Getting started


BMC AMI Security Breakglass is one of a suite of products that runs under the control of RSS.

There are times when authorized users require elevated privileges, normally controlled by RACF, to perform specific application or system changes. For certain critical or sensitive systems, having one or more users with permanent access privileges is a potential security risk.

Security Breakglass enables users who do not have system privileges on a permanent basis to request elevated privileges when required. All Security Breakglass activity is fully audited and can be associated with change control requests.

BMC AMI Security Breakglass provides multiple methods for accessing and grouping the temporary system privileges that you can request.

Access modes

You can access Security Breakglass by using the following modes: 

  • User ID pools
  • Self-elevation

You can use both modes in a single instance of Security Breakglass.

User ID pools

Users get access to a temporary user ID from a predefined pool. You create user IDs in the RACF database, each of which is assigned the necessary permissions to perform a specific system maintenance role.

IDs in the pool are kept in a revoked state, with an unknown password. When an authorized user wants to perform a controlled function, they receive access to the appropriate user ID from the pool and can set a temporary password. When the authorized user releases the ID, or after a preconfigured time, the user ID is revoked again and its password is reset to an unknown value.

Self-elevation

Users can have their own user ID privileges temporarily elevated. You grant them membership in privileged groups, each having the necessary permissions to perform a specific system maintenance role.

After a preconfigured time, the privileges are revoked and the user ID is disconnected from the privileged groups.
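The two lifecycles above, shown as the RACF commands that produce each state. This is an added illustration, not Security Breakglass's own processing or output (the product's actual mechanism is not described on this page). The job, group, user ID and password values ($BGSYSP, POOLSP1, USER01, INITIAL1, ONETIME1, RND0M8KQ) are placeholders, and the PERMIT commands that attach the maintenance permissions to the role group are assumed to exist separately.

```jcl
//BGPOOL   JOB (ACCT),'POOL ID LIFECYCLE',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*--------------------------------------------------------------------
//* Illustrative RACF commands for the states a pooled user ID and a
//* self-elevated user pass through. Placeholder names throughout:
//*   $BGSYSP  role group that carries the maintenance permissions
//*   POOLSP1  pooled user ID for that role (user ID pool mode)
//*   USER01   a user's own ID (self-elevation mode)
//*--------------------------------------------------------------------
//* 1. Define the role group and the pool ID, then park the ID revoked.
//*    The REVOKE stops anyone logging on with it while it is idle.
//DEFINE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP $BGSYSP SUPGROUP(SYS1) OWNER(SYS1)
  ADDUSER  POOLSP1 NAME('SYSPROG POOL ID 1') OWNER($BGSYSP) +
           DFLTGRP($BGSYSP) PASSWORD(INITIAL1)
  ALTUSER  POOLSP1 REVOKE
/*
//* 2. Checkout: resume the ID and hand the requester a one-time
//*    password. A password set by ALTUSER is expired unless NOEXPIRED
//*    is coded, so RACF forces a change at the first logon.
//CHECKOUT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER  POOLSP1 RESUME PASSWORD(ONETIME1)
/*
//* 3. Release or timeout: revoke the ID again and overwrite the
//*    password with a value that is not retained anywhere.
//RELEASE  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER  POOLSP1 PASSWORD(RND0M8KQ) REVOKE
/*
//* 4. Self-elevation equivalent: connect the user's own ID to the role
//*    group for the session, then remove it when the time expires.
//ELEVATE  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  CONNECT  USER01 GROUP($BGSYSP) AUTHORITY(USE)
  REMOVE   USER01 GROUP($BGSYSP)
/*
```

One caveat worth keeping in mind when reviewing either mode: RACF builds a user's security environment at logon, so a REMOVE from the role group or a REVOKE of the pool ID does not by itself end a session that is already active. Time-based revocation therefore bounds new logons, and the audit trail Security Breakglass keeps is what ties the activity during the window back to the request.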

Projects

Access modes for both user ID pools and self-elevation are arranged in projects.

For example, you can define a project for a system programming activity, such as z/OS maintenance or CICS maintenance. You can associate multiple user IDs with the project and each ID can have different privileges.

You can then define another project with application-level maintenance activities and create a different set of user IDs and privileges for that project.

Users authorized to request access must also be authorized for the project. This provides fine-grained control over the level of access users can request, and for what purpose.

User levels

Security Breakglass supports two levels of users:

  • User—permitted to receive and request permission to elevate their privileges to perform specific system actions.
  • Manager—permitted to authorize requests submitted by users.

A user's level is determined by the privileges assigned to the user ID used to sign in to Security Breakglass. These privileges are controlled by RACF profiles.

Request modes

Security Breakglass operates in two request modes:

  • Automatic—users are automatically given access to the privileged user IDs without any further authorization.
  • Approval—users must wait until their request is approved by a manager or supervisor.

Request mode is defined in the configuration parameters for each project. You can vary the request mode by time of day, day, or week. For example, requests during office hours can be in Approval mode and requests outside of office hours can be in Automatic mode.

Where to go from here

If you are a system programmer and want to install and configure Security Breakglass, see the following topic branches:

If you want to start using Security Breakglass to request and grant elevated privileges, see Using.
