Of course, the privilege to change other people's passwords can be encapsulated in a role, so you get an additional authentication step, the role password, before you obtain such powerful privileges.
root@solaris:/etc# roleadd -A solaris.passwd.nocheck,solaris.passwd.assign pwchanger
root@solaris:/etc# passwd pwchanger
New Password: n1mn1mn1m
Re-enter new Password: n1mn1mn1m
passwd: password successfully changed for pwchanger
root@solaris:~# mkdir /export/home/pwchanger
root@solaris:~# chown -R pwchanger /export/home/pwchanger
root@solaris:~# chmod -R 700 /export/home/pwchanger
Now we can assign this role to a user, for example to the user guru:
root@solaris:~# usermod -R pwchanger guru
Now let’s try to change the password of the user root. As you would expect, the user guru has an assigned role of pwchanger, as we just assigned it.
guru@solaris:~$ roles
pwchanger
guru@solaris:~$ passwd root
Permission denied
You have to change into the role first using the role password, which isn’t the user's password unless you configure it this way.
guru@solaris:~$ su - pwchanger
Password: n1mn1mn1m
-bash-5.0$ passwd root
New Password:
Re-enter new Password:
passwd: password successfully changed for root
-bash-5.0$ exit
When you leave the role, you lose the privileges of the role, in this case the privilege to change passwords.
guru@solaris:~$ passwd root
Permission denied
guru@solaris:~$
The whole process is put into the audit log:
header,97,2,role login,,solaris,2021-04-10 16:03:34.065+00:00,subject,guru,pwchanger,staff,pwchanger,staff,5996,1615101428,151 3 10.0.2.2,return,success,0
header,134,2,passwd,,solaris,2021-04-10 16:03:47.935+00:00,subject,guru,root,sys,pwchanger,staff,6004,1615101428,151 3 10.0.2.2,user,0,root,use of authorization,solaris.passwd.assign,return,success,0
header,167,2,privileged execution,,solaris,2021-04-10 16:03:47.935+00:00,path,/usr/bin/passwd,path,/export/home/pwchanger,exec_args,2,passwd,root,use of privilege,successful use of priv,ALL,subject,guru,root,sys,pwchanger,staff,6004,1615101428,151 3 10.0.2.2,return,success,0
header,97,2,role logout,,solaris,2021-04-10 16:04:50.251+00:00,subject,guru,pwchanger,staff,pwchanger,staff,5996,1615101428,151 3 10.0.2.2,return,success,0
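
As an added example (not part of the original post), the following Python reads the four audit records above and reports who changed whose password: the first field of the subject token is the audit ID, which stays guru even after the switch into the role. The function names and the output dictionary layout are assumptions made for this illustration.

```python
# Added example, not from the original post: attribute password changes in
# the audit trail to the real user behind a role. Assumes one record per line
# and no commas inside token values, as in the four records above (SAMPLE).
SAMPLE = """\
header,97,2,role login,,solaris,2021-04-10 16:03:34.065+00:00,subject,guru,pwchanger,staff,pwchanger,staff,5996,1615101428,151 3 10.0.2.2,return,success,0
header,134,2,passwd,,solaris,2021-04-10 16:03:47.935+00:00,subject,guru,root,sys,pwchanger,staff,6004,1615101428,151 3 10.0.2.2,user,0,root,use of authorization,solaris.passwd.assign,return,success,0
header,167,2,privileged execution,,solaris,2021-04-10 16:03:47.935+00:00,path,/usr/bin/passwd,path,/export/home/pwchanger,exec_args,2,passwd,root,use of privilege,successful use of priv,ALL,subject,guru,root,sys,pwchanger,staff,6004,1615101428,151 3 10.0.2.2,return,success,0
header,97,2,role logout,,solaris,2021-04-10 16:04:50.251+00:00,subject,guru,pwchanger,staff,pwchanger,staff,5996,1615101428,151 3 10.0.2.2,return,success,0
"""

def after(fields, name, count):
    """Return the `count` values that follow token `name`, or None."""
    if name not in fields:
        return None
    i = fields.index(name)
    return fields[i + 1:i + 1 + count]

def password_changes(text):
    """Return one dict per 'passwd' record, attributed via the audit ID."""
    open_roles = set()          # (session id, role) pairs currently active
    changes = []
    for line in text.splitlines():
        f = line.strip().split(",")
        if len(f) < 7 or f[0] != "header":
            continue            # skip anything that is not a record
        event, when = f[3], f[6]
        subj = after(f, "subject", 8)
        if subj is None or len(subj) < 8:
            continue
        # subject token: audit ID, euid, egid, ruid, rgid, pid, session, terminal
        auid, ruid, sid = subj[0], subj[3], subj[6]
        if event == "role login":
            open_roles.add((sid, ruid))
        elif event == "role logout":
            open_roles.discard((sid, ruid))
        elif event == "passwd":
            target = after(f, "user", 2)            # uid, name
            auth = after(f, "use of authorization", 1)
            ret = after(f, "return", 2)             # status, value
            changes.append({
                "time": when,
                "actor": auid,                      # survives su into the role
                "role": ruid,
                "target": target[1] if target else None,
                "authorization": auth[0] if auth else None,
                "result": ret[0] if ret else None,
                "in_role_session": (sid, ruid) in open_roles,
            })
    return changes
```

A password change whose in_role_session value is False, or whose target is root, is the kind of record worth reviewing first.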