Question:
How can an Active Directory account be configured such that the account does not have login rights to a target machine, but other accounts are allowed to "su" to this account?
Answer:
In this example, the su-only account is a service account named cfy-srv-account.
1) In Access Manager, create the user profile for cfy-srv-account in the desired zone.
2) Create the PAM Access Right. In this example, the right is named "su-only" and is scoped to the su PAM application.
   Access Manager -> <Go to the Zone> -> Authorization -> Unix Right Definitions -> PAM Access -> Add PAM Access Right
3) Create a Role Definition that holds this right. The role must also have a login system right and the "user is visible" right. In this example, the role is named "su only".
   Access Manager -> <Go to the Zone> -> Authorization -> Role Definitions -> Add Role
4) Add the "su-only" right created in Step 2 to the "su only" role.
5) Assign the role to the target service user, cfy-srv-account.
6) Flush the agent cache on the target machine (for example with adflush) so the new role assignment takes effect.
Before the role assignment, root cannot su to user "cfy-srv-account".
After the role assignment, root CAN su to cfy-srv-account.
User cfy-srv-account still cannot log in over ssh, because the role grants PAM access only for su.