
David_G__33241
Nov 06, 2015

Functional ID and Script Creation

I am using “Mark's HTTP Super SIDEBAND Requestor” to call a bash script. The iRule includes the following:

set sts [call /Common/HSSR::http_req  \
    -uri "https://127.0.0.1/mgmt/tm/util/bash/" \
    -userid admin \
    -passwd adminpassword \
    -virt /Common/vs-HSSR-helper \
    -method "POST" \
    -body "{\"command\":\"run\",\"utilCmdArgs\":\"-c '/home/david/script.sh -a $csr_adname -e $csr_email … -x $csr_adname_encrypt'\"}" \
    -rbody rbody]

This build is in a lab so right now the script is in my home directory. The call to the virtual also includes the userid and password for admin. Everything works great but I am sure this is not the best practice.

I am guessing the best thing to do is to create a functional account instead, but I would like to further lock it down so that it cannot be used to connect to the box externally – is this possible? For example, can I create an account called “fid” in such a way that “fid” can be used above as the userid for the call to the virtual but make it so that a person cannot log in to the management interface (GUI as well as SSH) using “fid”? If not, is there anything that can be done to cache or hide the password? (I would rather not be passing around QKViews that have an iRule with an Admin password in clear text.)

Next, where is the best place to store the script that is currently located in /home/david/script.sh? Is there a standard such as /home/fid/scripts or perhaps some other directory? (Sorry, I’m not a sysadmin and I would like to do this properly.)

Thanks,

David

APM 11.5.3