OpenIndiana and illumos use an authorisation mechanism based on system roles: Role Based Access Control (RBAC). As a very short introduction, RBAC defines roles and profiles that have assigned privileges (authorisations) regarding the use of commands. Something like sudo, at first sight. Those roles and profiles can be assigned to concrete users. The first difference from sudo is simply cosmetic: instead of invoking 'sudo' in front of a privileged command, one invokes 'pfexec'. The second difference is a practical one: RBAC (pfexec) comes with a multitude of profiles and roles ready to be used.
The third difference lies in profiled shells, i.e. pfsh. If a user is assigned a profile and given a profiled shell, they will be able to invoke only commands which are assigned to said profile, but without using the pfexec keyword.
The fourth difference is roles. Roles are basically user accounts that cannot be logged into directly. One has to use the su command to log into a role. Also, a user can only log into a role which has been assigned to them.
The fifth difference is big. RBAC reaches deep into the structure of OpenIndiana, down to special kernel structures. This, along with the RBAC programming libraries, makes it possible to implement very fine-grained security in programs. So, a fragment of code can check whether the invoking user has, say, authorisation to write to log files, and then do some action.
Authorisations are defined in the system file /etc/security/auth_attr.
Users get profiles, roles and authorisations assigned in the file /etc/user_attr. While you can assign a role, profile or authorisation to a user by editing said file, you are encouraged to use the commands that are explained below.
The commands are guaranteed not to break the file. It is important to understand that a broken profile in /etc/user_attr may render a user unable to use any privileged commands, log in to the root account and so on.
Authorization definitions are written in a file /etc/security/prof_attr.
And the most important, I think - definitions of privileged operations assigned to profiles are written in a file /etc/security/exec_attr.
Commands assigned to a security profile are listed in /etc/security/exec_attr. The file /etc/security/auth_attr is the mechanism for implementing RBAC in applications. Code can check against any authorisation listed in the file and, if the user is assigned one, the application may take certain actions.
Managing RBAC is based on a few commands.
rolemod and usermod overwrite assigned privileges. If one wants to assign the profile Software Installation to a user that already has Primary Administrator, the usermod line looks like this:
pfexec usermod -P "Primary Administrator,Software Installation" username
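Because usermod -P replaces the whole profile list, it helps to read the user's current profiles first and build the merged argument from them. The script below is an added example, not part of the original page: it assumes the user_attr(4) layout user:qualifier:res1:res2:attr with semicolon-separated key=value pairs in attr, the function names are hypothetical, and the sample entries are constructed. It only prints the usermod line; it does not run it.

```shell
#!/bin/sh
# Added example: keep existing profiles when adding one with usermod -P.

# current_profiles FILE USER -> the user's profiles= value (empty if none).
# Assumes no ':' inside the attr field (true for the stock profile names).
current_profiles() {
    awk -F: -v user="$2" '
        /^#/ || NF < 5 { next }              # skip comments and short lines
        $1 == user {
            n = split($5, kv, ";")           # attr field: key=value;key=value
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^profiles=/) {
                    sub(/^profiles=/, "", kv[i]); print kv[i]; exit
                }
        }' "$1"
}

# merged_profiles FILE USER NEW -> existing profiles plus NEW, no duplicates.
merged_profiles() {
    cur=$(current_profiles "$1" "$2")
    case ",$cur," in
        *",$3,"*) printf '%s\n' "$cur" ;;      # already assigned: unchanged
        ",,")     printf '%s\n' "$3" ;;        # no profiles yet
        *)        printf '%s\n' "$cur,$3" ;;   # append to the existing list
    esac
}

# Constructed sample in user_attr format (not taken from a real system).
sample_user_attr() {
    cat <<'EOF'
# constructed sample
root::::auths=solaris.*;profiles=All
alice::::type=normal;profiles=Primary Administrator;roles=root
bob::::type=normal
EOF
}

tmp=$(mktemp)
sample_user_attr > "$tmp"
for u in alice bob; do
    new=$(merged_profiles "$tmp" "$u" "Software Installation")
    printf 'pfexec usermod -P "%s" %s\n' "$new" "$u"
done
rm -f "$tmp"
```

On a real system the first argument would be /etc/user_attr; review the printed line before running it.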
TBD: detailed explanation of the commands.