Monday, October 28, 2013

pam_list

The pam_list PAM account management module for UNIX, as described in pam_list(5), is a modern, more manageable and more scalable version of the traditional way of restricting users' access to a system. In fact, it is superior to the traditional method of adding entries to /etc/passwd, because PAM centralizes all authentication and authorization operations of a standard system.

The recent Solaris release, at this time Solaris 11.1 SRU 12.5, even supports the newer and more manageable /etc/pam.d structure as an alternative to the traditional monolithic /etc/pam.conf.

My favorite use case is the following entries in /etc/pam.d/other:

    account requisite    pam_roles.so.1
    account required     pam_unix_account.so.1
    account required     pam_list.so.1 allow=/etc/users.allow


Where /etc/users.allow contains:

    root
    local_login
    remote_login
    @netgroup


The pam_list(5) man page describes more options, including the possibility of considering roles, which are ignored by default, in addition to logins. In particular, I see the possibility of referencing a netgroup as a very flexible and powerful feature.
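As an added example (not from the post, and not Solaris or pam_list code), here is a small POSIX sh dry-run checker that mirrors the decision the configuration above implies: a login is allowed if it appears in the allow file or belongs to a netgroup referenced with the @ prefix, and everything else is refused. The allow file content and the netgroup membership table are constructed for the example; on a real host the netgroup lookup would query the configured naming service instead of a fixed table, and the treatment of blank and # lines is an assumption of this checker, not documented pam_list behaviour.

```sh
#!/bin/sh
# Added example, not from the post or from Solaris: a dry-run checker that
# mirrors the allow-list decision the post's pam_list configuration implies
# (listed login or member of a referenced @netgroup => allow, else deny),
# so /etc/users.allow can be sanity-checked before the module enforces it.

# Constructed allow file, same layout as the post's /etc/users.allow.
ALLOW_FILE=$(mktemp)
cat > "$ALLOW_FILE" <<'EOF'
root
local_login
remote_login
@netgroup
EOF

# Constructed netgroup lookup standing in for the naming service: prints the
# user members of a netgroup, one per line. On a real host this would query
# the configured netgroup source instead of a fixed table.
netgroup_members() {
    case "$1" in
        netgroup) printf '%s\n' alice bob ;;
        *) ;;   # unknown netgroup: no members
    esac
}

# is_allowed USER FILE: exit 0 if USER matches a login entry in FILE or is a
# member of any @netgroup entry, exit 1 otherwise. Anything not listed is
# refused, which is the point of an allow list. Blank lines and lines
# starting with '#' are skipped here (an assumption of this checker).
is_allowed() {
    user=$1
    file=$2
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in
            ''|'#'*) continue ;;
            @*)
                # netgroup reference: compare against each resolved member
                for member in $(netgroup_members "${entry#@}"); do
                    if [ "$member" = "$user" ]; then return 0; fi
                done
                ;;
            *)
                # plain login entry: exact match only
                if [ "$entry" = "$user" ]; then return 0; fi
                ;;
        esac
    done < "$file"
    return 1
}

# decide USER FILE: print ALLOW or DENY for a quick report.
decide() {
    if is_allowed "$1" "$2"; then echo ALLOW; else echo DENY; fi
}

# Report a few constructed logins; "netgroup" shows that the @ prefix is
# not matched literally as a login name.
for u in root local_login alice netgroup mallory; do
    printf '%-12s %s\n' "$u" "$(decide "$u" "$ALLOW_FILE")"
done

# Guard against the classic lockout: root missing from the allow list.
if ! is_allowed root "$ALLOW_FILE"; then
    echo "WARNING: root is not in the allow list" >&2
fi
```

Run it as-is to see the report; to check a real file, point ALLOW_FILE at it and replace netgroup_members with a lookup against your naming service. The lockout check at the end is worth keeping in any such script, since an account stack with pam_list as required refuses every login the file does not cover.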
  
NOTE
After saving changes to /etc/users.allow it may take a little while for the module to reflect the changes; that is, the change is not immediate.