@makruger
Last active August 30, 2016 13:51

Snipped from openindiana-discuss IRC channel on August 30th, 2016

[12:34:58] <nikolam> pfexec uses RBAC (Role-based access control) with just enough rights given to the user to perform the exact task.
[12:35:34] <nikolam> That can be used to fine-grain user access, instead of sudo all or nothing
[12:35:53] <nikolam> RBAC roles are set in /etc/user_attr
[12:36:31] <dansimon> nikolam: Ah, thanks! I heard a talk from Ian Murdock speaking about this...
[12:37:24] <nikolam> Pay attention if the user has the "Primary Administrator" role and pfexec does NOT ask for a password; it is best to give that role, if needed, to a separate account from the one used for desktop access
[12:37:52] <nikolam> yes, also Linus asked for something like that :)
[12:38:39] <nikolam> alternatively, one can start setting up roles with 'sudo users-admin'
[12:39:30] <nikolam> If the right role is set for the admin user, then one gets asked for the role password when starting some tools, not the root password. :P
[12:40:06] <nikolam> by default the root password does not work, nor is it needed :P (S11 even disabled the root user)
[12:47:55] <nikolam> If one knows what he/she is doing, using a separate account for admin, then one saves oneself from re-entering the password, with pfexec :P

To give someone a role, you can do something like this:

usermod -P 'Primary Administrator' <username>
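
An audit check for the caveat raised in the log, as an added example that is not part of the original gist: it lists which entries in a user_attr-format file hold the 'Primary Administrator' profile and whether each is a normal login account or a role. The function names and the sample entries are constructed for illustration, and the script reads only the file it is given.

```shell
#!/bin/sh
# Added example (not from the gist): find holders of a rights profile in a
# user_attr-format file. Entry layout: user:qualifier:res1:res2:attr
# where attr is a ';'-separated list of key=value pairs.

list_profile_holders() {
    # $1 = path to a user_attr-format file, $2 = profile name to look for
    awk -F: -v want="$2" '
        /^[ \t]*#/ || NF < 5 { next }            # skip comments and short lines
        {
            attr = $5                            # re-join attr if it held ":"
            for (i = 6; i <= NF; i++) attr = attr ":" $i
            type = "normal"; hit = 0             # type defaults to normal
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^type=/) type = substr(kv[i], 6)
                if (kv[i] ~ /^profiles=/) {
                    m = split(substr(kv[i], 10), p, ",")
                    for (j = 1; j <= m; j++) if (p[j] == want) hit = 1
                }
            }
            if (hit) print $1 "\t" type          # account name, account type
        }' "$1"
}

sample_user_attr() {
    # Constructed sample entries, not taken from a real system.
    cat <<'EOF'
# constructed sample
root::::type=role;auths=solaris.*;profiles=All
alice::::profiles=Primary Administrator;roles=root
bob::::profiles=Basic Solaris User
admin::::type=role;profiles=Basic Solaris User,Primary Administrator
EOF
}

# Demo on the constructed sample; on a real host pass /etc/user_attr instead.
demo_file=$(mktemp)
sample_user_attr > "$demo_file"
list_profile_holders "$demo_file" "Primary Administrator"
rm -f "$demo_file"
```

Entries reported as `normal` are login accounts that hold the profile directly, which is the case the log says to keep off the desktop account.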
