Configuring after installation


Use the parameters in this topic to specify Security Breakglass settings in the RSS configuration. These parameters are not required for other RSS components.

BreakglassProject table

The Security Breakglass configuration statements are grouped into projects, in which a project is a specific group of Security Breakglass user IDs used to access a specific system resource.

For example, you might define one project for access to CICS, a second project for Db2, and a third project for z/OS.

The Security Breakglass configuration member (BGLASS) uses the following parameters:

Parameter

Description

BreakglassProject projectName

Indicates the start of a project definition

Enter a name of up to eight characters for projectName.

AccessRetention number type REVOKE

Time period to retain access to project resources

Enter the amount of time users can retain their user pool ID or self-elevation privileges.

  • number is the numerical value of time, for example 15 (minutes).
  • type is the unit of measure, which can be Minutes, Hours, or Days.

The maximum value you can enter is 90 days. Once the time is up, privileges are revoked and any passwords the user created are removed.

If you use REVOKE, the user IDs for the project are flagged as revoked in RACF, when not in use, in addition to their passwords being reset. This is helpful for projects with very powerful user IDs and privileges.

The value you enter here is loaded by default into the Duration box for users requesting a user ID.

If you omit type, the default Minutes is used.

Approver type value

(SPE2010)

(Optional) TSO user ID or email address of the person who will approve access requests for the project

This parameter is useful for sending notifications to support mailboxes or to a mailing list of approvers. Notification is not sent for automatic approvals.

  • type indicates how the approver is notified:
    • EMAIL specifies the email address of the approver.
    • TSO specifies the TSO user ID of the approver.
  • value contains the corresponding email or TSO user ID.

Important

If you specify EMAIL, Security Breakglass uses the value from the EmailProfile block of the RSS server configuration parameters. For the notification process to operate correctly, you must have previously configured these parameters. For more information, see Email Configuration parameters.

AutoPeriod hh:mm hh:mm WEEKDAYS|WEEKENDS

(Optional) Enables automatic access-request approval for the specified time period

Users must receive manager approval when requesting user ID pool or self-elevation access, but managers are not always available when access requests come in. To address this, you can specify periods during which approvals are granted automatically, for example on weekends or holidays when a project manager might be traveling or on vacation.

  • Enter start and end times in hours and minutes using hh:mm hh:mm.
  • Use either WEEKDAYS or WEEKENDS (you can only use one) to specify when the time period occurs.
  • Define one or more AutoPeriod parameters as needed for the project.

    Important

    AutoPeriod uses a 24-hour clock. If a time period spans midnight, the start time must be greater than the end time. For example:
    AutoPeriod 23:30 08:30 WEEKDAYS

If you omit AutoPeriod, the default is that manager approval is required for all access requests.

ChangeIDPrefix prefix1 prefix2 prefix3 ...

Force specific Change ID prefixes for the project

You can configure multiple, custom Change ID prefixes to use for tracking requests from the project. Users are shown the required prefixes when requesting a user ID. The prefixes are not case sensitive.

CommandUserID Job|Group

User ID for issuing RACF commands

Ensure that the user ID for the specified value has sufficient privileges to issue RACF LIST and ALTER commands.

  • Job issues commands under the user ID of the started task running Security Breakglass.
  • Group issues commands under the Group Owning user ID of the RACF group associated with the project.

If you omit CommandUserID, the default Job is used.

ConcurrentMode True|False

(For self-elevation projects only) The project allows concurrent use in valid instances

Users can self-elevate in multiple projects concurrently when:

  • The user initially chooses, and is currently elevated in, a project where ConcurrentMode = True.
  • The next project the user chooses also has ConcurrentMode = True.

If the user initially chooses or is currently elevated in a project where ConcurrentMode = False, they cannot concurrently elevate to another project.

If you omit ConcurrentMode, the default False is used.

ConnectGroup group1 group2 group3 ...

(For self-elevation projects only) Names of the user-access RACF groups associated with the project

RACF groups provide projects with access to required system resources. Projects created for self-elevation can connect to multiple RACF groups, providing a wide range of access for the user. You can define multiple groups for a single ConnectGroup parameter or you can use multiple ConnectGroup parameters instead.

In addition, users are connected automatically to the RACF group defined specifically for the project via the RACFGroup keyword. For more information, see RACF groups.

Description text

Description of the project

The description can be up to 31 bytes and is visible to users requesting and approving access to the project.

ExpiryNotify type value

(SPE2010)

(Optional) TSO user ID or email address for project expiry warnings

Use this parameter to notify people when access for any of the project's user IDs is about to expire. First choose the method of notification and then fill in the details:

  • type indicates how the recipient is notified:
    • EMAIL specifies the email address of the recipient.
    • TSO specifies the TSO user ID of the recipient.
  • value contains the corresponding contact information:
    • For EMAIL, enter the email address of the person you want notified.
    • For TSO, enter the TSO user ID of the person you want to notify, or one of the following:
      • USER sends the notification to the Security Breakglass user ID requested from the project.
      • REQUESTER sends the notification to the person who requested the Security Breakglass user ID from the project.

You can add multiple ExpiryNotify parameters to add multiple email recipients.

Important

  • If you configure ExpiryNotify:

    • The values entered here appear as default settings on the Confirm Breakglass Access Request page.
    • Modifications made on the Confirm Breakglass Access Request page override the values configured here.

    For more information, see Requesting a user ID.

  • If you specify EMAIL, Security Breakglass uses the value from the EmailProfile block of the RSS server configuration parameters. For the notification process to operate correctly, you must have previously configured these parameters. For more information, see Email Configuration parameters.

ExpiryTimer number type

(SPE2010)

Lead time before access expires at which notifications are sent

(Optional) For use with ExpiryNotify, specify the amount of lead time you want for notifications before project IDs expire. The maximum value is 90 days.

  • number is the numerical value of time, for example 15 (minutes).
  • type is the unit of measure, which can be Minutes, Hours, or Days.

If you omit ExpiryTimer, the default value of 5 minutes is used.

LocalAuthenticate racfProfileName

(SPE2110)

(Optional) RACF profile containing the list of the users permitted to use local authentication

For use in a multi-system configuration; an access level of READ or higher to the profile is sufficient to grant this privilege. Users on the list need to enter their password only once and authenticate on the master system to receive access to all systems in the request.

If you omit LocalAuthenticate, users must enter passwords for each system in the request.

MaximumRetention number type

Maximum time to retain access to project resources

Enter the maximum amount of time users can retain their user pool ID or self-elevation privileges.

  • number is the numerical value of time, for example 15 (minutes).
  • type is the unit of measure, which can be Minutes, Hours, or Days.

The maximum value you can enter is 90 days. If the user enters a value in the Duration box when requesting a user ID that is greater than the MaximumRetention value, MaximumRetention takes precedence.

If you omit type, the default Minutes is used.

Mode UserPool|SelfElevation

Access mode for project

  • UserPool provides temporary user IDs from a predefined pool.
  • SelfElevation lets users temporarily extend the privileges of their own user ID.

If you omit Mode, the default UserPool is used.

Notify emailAddress

(Optional) Email address for project activity notifications

Enter the email address of the person you want to notify of activity in the project. Project activity can include:

  • Account requested and requires authorization
  • Request released
  • Request cancelled
  • Request active
  • Request expired
  • Request not authorized

Typically, you would enter the project manager's email address so they get notified of authorization requests from users. You can add multiple Notify parameters to add multiple email recipients.

Important

For the notification process to operate correctly, you must have previously configured the EmailProfile block of the RSS server configuration parameters. For more information, see Email Configuration parameters.

RACFGroup groupName

(Optional) RACF group associated with the project

Every project has an associated RACF group. For more information, see RACF groups.

If you omit RACFGroup, the default used is the value specified in the BreakglassProject parameter.

RACFProfile profileName

(Optional) RACF profile containing the access level requirements for the project

Anyone working with this project must have the permissions defined in the specified RACF profile.

  • Users requesting IDs and self-elevation must have READ access.
  • Managers who will be approving the requests must have ALTER access.

If you omit RACFProfile, the default used is RSM.RSS.projectname, where projectname is the value specified in the BreakglassProject parameter.

SystemList systemName1 systemName2 systemName3 ...

(SPE2107)

(Optional) Names of servers defined for the project

This parameter applies if you use Security Breakglass in a multi-system configuration. Specify one or more servers that user pool or self-elevation IDs associated with the project can access. When a RACF user requests an ID from the project, their authorization to access these servers is verified.

You must make sure that all servers defined for this parameter are also defined in the BreakglassServer configuration block.

The total list of systems for this parameter always includes the local system on which the master instance is installed. You do not need to define it here.

If you omit SystemList, Security Breakglass runs as a single-system instance.

EndBreakglassProject

Indicates the end of a project definition
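The following BGLASS member shows two complete project definitions built from the parameters in this table. It is an added example, not taken from the product documentation: the project names, descriptions, RACF groups and profiles, addresses, TSO user IDs and system names are all constructed, and the statement layout (one parameter per line inside a BreakglassProject/EndBreakglassProject pair) is assumed from the table.

```text
BreakglassProject DB2PROD
  Description Db2 production emergency access
  Mode UserPool
  RACFGroup DB2EMERG
  RACFProfile RSM.RSS.DB2PROD
  CommandUserID Group
  AccessRetention 30 Minutes REVOKE
  MaximumRetention 4 Hours
  Approver EMAIL db2-oncall@example.com
  Notify db2-manager@example.com
  AutoPeriod 23:30 08:30 WEEKDAYS
  AutoPeriod 00:00 23:59 WEEKENDS
  ChangeIDPrefix CHG INC
  ExpiryNotify TSO REQUESTER
  ExpiryNotify EMAIL db2-oncall@example.com
  ExpiryTimer 15 Minutes
  SystemList PRODA PRODB
EndBreakglassProject

BreakglassProject ZOSELEV
  Description z/OS sysprog self-elevation
  Mode SelfElevation
  ConcurrentMode False
  ConnectGroup SYSPROG OPERCMDS
  RACFProfile RSM.RSS.ZOSELEV
  AccessRetention 1 Hours REVOKE
  MaximumRetention 1 Days
  Approver TSO SYSMGR1
  LocalAuthenticate RSM.RSS.LOCALAUTH
  SystemList PRODA
EndBreakglassProject
```

DB2PROD hands out pool IDs that are revoked in RACF outside their 30-minute default window and auto-approves only overnight and at weekends; ZOSELEV is a self-elevation project whose RACFGroup defaults to ZOSELEV. Every name in SystemList (PRODA, PRODB) must also be defined in the BreakglassServer configuration block on the master instance.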

BreakglassServer table

(SPE2107)

Located on the master Security Breakglass instance, the server configuration member uses the following parameters:

Parameter

Description

BreakglassServers

Indicates the start of the server definitions

name ipAddress portNumber

Defines the agent system that Security Breakglass user IDs can access

Enter the name, IP address, and port number of the servers that you want to associate with Security Breakglass. The name can be up to 15 characters and does not have to match the actual name of the server. You can repeat this parameter as many times as needed to include all desired systems.

EndBreakglassServers

Indicates the end of the server definitions

Important

You do not need to define the local system on which the master instance is installed in the BreakglassServer member. It is included automatically for all users with authorization on the local system.

BreakglassAgent table

(SPE2107)

Located on the agent instance, the agent configuration member uses the following parameters:

Parameter

Description

BreakglassAgent

Indicates the start of the agent definition

name ipAddress

Defines the name and IP address of the local agent system

Enter the name and IP address of the system that Security Breakglass user IDs will access. The name can be up to 15 characters and must match the name of a system defined in the master (BreakglassServers block).

port portNumber

Defines the port number for the local agent system

The number must match the port number defined in the master (BreakglassServers block) for the specified IP address.

EndBreakglassServers

Indicates the end of the agent definition
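The rules in the BreakglassProject and BreakglassServer tables (90-day ceiling on AccessRetention, MaximumRetention and ExpiryTimer, eight-character project names, and every SystemList entry defined in BreakglassServers) can be checked before a master member is deployed. The linter below is an added example, not product code; it assumes the one-statement-per-line "Keyword values" layout shown in the tables and uses a constructed sample member with two deliberate mistakes.

```python
# Added example, not product code: the one-statement-per-line "Keyword values" syntax
# and the block delimiters are assumed from the parameter tables above.
UNIT_MINUTES = {"MINUTES": 1, "HOURS": 60, "DAYS": 1440}   # type defaults to Minutes
MAX_MINUTES = 90 * 1440                                     # 90-day ceiling on retention/timer values

# Constructed sample master member with two deliberate mistakes for lint() to report.
SAMPLE = """BreakglassProject DB2PROD
  AccessRetention 30 REVOKE
  MaximumRetention 120 Days
  AutoPeriod 23:30 08:30 WEEKDAYS
  SystemList PRODA PRODX
EndBreakglassProject
BreakglassServers
  PRODA 10.0.0.11 4711
EndBreakglassServers"""

def parse(text):
    """Return ({project: [(keyword, values), ...]}, {server: (ipAddress, portNumber)})."""
    projects, servers, project, in_servers = {}, {}, None, False
    for words in (line.split() for line in text.splitlines() if line.strip()):
        key, vals = words[0], words[1:]
        if key == "BreakglassProject":
            project, projects[vals[0]] = vals[0], []
        elif key == "EndBreakglassProject":
            project = None
        elif key in ("BreakglassServers", "EndBreakglassServers"):
            in_servers = key == "BreakglassServers"
        elif in_servers:
            servers[key] = (vals[0], vals[1])
        elif project is not None:
            projects[project].append((key, vals))
    return projects, servers

def minutes(vals):
    """Convert 'number [type]' to minutes; a missing type (or trailing REVOKE) means Minutes."""
    return int(vals[0]) * UNIT_MINUTES.get(vals[1].upper() if len(vals) > 1 else "", 1)

def lint(text):
    """Return findings as strings; an empty list means the member passed every check."""
    projects, servers = parse(text)
    findings = [f"{p}: project name longer than 8 characters" for p in projects if len(p) > 8]
    for name, stmts in projects.items():
        for key, vals in stmts:
            if key in ("AccessRetention", "MaximumRetention", "ExpiryTimer") and minutes(vals) > MAX_MINUTES:
                findings.append(f"{name}: {key} exceeds the 90-day maximum")
            elif key == "SystemList":
                findings += [f"{name}: SystemList system {s} is not in BreakglassServers"
                             for s in vals if s not in servers]
    return findings
```

Running lint(SAMPLE) reports the 120-day MaximumRetention and the undefined PRODX system; the agent member is not checked here because it lives on a different system.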
