Profile shell scripts behave differently when invoked by normal users than they do for administrative roles.
A shell script that invokes the profile shell can be executed by normal users on the command line in any shell.
If the user has All Commands in a profile, the name of the profile shell script does not need to be explicitly added to any of the user's profiles.
The commands in the profile shell script must be in one of the user's rights profiles, or the user needs the All Commands profile. Commands that need privilege must be assigned the required privileges in the profile.
A profile shell script (using #!/bin/pfsh or any other profile shell) must always be run in a profile shell.
Roles cannot execute the profile shell from the command line or from a shell script (or bring up a GUI) without the trusted path.
A role must have the name of any script using a profile shell explicitly listed in the Custom role_name Profile or another rights profile for the trusted path to be available. (For ease in troubleshooting, we recommend using the Custom role_name Profile for all customizations to a role's rights.)
As is true for normal users, any commands in the profile shell script also need to be in one of the role's profiles.
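
The rules above can be checked before a profile shell script is deployed. The following is an added example, not part of the original documentation: it audits a constructed table laid out like exec_attr(4). The profile names, paths, the use of a "*" entry to stand for All Commands, and the helper names in_profiles and audit_script are assumptions.

```shell
#!/bin/sh
# Constructed sample in exec_attr(4) layout: name:policy:type:res1:res2:id:attr
# Profile names and paths are made up; a "*" id is assumed to be how
# All Commands covers every command.
sample_exec_attr() {
cat <<'EOF'
Custom oper Profile:tsol:cmd:::/opt/local/bin/rotate_logs:
Custom oper Profile:tsol:cmd:::/usr/bin/gzip:
Log Tools:tsol:cmd:::/usr/bin/mv:
All Commands:tsol:cmd:::*:
EOF
}

# in_profiles PROFILES PATH EXPLICIT
# Succeeds if PATH is a cmd entry in one of the comma-separated PROFILES.
# EXPLICIT=1 ignores wildcard entries.
in_profiles() {
    sample_exec_attr | awk -F: -v profs="$1" -v path="$2" -v explicit="$3" '
        BEGIN { n = split(profs, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        ($1 in want) && $3 == "cmd" && ($6 == path || (explicit != 1 && $6 == "*")) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# audit_script KIND PROFILES SCRIPT CMD...
# KIND is "user" or "role". Prints each gap and returns non-zero if any exist.
audit_script() {
    kind=$1 profs=$2 script=$3; shift 3
    gaps=0 explicit=0
    # A role needs the script itself listed explicitly, or it has no trusted path.
    # Assumption: for a normal user a wildcard (All Commands) entry is enough.
    [ "$kind" = role ] && explicit=1
    if ! in_profiles "$profs" "$script" "$explicit"; then
        echo "script not listed for $kind: $script"; gaps=1
    fi
    # Every command the script runs must be in one of the profiles.
    for cmd in "$@"; do
        if ! in_profiles "$profs" "$cmd" 0; then
            echo "command not in any profile: $cmd"; gaps=1
        fi
    done
    return $gaps
}
```

Call audit_script with the account kind, its comma-separated profile list, the script path, and the absolute paths of the commands the script runs.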