By default:
Without privilege, a normal user cannot use the su command to become another user - unless that normal user has the password to the other account. If that is not true then something is seriously wrong with your security setup. With Solaris 10 & 11 RBAC it would, in theory, be possible to set up this scenario - but do not do that. On Solaris 11 you can create a root role, for example then give that role to everyone on the system. Bad idea.