Guest20: Hey! I'm trying to create RBAC for a role to use `vmadm`. For safety, I've created a wrapper script and a profile for this script with euid and egid set to 0, which is added to a new role with just this profile. Whenever I try to pfexec the wrapper with this role I get the error that the user is not root. Am I doing this profile wrong, or how

Guest20: can I run a vmadm command without using root?

Guest20: Using ppriv -eD I get the following output:

Guest20:
```
vmadm[27366]: missing privilege "file_dac_search" (euid = 24334, syscall = 215) needed at ufs_iaccess+0x9f
vmadm[27366]: missing privilege "file_dac_search" (euid = 24334, syscall = 215) needed at ufs_iaccess+0x9f
vmadm[27366]: missing privilege "file_dac_search" (euid = 24334, syscall = 215) needed at ufs_iaccess+0x9f
FATAL: cannot run because: you are not root.
```

neuroserve: Guest20, maybe you should give the user something like solaris.zone.manage

Guest20: The profile Zone Management?

bahamat: Guest20: In /etc/security/exec_attr, do something like `exec_attr:<Role Name>:solaris.cmd:::<path to command>: privs=file_dac_search`

Guest20: Already did the privs and I'm getting the same error weirdly (missing privilege)

bahamat: I believe you can make the command your wrapper, and vmadm will inherit the permission when executed from within the wrapper.

Guest20: Yes, I'm adding the wrapper as the command and using uid 0 and privs file_dac_search, but I'm getting the error either way. I've also added the profile Zone Management to the role just now and got the same error.

bahamat: Guest20: Show me the RBAC entries that you added for this and I'll figure out what's not working.

bahamat: You can /msg them to me.

bahamat: Also, I have an errand to run, so I'll be away for a few hours. But I can take a look at it when I get back.

bahamat: I've been meaning to write a proper RBAC guide for docs.smartos.org anyway.

Guest20: Will do, thank you