The pam_apparmor PAM module allows applications to confine authenticated users into subprofiles based on group names, user names, or default profile. To accomplish this, pam_apparmor needs to be registered as a PAM session module.
Details about how to set up and configure pam_apparmor can be found in
/usr/share/doc/packages/pam_apparmor/README
. A HOWTO
on setting up role-based access control (RBAC) with pam_apparmor is
available at
http://developer.novell.com/wiki/index.php/Apparmor_RBAC_in_version_2.3.