Starting with Solaris 8, the RBAC facility allows for users which cannot log in but which can be su'ed to. These user accounts are known as "roles". See user_attr(4) and rbac(5)