Define the right for switching to a service account

The steps for defining a right that switches to the service account user are similar to those for defining the rights of a root-equivalent user, but the definition is more restrictive: the right is usable only in a restricted shell, and only the commands explicitly granted by the role are available after the switch.

To define a right for switching to a service account:

  1. Open Access Manager.
  2. Expand Zones, then expand the parent and child zones as needed to select the zone in which you want to create the new command right.
  3. Expand Authorization > UNIX Right Definitions.
  4. Select Commands, right-click, then click New Command.
  5. On the General tab, type a name for this command right and, optionally, a description for this right, then define the right to switch to the service account. For example, if the service account is oracle:

    • Type su - oracle in the Command field.
    • Verify the Standard user path is selected.
  6. Click the Restricted Shell tab. Under Can be used in a restricted role, select Specific user or uid, then type root. Because su runs as root, the user is not prompted for the oracle password on a typical PAM configuration, so the role's command list is the only control on what the user can do after the switch.

  7. Click the Run As tab, deselect Can be used by dzdo.

    These settings specify that this right can be used only in a restricted shell environment, where users can run only the commands explicitly allowed by the restricted role they are assigned. If this is the only right defined for a role, the only command users assigned to the role can run is su - oracle, which by itself grants nothing useful. For a role definition with this right to be effective, add command rights for the specific database operations users should be allowed to perform after switching to the oracle service account. For example, if the oracle service account is used to run a backup-all-dbs script, add a right that allows execution of that script, and nothing broader such as an unrestricted shell. On a managed computer, dzinfo reports the roles and rights in effect for a user, which is a quick way to confirm that the assignment behaves as intended.

  8. Click OK to accept the default environment variable settings and command attributes.

    Alternatively, you can click the Environment and Attributes tabs if you want to view or set additional properties for this right definition.
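The effect of the rights described in step 7 is easier to see with a small model of the restricted role's allowlist. The following script is an added example written for this page; it is not Centrify code and does not reproduce the product's restricted shell (dzsh), which is the real enforcement point. It only models the rule that a command line must exactly match an explicitly granted right. The script path /usr/local/bin/backup-all-dbs and the two role definitions are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: minimal model of restricted-role command matching.
# Not Centrify/Delinea code; dzsh is the real enforcement point.
# Rights are stored one per line, exactly as typed in the Command field.

# Role containing only the su right (constructed for this example).
ROLE_SU_ONLY='su - oracle'

# Role containing the su right plus the backup script right.
# The script path is a hypothetical placeholder.
ROLE_ORACLE_BACKUP='su - oracle
/usr/local/bin/backup-all-dbs'

# role_allows RIGHTS CMDLINE
# Exit 0 if CMDLINE exactly equals one of the newline-separated RIGHTS, else 1.
role_allows() {
    rights=$1
    cmdline=$2
    old_ifs=$IFS
    IFS='
'                       # split RIGHTS on newlines only, so "su - oracle" stays whole
    set -f              # no pathname expansion while iterating over the rights
    for right in $rights; do
        if [ "$right" = "$cmdline" ]; then
            IFS=$old_ifs; set +f
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# count_allowed RIGHTS CMD...
# Prints how many of the given command lines the role permits.
count_allowed() {
    rights=$1
    shift
    n=0
    for c in "$@"; do
        if role_allows "$rights" "$c"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Demo when run directly: command lines a user might try (constructed test set).
for cmd in 'su - oracle' '/usr/local/bin/backup-all-dbs' \
           'su - oracle -c /bin/bash' 'su root' '/bin/sh'; do
    if role_allows "$ROLE_ORACLE_BACKUP" "$cmd"; then
        echo "allowed: $cmd"
    else
        echo "denied : $cmd"
    fi
done
```

Run as written, the script shows that the role with only the su right lets the user switch to oracle but run nothing afterwards, that adding the script right permits exactly that script, and that variants such as su - oracle -c /bin/bash or a bare shell are rejected by both roles because they do not match any defined right.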