The default UNIX Login role allows users to log on using a password or without a password in an unrestricted environment. If you are creating a role definition for a service account, you can use PAM access rights to control the specific PAM-enabled applications users can use to log on. To illustrate controlling how users log on, this example of a restricted role for the oracle service account only allows users to log on with ssh.
To define a PAM access right for a specific application:
- Open Access Manager.
- Expand Zones and the individual parent or child zones required to select the zone name where you want to create the new PAM right.
- Expand Authorization > UNIX Right Definitions.
- Select PAM Access, right-click, then click Add PAM Access Right.
Type a name and, optionally, a description of the PAM application for which you are adding an access right.
For the Application field, type the platform-specific name for the PAM application as defined in the PAM configuration file or PAM directory. For example, type ssh or sshd. You can also use wildcards in this field to perform pattern matching for the application name.
Click OK to save the access right for this PAM-enabled application.