone Management' -A +solaris.zone.manage/zoneC carl
# usermod -A +solaris.zone.manage/zoneD carl
# usermod -A +solaris.zone.manage/zoneE carl
# usermod -A +solaris.zone.manage/zoneF carl

(The profile name contains a space, so it has to be quoted; the "+" prefix adds to the user's existing profile and authorisation lists rather than replacing them.)

In the above, alice can only manage zoneA, bob can manage zoneB and zoneC, and carl can manage zoneC through zoneF. The user alice can also log in to zoneB (the solaris.zone.login authorisation), but she can't perform the operations on it that require the solaris.zone.manage authorisation.

Or if you have a large number of zones and/or admins you could collect the authorisation lists into an RBAC profile and grant that to the admins eg:

# profiles -p 'Zone Group 1'
profiles:Zone Group 1> set desc="Zone Group 1"
profiles:Zone Group 1> add profile="Zone Management"
profiles:Zone Group 1> add auths=solaris.zone.manage/zoneA
profiles:Zone Group 1> add auths=solaris.zone.login/zoneB
profiles:Zone Group 1> commit
profiles:Zone Group 1> exit

# profiles -p 'Zone Group 3'
profiles:Zone Group 3> set desc="Zone Group 3"
profiles:Zone Group 3> add profile="Zone Management"
profiles:Zone Group 3> add auths=solaris.zone.manage/zoneD
profiles:Zone Group 3> add auths=solaris.zone.manage/zoneE
profiles:Zone Group 3> add auths=solaris.zone.manage/zoneF
profiles:Zone Group 3> commit
profiles:Zone Group 3> exit

Now, instead of granting carl the three authorisations directly, we can just grant him the 'Zone Group 3' profile:

# usermod -P +'Zone Group 3' carl

If we wanted to store the profile data and the profiles granted to the users in LDAP just add '-S ldap' to the profiles and usermod commands.
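As an added example (not code from this post or from Darren Moffat's mail), the POSIX shell script below turns a single delegation table into both forms described above: the per-user usermod(1M) commands, and a zonecfg(1M) command file per zone that uses the "admin" resource. The table, its format and the function names are my own; the admin resource's auths property takes the names login and manage, which correspond to the solaris.zone.login/<zone> and solaris.zone.manage/<zone> authorisations used in the usermod form. The script only prints what would be applied so it can be reviewed first; for a large fleet the profile grouping shown above is the tidier way to grant the same authorisation lists.

```shell
#!/bin/sh
# Added example, not from the post. Generates zone delegation commands
# from one table instead of typing usermod/zonecfg lines by hand.
#
# Constructed delegation table: "user zone level", level is manage or login.
# Users and zones are the ones the post uses.
DELEGATIONS='alice zoneA manage
alice zoneB login
bob zoneB manage
bob zoneC manage
carl zoneC manage
carl zoneD manage
carl zoneE manage
carl zoneF manage'

# usermod(1M) commands for one user. The profile name contains a space, so
# it is quoted; unquoted, the shell would pass "+Zone" and "Management" as
# two arguments. Each -A entry uses the solaris.zone.<level>/<zone> form.
rbac_commands_for() {
    printf "usermod -P +'Zone Management' %s\n" "$1"
    printf '%s\n' "$DELEGATIONS" |
        awk -v u="$1" '$1 == u { printf "usermod -A +solaris.zone.%s/%s %s\n", $3, $2, u }'
}

# zonecfg(1M) command file for one zone: one admin resource per delegated
# user. Apply with: zonecfg -z <zone> -f <file>
zonecfg_file_for() {
    printf '%s\n' "$DELEGATIONS" |
        awk -v z="$1" '
            $2 == z { printf "add admin\nset user=%s\nset auths=%s\nend\n", $1, $3 }
            END     { print "commit" }'
}

# What the table grants a user on a zone: prints manage, login or none.
# Useful as a quick review of the intended rights before applying them.
right_of() {
    r=$(printf '%s\n' "$DELEGATIONS" |
        awk -v u="$1" -v z="$2" '$1 == u && $2 == z { print $3 }')
    printf '%s\n' "${r:-none}"
}

# Print everything for review; nothing is executed against the system.
for user in alice bob carl; do
    rbac_commands_for "$user"
done
for zone in zoneA zoneB zoneC zoneD zoneE zoneF; do
    printf '# %s.cfg\n' "$zone"
    zonecfg_file_for "$zone"
done
```

Redirect each zone's output to a file and feed it to `zonecfg -z zone -f file` once reviewed; the usermod lines can be run as printed. Pick one of the two forms per zone rather than both, so there is a single place to look when auditing who may manage what.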

Credit goes to Darren Moffat for this great explanation (with a bit of modification by me for this post) sent on an internal email alias this morning.

Update: BLAST!!! Just as I go to update this post to link to Darren's blog, I discover Darren has posted his email into a blog post himself this morning - Delegation of Solaris Zone Administration. Hope you don't mind Darren. Just spreading the news.