Create a restricted role definition for the service account
After you have defined the rights that allow a user to log on using a PAM-enabled application and run the su - command for a service account, you can create a role definition for these rights. You must create a role definition somewhere in the zone hierarchy before you can assign users to the role.
To create a restricted role definition for switching to a shared service account:
- Open Access Manager.
- Expand Zones and the individual parent or child zones required to select the zone name where you want to create the new role definition.
- Expand Authorization.
- Select Role Definitions, right-click, then click Add Role.
- Type a name and description for the new role, then click OK.
  For example, type a name such as oracle_service and descriptive text such as Users with this role can start a secure shell session and switch to oracle.
  By default, this role is available at all times. You can click Available Times if you want to specify days of the week or select times of the day for making the role available.
- Click the System Rights tab and select at least one option that allows users assigned to this role definition to log on, then click OK.
  In this example, users open a secure shell to switch to the service account, so you might select Non-password (SSO) login is allowed.
  If a service account instead of a user account is used to log on, it might be mapped to a disabled Active Directory account. In this case, you might select the Account disabled in AD can be used by sudo, cron etc system right to ignore the disabled state and allow the service account to log on.
- Select the new role definition, right-click, then click Add Right.
- Select the rights you defined for running the switch user (su -) command and logging on with the PAM application ssh, then click OK.