Creating ESM resources


The product uses external security manager (ESM) generic resource profiles to control access to the following:

  • Browser interface
  • Access to the product
  • Specific functions

As a security administrator, you can control product access in the relevant ESMs.

ESM profiles

The following definitions control access to the products and the initial menu selection that is available after login. By default, the resources are defined in the FACILITY class. If you define them in a class other than FACILITY, specify that class in the ClassName parameter in the configuration member.

The profiles you need depend on the product features that are in use. As a minimum, every user who accesses the browser-based applications must have READ access to RSM.RSS.LOGIN; without it, none of the other browser permissions can be exercised.

Resource           Access           Description

RSM.RSS.LOGIN      READ             Required for all users who are authorized to log in to the HTTP interface.
RSM.RSS.TOOLS      READ             Required for all users who are authorized to use the Tools features, which issue commands and drive SPM REXX from the browser.
RSM.RSS.SPM        READ             When more than one product from the RSS family is installed, lets the application appear in the product selection screen after login.
RSM.RSS.BATCH      READ             Required for all users who run the ZDTBATCH batch utility. For RACF and TSS, grant this access explicitly.
BMC.RSS.SPMCOMP    READ or UPDATE   READ lets users view compliance queries from the browser; UPDATE lets users change compliance queries from the browser.
BMC.RSS.SPMIMPRT   READ             Required to import a custom table (the examples below grant READ).
BMC.RSS.SPM        READ             Required for all users who run the ZDTBATCH batch utility. For RACF and TSS, grant this access explicitly.

To control access to the product

Use the following examples as a guide to defining the resources and granting access in your ESM:

Examples of RACF profiles

The following code blocks are examples of syntax for RACF profiles.

RDEFINE FACILITY RSM.RSS.LOGIN owner(<owner>)
RDEFINE FACILITY RSM.RSS.TOOLS owner(<owner>)
RDEFINE FACILITY RSM.RSS.SPM   owner(<owner>)
RDEFINE FACILITY RSM.RSS.BATCH owner(<owner>)

PERMIT RSM.RSS.LOGIN CLASS(FACILITY)  ID(<userID>) ACCESS(READ)
PERMIT RSM.RSS.TOOLS CLASS(FACILITY)  ID(<userID>) ACCESS(READ)
PERMIT RSM.RSS.SPM   CLASS(FACILITY)  ID(<userID>) ACCESS(READ)
PERMIT RSM.RSS.BATCH CLASS(FACILITY)  ID(<userID>) ACCESS(READ)

SETROPTS REFRESH RACLIST(FACILITY)


RDEFINE FACILITY BMC.RSS.SPMCOMP  owner(<owner>)
RDEFINE FACILITY BMC.RSS.SPMIMPRT owner(<owner>)
RDEFINE FACILITY BMC.RSS.SPM      owner(<owner>)

PERMIT BMC.RSS.SPMCOMP  CLASS(FACILITY) ID(<userID>) ACCESS(UPDATE)
PERMIT BMC.RSS.SPMCOMP  CLASS(FACILITY) ID(<userID>) ACCESS(READ)
PERMIT BMC.RSS.SPMIMPRT CLASS(FACILITY) ID(<userID>) ACCESS(READ)
PERMIT BMC.RSS.SPM      CLASS(FACILITY) ID(<userID>) ACCESS(READ)

SETROPTS REFRESH RACLIST(FACILITY)

Replace the following placeholders:

  • <owner>—RACF owner for the resource
  • <userID>—RACF user ID or group that is granted access to the product

The two PERMIT commands for BMC.RSS.SPMCOMP are intended for different user IDs or groups (one set of users that may change compliance queries, another that may only view them). A profile's access list holds one access level per ID, so a second PERMIT for the same ID replaces the first rather than adding to it. RDEFINE creates each profile with UACC(NONE) unless you specify otherwise, so no one has access until you PERMIT it.

Example of TSS definitions

The following code blocks are examples of syntax for TSS definitions.

TSS ADDTO(MASTER) IBMFAC(RSM.RSS.)  
TSS PERMIT(<userID>) IBMFAC(RSM.RSS.LOGIN) ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(RSM.RSS.TOOLS) ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(RSM.RSS.SPM)   ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(RSM.RSS.BATCH) ACCESS(READ)


TSS ADDTO(MASTER) IBMFAC(BMC.RSS.)  
TSS PERMIT(<userID>) IBMFAC(BMC.RSS.SPMCOMP)  ACCESS(UPDATE)
TSS PERMIT(<userID>) IBMFAC(BMC.RSS.SPMCOMP)  ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(BMC.RSS.SPMIMPRT) ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(BMC.RSS.SPM)      ACCESS(READ)

Replace the <userID> placeholders with the TSS user identifier that is granted access to the product.

Important

To use TSS with BMC AMI Security Policy Manager, see Installing the Top Secret installation exit TSSINSTX for SPM.

Example of ACF2 rules

The following code blocks are examples of syntax for ACF2 rules.

$KEY(RSM) TYPE(FAC)
$USERDATA(BMC AMI Security Policy Manager)
RSS.LOGIN    UID(<userID>) SERVICE(READ) ALLOW
RSS.TOOLS    UID(<userID>) SERVICE(READ) ALLOW
RSS.SPM      UID(<userID>) SERVICE(READ) ALLOW
RSS.BATCH    UID(<userID>) SERVICE(READ) ALLOW
- UID(NOACCESS) PREVENT
- UID(*) PREVENT


$KEY(BMC) TYPE(FAC)
$USERDATA(BMC AMI Security Policy Manager)
RSS.SPMCOMP  UID(<userID>) SERVICE(UPDATE) ALLOW
RSS.SPMCOMP  UID(<userID>) SERVICE(READ) ALLOW
RSS.SPMIMPRT UID(<userID>) SERVICE(READ) ALLOW
RSS.SPM      UID(<userID>) SERVICE(READ) ALLOW
- UID(NOACCESS) PREVENT
- UID(*) PREVENT

Replace the <userID> placeholders with the ACF2 user identifier portion of the UID that is granted access to the product.
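The three examples above encode the same access matrix three times, and the one mistake that is easy to make is visible in all of them: a user ID listed for BMC.RSS.SPMCOMP with both UPDATE and READ, or a user granted a browser feature without RSM.RSS.LOGIN. The following script is an added example (not BMC's tooling and not part of the original page) that generates the RACF, TSS and ACF2 definitions from a single grant list and checks those two conditions first. The user IDs, owner and owning ACID are constructed placeholders, and the set of resources treated as browser-facing is an assumption drawn from the descriptions in the ESM profiles table.

```python
"""Generate and sanity-check RACF, TSS and ACF2 definitions for the RSM.RSS.*
and BMC.RSS.* FACILITY resources.

Added example; not BMC's own tooling. The user IDs, owner and owning ACID
below are constructed placeholders. BROWSER_RESOURCES is an assumption.
"""

# Resource -> access levels the ESM profiles table allows for it.
RESOURCES = {
    "RSM.RSS.LOGIN": {"READ"},
    "RSM.RSS.TOOLS": {"READ"},
    "RSM.RSS.SPM": {"READ"},
    "RSM.RSS.BATCH": {"READ"},
    "BMC.RSS.SPMCOMP": {"READ", "UPDATE"},
    "BMC.RSS.SPMIMPRT": {"READ"},
    "BMC.RSS.SPM": {"READ"},
}

# Assumption: these features are reached through the HTTP interface, so any
# user granted one of them also needs RSM.RSS.LOGIN. RSM.RSS.BATCH (ZDTBATCH)
# is deliberately excluded: a batch-only ID never logs in to the browser.
BROWSER_RESOURCES = {"RSM.RSS.TOOLS", "RSM.RSS.SPM",
                     "BMC.RSS.SPMCOMP", "BMC.RSS.SPMIMPRT"}


def validate(grants):
    """grants: list of (userid, resource, access). Returns a list of problems."""
    problems = []
    seen = {}
    for user, res, acc in grants:
        allowed = RESOURCES.get(res)
        if allowed is None:
            problems.append(f"{user}: unknown resource {res}")
            continue
        if acc not in allowed:
            problems.append(f"{user}: {acc} is not a valid level for {res}")
        prev = seen.setdefault((user, res), acc)
        if prev != acc:
            # In RACF a second PERMIT for the same ID replaces the first, so
            # listing both levels does not grant both; one of them must go.
            problems.append(f"{user}: {res} listed with both {prev} and {acc}")
    by_user = {}
    for user, res, _ in grants:
        by_user.setdefault(user, set()).add(res)
    for user in sorted(by_user):
        if by_user[user] & BROWSER_RESOURCES and "RSM.RSS.LOGIN" not in by_user[user]:
            problems.append(f"{user}: browser features granted without RSM.RSS.LOGIN")
    return problems


def racf_commands(owner, grants):
    """RDEFINE every resource (UACC(NONE) stated explicitly), then PERMIT."""
    lines = [f"RDEFINE FACILITY {res} OWNER({owner}) UACC(NONE)" for res in RESOURCES]
    lines += [f"PERMIT {res} CLASS(FACILITY) ID({user}) ACCESS({acc})"
              for user, res, acc in grants]
    lines.append("SETROPTS REFRESH RACLIST(FACILITY)")
    return lines


def tss_commands(owning_acid, grants):
    """Own each prefix (RSM.RSS., BMC.RSS.) once, then PERMIT per grant."""
    prefixes = sorted({res.rsplit(".", 1)[0] + "." for res in RESOURCES})
    lines = [f"TSS ADDTO({owning_acid}) IBMFAC({p})" for p in prefixes]
    lines += [f"TSS PERMIT({user}) IBMFAC({res}) ACCESS({acc})"
              for user, res, acc in grants]
    return lines


def acf2_rules(grants):
    """One TYPE(FAC) rule set per $KEY (RSM, BMC), ending in default PREVENT."""
    rule_sets = {}
    for user, res, acc in grants:
        key, rest = res.split(".", 1)          # RSM.RSS.LOGIN -> RSM, RSS.LOGIN
        rule_sets.setdefault(key, []).append(
            f"{rest:<12} UID({user}) SERVICE({acc}) ALLOW")
    out = []
    for key in sorted(rule_sets):
        out += [f"$KEY({key}) TYPE(FAC)", "$USERDATA(BMC AMI Security Policy Manager)"]
        out += rule_sets[key]
        out += ["- UID(NOACCESS) PREVENT", "- UID(*) PREVENT"]
    return out


# Constructed sample: an administrator, a read-only reviewer and a batch ID.
SAMPLE_GRANTS = [
    ("RSSADM", "RSM.RSS.LOGIN", "READ"),
    ("RSSADM", "RSM.RSS.TOOLS", "READ"),
    ("RSSADM", "BMC.RSS.SPMCOMP", "UPDATE"),
    ("RSSVIEW", "RSM.RSS.LOGIN", "READ"),
    ("RSSVIEW", "BMC.RSS.SPMCOMP", "READ"),
    ("BATCHJOB", "RSM.RSS.BATCH", "READ"),
]

# Constructed sample with the two mistakes the validator is meant to catch.
CONFLICTING_GRANTS = [
    ("RSSADM", "RSM.RSS.LOGIN", "READ"),
    ("RSSADM", "BMC.RSS.SPMCOMP", "UPDATE"),
    ("RSSADM", "BMC.RSS.SPMCOMP", "READ"),
    ("RSSVIEW", "RSM.RSS.TOOLS", "READ"),
]

if __name__ == "__main__":
    for problem in validate(CONFLICTING_GRANTS):
        print("PROBLEM:", problem)
    if not validate(SAMPLE_GRANTS):
        print("\n".join(racf_commands("RSSOWNER", SAMPLE_GRANTS)))
        print("\n".join(tss_commands("MASTER", SAMPLE_GRANTS)))
        print("\n".join(acf2_rules(SAMPLE_GRANTS)))
```

Run it as-is to see the two problems reported for the conflicting list and the generated definitions for the clean one; replace the sample grant lists with your own before pasting the output into TSO, the TSS command interface or the ACF2 rule compiler.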

Installing the Top Secret installation exit TSSINSTX for SPM

To use CA Top Secret (TSS) resources, BMC AMI Security Policy Manager requires the Top Secret installation exit (TSSINSTX) to capture events that happen within a Top Secret protected system. Through TSSINSTX, SPM captures all Top Secret commands that are entered and any password changes that occur.

If your site does not currently use TSSINSTX, use the sample exit provided in the RSSSAMP library. The BMC sample exit uses the ECIDYNX macro, which dynamically loads the exit code that SPM needs.

If your site already uses TSSINSTX, you must modify it so that the BMC code is called: insert the supplied ECIDYNX macro into your site's TSSINSTX.

The BMC exits are designed to be pseudo-dynamically loaded. The ECIDYNX macro calls an exit module that is loaded by the master address space, so after you apply SPM maintenance that changes the exit routines, you only need to restart the master address space to activate the new exit code.

Using the ECIDYNX macro

Use the ECIDYNX macro to call the supplied exit routines from an existing exit routine.

Use the following statement:

ECIDYNX  NAME=TSSINSTX,TOKEN=RSMZDTEC

The statement uses the following values:

  • TSSINSTX is the name of the exit to be called.
  • RSMZDTEC is the name of the master address space token.

The ECIDYNX macro requires Register 1 to point to the original parameter list supplied by TSS when the exit was called.

Linkage

System exits that invoke the ECIDYNX macro must include ECIMSTXT from RSSLOAD.

Example

The full code for a sample exit is supplied in the RSSSAMP data set, in the TSSINSTX member.

Add the following code to the existing TSSINSTX exit routine after the matrix code.

***********************************************************************
*  Call RSS Exit                                                      *
***********************************************************************
          ECIDYNX  NAME=TSSINSTX,TOKEN=RSMWFCEC

Use the following sample JCL to assemble and link the sample TSSINSTX exit:

//ASM   EXEC PGM=ASMA90,
// PARM=('SYSPARM(),LINECOUNT(0),SUPRWARN(042)',
// 'NOXREF,NODXREF,NORXREF,NOMXREF,NORLD,USING(NOMAP),RENT')
//SYSLIB   DD DISP=SHR,DSN=<hlq>.RSSSAMP
//         DD DISP=SHR,DSN=SYS1.MACLIB
//         DD DISP=SHR,DSN=SYS1.MODGEN
//SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,(3,2))
//SYSLIN   DD DISP=(,PASS),SPACE=(CYL,(5,0,0)),
//            DCB=BLKSIZE=400,DSN=&&EXIT
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DISP=SHR,DSN=<hlq>.RSSSAMP(RSSINSTX)
//*
//BGKLINK1 EXEC PGM=IEWL,
// PARM=('LIST,XREF,LET,AMODE=31,RMODE=ANY,AC(1),CASE=MIXED',
// 'RENT,REUS')
//RSSLOAD  DD DISP=SHR,DSN=<hlq>.RSSLOAD
//SYSLMOD  DD DISP=SHR,DSN=<hlq>.RSSLOAD
//SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,(3,2))
//SYSLIN   DD DISP=(OLD,DELETE),DSN=&&EXIT
//         DD *
  INCLUDE RSSLOAD(ECIMSTXT)
  ENTRY TSSINSTX
  NAME TSSINSTX(R)
//SYSPRINT DD SYSOUT=*
//

Note

To load the TSSINSTX exit, copy the link-edited module from <hlq>.RSSLOAD into the CA TSS load library, usually hlq.CAKOLINK. If that library is in the link list, refresh LLA (F LLA,REFRESH) so that the new copy is the one that gets loaded.

The following TSS command then loads and activates TSSINSTX:

TSS MODIFY(EXIT(ON))

When the command completes successfully, TSS issues the following syslog message, naming the library the module was loaded from:

TSS9225I MODULE TSSINSTX mm/dd/yy LOADED FROM LIBRARY hlq.CAKOLINK

Creating ESM user IDs for SSPR

BMC AMI Security Self Service Password Reset requires an ESM user ID to reset a user's password.

For RACF, create a user ID in one of the following ways:

  • Set the SSPR STC user ID to have RACF authority to RESET passwords
  • Define a dedicated user ID with RACF authority to RESET passwords and specify the RACFAdminUser in the BMC AMI Resident Security Server global configuration parameters. For more information, see Global-configuration-parameters.

Where to go from here

For BMC AMI Enterprise Connector for Venafi, see additional ESM content for BMC AMI Enterprise Connector for Venafi, and then see Defining-a-checkpoint-data-set.

For all other products, after you create ESM resources, see Creating-a-database-directory.
