Using
This topic describes tasks that you can perform using the BMC AMI Security Breakglass product:
Task 1—To log on to Security Breakglass
Your system might vary depending on the installed products.
- In a web browser, enter https://systemName:port, substituting the values as determined by your installation and the RSS configuration.
- In the BMC AMI Security Logon window, enter your user ID and password and click Log On.
The Product Selection menu appears.
- Click the Breakglass Launch button.
The Security Breakglass dashboard displays the projects that you have access to.
Security Breakglass dashboard
You can use the buttons at the top of the dashboard to perform the following actions:
Button | Action |
---|---|
Menu | Return to the Product Selection menu |
Refresh Status | Display the latest project statuses |
Log Off | Exit Breakglass and the BMC AMI Security product group |
Security Breakglass projects
Each project has its own status table that lists the user IDs assigned to that project.
The project status table provides the following information:
Column | Description |
---|---|
UserID | Unique identifier of the temporary user ID to which special privileges are assigned. For user pool projects, all user IDs in the pool are displayed. For self-elevation projects, only user IDs currently upgraded with special privileges are displayed. |
User Description | Taken from the NAME field of the RACF user profile |
State | Current state of the user ID |
ChangeID | Manually entered string associated with a pending or active request |
Current Status | Description of the current state of the user ID, generated by the system |
Expires | Date and time when the user ID will be released |
Action | Button that enables you to take the next action. The button changes depending on the State of the user ID. |
Action buttons
The following function buttons can appear next to a row in the table, depending on the user level and state of the user ID:
Function | Description | User level |
---|---|---|
Request | Request a temporary user ID or self-elevation. | User |
Approve | Approve a user request. | Manager |
Accept | Accept an approved user ID or self-elevation. | User |
View | (SPE2107) View the date and time at which an approved and accepted user ID request with an access window will be available for use. | Both |
View Status | (SPE2107) (Multi-system configurations only) View the status of requested systems when there is a conflict (see State, ConflictingStatus). You can take action on any active systems for which you have authorization. | Both |
Set Password | (SPE2107) Set a temporary password to begin using the user ID. | User |
Release | Release a temporary user ID or self-elevation. | Both |
Self-elevation projects and concurrent mode
When checking the status table of self-elevation projects, you might see the state, Another non-concurrent project is already active.
This can occur when a self-elevation project is already active and one of the following conditions is true:
- The active project was configured with ConcurrentMode = False.
- The user tries to access a new self-elevation project that is configured with ConcurrentMode = False.
For more information about ConcurrentMode, see Configuring Breakglass projects.
Task 2—To request a user ID
This procedure is the same for both user ID pool and self-elevation projects.
- Locate the project that you want to access.
- Click Request to the right of the table row containing the required user ID. Self-elevation projects have a single row only.
The Confirm Breakglass Access Request dialog box appears.
- (Multi-system configurations only) Select one or more systems to access with the user ID. You can select them individually or click Select All if you want access to all of the systems in the list.
- (Optional) Decide on a timeframe for using the ID:
  - For immediate access upon activation for the specified days, hours, or minutes, select Access Duration.
  - To provide access to the ID for a specific period only or for some time in the future, select Access Window. You must specify both a start date and time, and an end date and time.
- Enter the Change ID, from 1 to 15 characters, that you want to associate with the request.
- (Optional) In the Comment box, enter a textual description of the change (up to 128 characters).
- (Optional) To receive notification before access for the user ID is about to expire, select Send Expiry Notification.
The dialog box expands to present additional options.
- Modify the Expiry Notification options as required:
  - Expiry Timer specifies the time between the notification and the user ID expiration. The maximum is 90 days.
  - Recipient defines the email address or TSO user ID for notification. Select the type from the list and enter the address or ID in the box.
  - Click Add New Recipient to add additional email or TSO recipients.
  - Remove a recipient by deleting their email or TSO user ID. If the fields are empty, they are not processed.
- (Optional) To receive notification when the request is approved or rejected, select Send Approval Notification. This applies only to requests that require manager approval.
The dialog box expands to present a box in which you can add the email address to which the notification should be sent.
- In the Email Recipient box, enter an email address:
  - You can enter only a single email address.
  - If you leave this box empty, the address defined for the EmailCustomField parameter of the EmailProfile configuration member for Resident Security Server is used. For more information about the EmailCustomField parameter, see Email configuration parameters (EMAILDEF) in RSS server configuration parameters.
  - If no address is defined for the EmailCustomField parameter and you leave this box empty, no email is sent.
- Click Submit.
Does the request require approval? | What happens next |
---|---|
Yes | The dashboard updates the State to Pending, and the Current Status to Pending approval for the RACF user making the request. It remains in this state until the request is approved. |
No | If the user ID is from a user pool project, the Generate Breakglass Password dialog box is displayed. Proceed to Task 5—To set a password for user pool IDs. If the user ID is from a self-elevation project, you can begin using your elevated rights. |
(SPE2107) (Multi-system configurations only) For both user pool and self-elevation projects, if the user ID state changes to ConflictingStatus:
- A View Status button appears to the right of the table row.
- When you click View Status, the Environmental Status dialog box appears displaying the statuses of the systems included in the request.
- Set Password buttons appear only next to systems that are available. Proceed to Task 5—To set a password for user pool IDs.
Task 3—To approve a pending user ID request
This procedure is slightly different in a multi-system configuration.
- Click Approve to the right of the table row containing the required user ID.
Depending on the project type, the Authorize Breakglass Access Request (user pool ID) or Authorize Breakglass Upgrade Request (self-elevation) dialog box appears. Review the details of the request.
- (Multi-system configurations only) You can see the list of systems for which the user has requested access, but you cannot modify the selections.
- (Optional) Modify the timeframe for using the ID. The option that appears depends on the format selected by the user who submitted the request.
  - Access Duration provides immediate access upon activation for the specified days, hours, or minutes.
  - Access Window provides access for a specific period only. You must specify both a start date and time, and an end date and time.
- In the Password for box next to your user ID, enter your RACF password.
(Multi-system configurations only) You must enter a password for each system in the request. You can enter them individually or duplicate them by clicking Duplicate Password.
- To authorize the request, click Approve. The dashboard updates the State of the selected user ID to Approved and the Current Status to Pending acceptance.
- To reject the request, click Refuse.
- To exit the dialog box without making any changes, click Close.
Approving requests
Most access requests require approval.
- Only manager-level users can approve requests.
- Requests awaiting approval are in the Pending or ConflictingStatus state.
- Projects enabled with email notification inform the manager (approver) that a request is pending.
- Those with the appropriate access can see at any time which user IDs need approval by logging on to the dashboard.
You can use the Approver parameter, when creating a Security Breakglass project, to automatically notify the specified approver when a request is pending. For example, if you enter the email address of your support mailbox, the request can be approved by one of many available approvers. For more information about the Approver parameter, see Configuring Breakglass projects.
Approving requests in a multi-system configuration
The options that you are presented with change according to the available systems.
- If the request is in a conflicted status, a View Status button appears to the right of the table row instead of an Approve button.
- When you click View Status, the Environmental Status dialog box appears displaying the statuses of the systems included in the request.
- Approve buttons appear next to any systems that are available to be approved.
Task 4—To accept an approved user ID
After a manager approves a user ID request, users refreshing their dashboard see that the button to the right of the row has changed.
This procedure is slightly different in a multi-system configuration.
- Click Accept next to the table row containing the user ID.
  - If the user ID is from a user pool, the Generate Breakglass Password dialog box appears. Proceed to Task 5—To set a password for user pool IDs.
  If the request uses an Access Window and the start time has not begun, a message appears telling you when the window starts. To exit the message, click Close. The Accept button changes to View until the start of the access window. When the access window starts, the button changes to Set Password. Proceed to Task 5—To set a password for user pool IDs.
  - If the user ID is for self-elevation, the Confirm Breakglass Upgrade dialog box appears.
- Enter your RACF password.
(Multi-system configurations only) You must enter a password for each system in the request. You can enter them individually or duplicate them by clicking Duplicate Password.
- Perform one of the following steps:
  - To accept the user ID, click Submit. The dashboard updates the State of the selected user ID to InUse and the Current Status to In Use by for the RACF user who requested the ID.
  - To cancel the request and return the user ID unused, click Cancel Request.
  - To exit the dialog box without making any changes, click Close.
Accepting an approved user ID
Notifications can be set for approved requests.
- If the project is enabled with email notification, the user receives an email that the request is approved.
- If the user specified an email address in the Send Approval Notification box when submitting the request, the email recipient is notified if the request was approved or rejected. For more information, see Task 2—To request a user ID, substep 8.
Accepting an approved user ID in a multi-system configuration
The options that you are presented with change according to the available systems.
- If the request is in a conflicted status, a View Status button appears instead of an Accept button.
- When you click View Status, the Environmental Status dialog box appears displaying the statuses of the systems included in the request.
- Accept buttons appear next to any systems that are available to be accepted.
Task 5—To set a password for user pool IDs
When you submitted your user ID request, you clicked one of the following buttons:
- Submit, if the user ID is from a project with automatic approval
- Accept, if the user ID is from a project that requires a manager's approval
- Set Password, if the user ID is from a project that requires a manager's approval and you defined an Access Window for the request, or (Multi-system configurations only) if the user ID is in a conflicted status
The Generate Breakglass Password dialog box appears.
To begin using the elevated rights of your temporary user ID, you need to set a password for the ID.
(SPE2107) (Multi-system configurations only) You must enter a password for each system in the request. You can enter them individually or duplicate them by clicking Duplicate Password.
- In the Password for box, enter your RACF password.
- In the New Password for box, enter the temporary password for the user ID.
- In the Confirm New Password for box, confirm the temporary password for the user ID.
- Perform one of the following actions:
  - To begin using the ID, click Submit.
  - To cancel the request and return the user ID unused, click Cancel Request.
  - To exit the dialog box without making any changes, click Close.
The dashboard updates the State of the selected user ID to InUse and the Current Status to In Use by your RACF ID, as the user who requested the ID. If the user ID is from a project that is enabled with email notification, the manager who approved the request receives an email that the ID was accepted. You can now begin using your elevated rights.
The password is valid only for the time defined in the user ID request after the user has set the password and activated the user ID. When the time period expires or if the request is released, the password is reset to an unknown value. If REVOKE was specified for the AccessRetention parameter in the Security Breakglass configuration member, the user ID is flagged as revoked in RACF when not in use. For more information, see Administering.
Task 6—Releasing a user ID
All user IDs have a defined duration. When the duration expires, the IDs are revoked automatically. If a task is completed early, you can release the user ID back into the pool or project.
- Click Release to the right of the table row containing the user ID that you want to return.
The Confirm Breakglass Access Release of dialog box appears.
- Perform one of the following actions:
  - To release the ID back into the pool or project, click Submit.
  - To exit the dialog box without releasing the ID, click Close.
The button to the right of the row changes from Release to Request.
If the user ID is from a project that is enabled with email notification, the manager who approved the request receives an email that the ID was released.
(SPE2107) (Multi-system configurations only) Release buttons might also appear in a View Status dialog box for user IDs with multiple systems.
Task 7—Resolving a conflicting status (Multi-system configurations only)
When you work across multiple systems, sometimes systems are unavailable or a request to access a system fails. Security Breakglass tracks the state of both local and remote systems. If a system reports an unexpected status, the Dashboard displays a ConflictingStatus state.
- Click View Status next to the user ID and open the Environmental Status dialog box in which you can view the statuses of each system included in the request.
- Use the Action buttons Approve (for managers), Accept or Set Password (for users) to continue with the request.
- Click Request to retry systems that have failed elevation.
- Contact the system administrator for any systems that continue to fail. Either the system is down or the user does not have authorization for that system.
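The request, approve, accept and release lifecycle that Tasks 2 through 6 walk through, together with the concurrent-mode rule for self-elevation projects, modelled as an added example (not BMC product code). The State, Current Status, button and user-level names come from this page; the "Available" starting state, the requester-only Accept check and the exact transition rules are assumptions.

```python
"""Constructed model of the Security Breakglass user-ID lifecycle (not product code).
Names come from the page; the 'Available' state, requester-only Accept and transitions are assumed."""
from dataclasses import dataclass

# Which user level may press each button (from the Action buttons table; Release is "Both")
ALLOWED = {"Request": {"User"}, "Approve": {"Manager"}, "Accept": {"User"},
           "Set Password": {"User"}, "Release": {"User", "Manager"}}

@dataclass
class BreakglassID:
    user_id: str
    needs_approval: bool = True   # False models a project with automatic approval
    state: str = "Available"      # assumed name for a pool ID nobody has requested
    status: str = ""
    change_id: str = ""
    requester: str = ""

    def action(self, button: str, actor: str, level: str, change_id: str = "") -> str:
        """Apply one dashboard button press; returns the new State or raises."""
        if level not in ALLOWED.get(button, set()):
            raise PermissionError(f"{level}-level user cannot use {button}")
        if button == "Request" and self.state == "Available":
            if not 1 <= len(change_id) <= 15:
                raise ValueError("Change ID must be 1 to 15 characters")
            self.change_id, self.requester = change_id, actor
            if self.needs_approval:
                self.state, self.status = "Pending", f"Pending approval for {actor}"
            else:  # automatic approval: straight to password setting / acceptance
                self.state, self.status = "Approved", "Pending acceptance"
        elif button == "Approve" and self.state == "Pending":
            self.state, self.status = "Approved", "Pending acceptance"
        elif button in ("Accept", "Set Password") and self.state == "Approved":
            if actor != self.requester:  # assumption: only the requester accepts
                raise PermissionError("only the requester can accept this ID")
            self.state, self.status = "InUse", f"In Use by {self.requester}"
        elif button == "Release" and self.state == "InUse":
            # password is reset to an unknown value and the ID returns to the pool
            self.state, self.status, self.change_id, self.requester = "Available", "", "", ""
        else:
            raise ValueError(f"{button} is not valid in state {self.state}")
        return self.state

def self_elevation_blocked(active_concurrent_modes: list, new_concurrent: bool) -> bool:
    """Concurrent-mode rule: with a self-elevation project already active, a new one is
    refused if any active project or the new project has ConcurrentMode = False."""
    if not active_concurrent_modes:
        return False
    return (not new_concurrent) or (not all(active_concurrent_modes))
```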