After you define the role for the service account, you can create a UNIX profile for the service account. In most cases, you should define the UNIX profile for service accounts using machine-level overrides, rather than defining them for zones. Defining profiles for service accounts using machine-level overrides has the following advantages:
- Profile attributes are not affected by the Zone Provisioning Agent. Most service accounts require specific UID and GID values. By specifying these values using a machine-level override, you don’t have to worry about them changing when the Zone Provisioning Agent runs.
- You can explicitly identify which computers the service account can run on. If you define the UNIX profile for a service account in a zone, all of the computers in the zone are available to the same service account. If you define the UNIX profile using machine-level overrides, the service account only runs on computers where it has a profile, and the profile attributes for the service account can be different on different computers in the same zone.
- You can restrict the scope of the role assignments on a computer-by-computer basis. By defining the UNIX profile using machine-level overrides, you can configure different service account owners for development, testing, and production computers in the same zone.
If the profile attributes are consistent across most of the computers in a zone and the service account should be able to run on all of those computers, you can define all or part of the UNIX profile for the parent or child zone to reduce the management of profile attributes on individual computers. However, if the legacy accounts had different attributes on different computers, it is typically best to use machine-level overrides.
- Start Access Manager.
- In the console tree, expand Zones and the top-level parent zone.
- Expand the Child Zones node, select a specific child zone and expand it to display the Computers node.
- Select the computer for which you want to define machine-level overrides, right-click, then click Add User.
- Click Browse to search for and select the Active Directory user account for the service, then click Next.
- Select Define user UNIX profile and Assign roles, then click Next.
- Select and define the attributes in the UNIX profile for the service account, then click Next.
You can use inherited default values for any of the attributes from the default values specified for the zone, or selectively override the default values for any of the attributes. For example, if you define user defaults using runtime variables in the zone, you can use the inherited values for the Login name, GECOS field, Home directory, and Shell, and explicitly define the UID and primary GID for the service account profile.
- Select the default UNIX Login role, click Remove, then click Add.
- Click Browse, select the role you created for the service account, then click OK.
- Click OK to accept the default start and end times for the role assignment, then click Next.
- Review your selections, click Next, then click Finish.
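Once the override is in place, the value of pinning the UID and GID per machine is only realized if the host actually resolves the account with those numbers. The following POSIX shell function is an added check, not part of the original documentation: it compares the passwd entry a managed host returns for the service account against the expected UID and GID. It assumes the host resolves Active Directory users through getent; the account name and values are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a service account resolves on this host with the
# UID/GID pinned by its machine-level override. Assumes Active Directory users are
# exposed through the NSS passwd database (getent). Account names are constructed.

# check_profile NAME EXPECTED_UID EXPECTED_GID [PASSWD_LINE]
# PASSWD_LINE is optional and only used to supply a captured entry for offline
# verification; when omitted the entry is looked up with getent on this host.
# Returns 0 on match, 1 on UID/GID mismatch, 2 when no profile resolves.
check_profile() {
    name=$1; want_uid=$2; want_gid=$3
    entry=${4:-$(getent passwd "$name" 2>/dev/null)}
    if [ -z "$entry" ]; then
        echo "$name: no UNIX profile resolves on $(uname -n)"
        return 2
    fi
    # Fields of a passwd entry: name:passwd:uid:gid:gecos:home:shell
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ "$uid" = "$want_uid" ] && [ "$gid" = "$want_gid" ]; then
        echo "$name: uid=$uid gid=$gid shell=$shell OK"
        return 0
    fi
    echo "$name: uid=$uid gid=$gid MISMATCH (expected $want_uid:$want_gid)"
    return 1
}

# Example run against a constructed entry for a hypothetical account svc_app.
check_profile svc_app 10001 10001 \
    'svc_app:x:10001:10001:App service:/var/lib/svc_app:/sbin/nologin'
```

Run the function without the fourth argument on each computer where the override was defined; a non-zero return on any host flags an override that was not applied or whose attributes drifted.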