Role Accounts
A role account is a user account shared with one or more users as members, such that all group members share the account equally via the use of sudo, typically for the unified use of a project. Role accounts must have a name that reflects their project association or function. All changes to a role account must be submitted via the helpdesk by sending email to rdhpcs.aim.help@noaa.gov with the subject line: “Role account changes - Role.Account.Name.Here”. All changes require PI approval.
Accessing a Role Account
You can access any role account if you are a member of the account. Use sudo with your RSA token to gain access. For example:
jsmith# sudo su - roleuser Access is via First.Last username only. Enter RSA PASSCODE: bash-4.1$ whoami roleuser
Your RSA passcode is your PIN+Token code.
X Applications With Role Accounts
If you are planning to use X utilities with role accounts, you should use the xsudo utility to switch to the role account instead of using the “sudo” command directly. You need to explicitly set the DISPLAY environment variable after doing the xsudo to the role account. So for example, if you want to use role.rap-chem role account and would like the ability to use X applications:
Note the
DISPLAY
environment variable in your current session before doing the xsudo to the role account:
$ echo $DISPLAY
Use the
xsudo
command to switch to the role account:
$ xsudo role.rap-chem
Set the
DISPLAY
environment variable to the value you obtained above just before doingxsudo
.$ export DISPLAY=localhost:14.0
$ setenv DISPLAY localhost:14.0
This will enable your X applications.
Using CRON
Since Role accounts are shared by multiple users in a project, the project members need a way to know which member is responsible for which section of the cron entries. The person responsible for the section of a cron entry of a role account should use the following guidelines:
At the beginning of the section:
Add a comment about the who is adding these cron entries
Add a comment about when this entry was added
Add a comment about an end date if applicable
Add other comments as needed to document the purpose
Add a
MAILTO=First.Last@noaa.gov
at the beginning of the sectionAdd a
MAILTO=
at the end of the section so that whoever is responsible for the next section sets their own MAILTO filed.
Note
Without the MAILTO
directive, any errors/logs from the cron
commands end up getting lost and one may never know there was a
problem/failure!