Let's say you have your in-house developed applications under SMF. Now you want to give some users (non-root) ability to restart those applications but only those applications. You do not want to give any other privileges. With SMF it's really easy. You can do it per application instance or for entire group, etc.
1. Add new authorization
# grep ^wp /etc/security/auth_attr wp.applications:::Manage WP applications::
2. Add new property to each SMF service you want to give access to restart/enable/disable
# svccfg -s wpfileback setprop general/action_authorization = astring: wp.applications
With only that property user won't be able to change service status permanently - he/she will be able to
restart or temporarily disable/enable given service (wpfileback in above example). If you want to give
ability to permanently change service status you also need to add:
# svccfg -s wpfileback setprop general/value_authorization = astring: wp.applications
3. Add new authorization to user
# usermod -A wp.applications operator
You can also manually add authorization by editing /etc/user_attr. After above command the fill is:
# grep operator /etc/user_attr operator::::type=normal;auths=wp.applications
Now if you login as user operator you will be able to disable/enable/restart application wpfileback.
Additionally it's useful to give for example developers not only ability to restart their application but also to use dtrace. In order to achieve it add two privileges to user.
# grep operator /etc/user_attr
Now user operator not only can restart/stop/start its application but also can use dtrace to find problems.
There're also many authorizations and profiles which come with Solaris by default. For example if you add for given user profile 'Service Operator' then you give ability to restart/enable/disable all SMF applications.
All of these possibilities without giving her/him root account.
For more information see smf_security(5) rbac(5) privileges(5)