Configuring ESM definitions


External security manager (ESM) definitions control which users can use the BMC AMI Security Policy Manager services. At a minimum, the ESM definitions require access to the following items:

  • Connect to the HTTP interface
  • Use the Tools menu


The following definitions control access to the Security Policy Manager server and the initial menu selection available. You must define the profiles and rules (depending on the ESM) in the default FACILITY class or in the class defined in the Security Policy Manager configuration parameters.

ESM profiles

  • RSM.RSS.LOGIN (READ access): Access is required for all users who are authorized to log in to the HTTP interface.
  • RSM.RSS.TOOLS (READ access): Access is required for all users who are authorized to use the Tools features. Users can use the Tools features to issue commands and drive Security Policy Manager REXX from the browser.
  • RSM.RSS.SPM, or RSM.RSS.ZDETECT before SPE2107 (READ access): When more than one product from the RSS family of products is installed, this access enables the application to appear in the product selection screen after logging in.
  • RSM.RSS.BATCH (READ access): Access is required for all users who need to run the ZDTBATCH batch utility. For RACF and TSS, you must specify the access.
  • BMC.RSS.SPMCOMP (READ access or UPDATE access): READ enables users to view the compliance queries from the browser. UPDATE enables users to change the compliance queries from the browser.
  • BMC.RSS.SPMIMPRT: Import a custom table.
  • BMC.RSS.SPM (READ access): Access is required for all users who need to run the ZDTBATCH batch utility. For RACF and TSS, you must specify the access.

To control access to BMC AMI Resident Security Server and Security Policy Manager

Use the following examples as a guide when you define the access in your ESM:

Examples of RACF profiles

The following example displays the syntax for RACF profiles for BMC AMI Resident Security Server:

RDEFINE FACILITY RSM.RSS.LOGIN owner(<owner>)
RDEFINE FACILITY RSM.RSS.TOOLS owner(<owner>)
RDEFINE FACILITY RSM.RSS.SPM   owner(<owner>)
RDEFINE FACILITY RSM.RSS.BATCH owner(<owner>)

PERMIT RSM.RSS.LOGIN CLASS(FACILITY)  ID(<userID>) ACCESS(READ)
PERMIT RSM.RSS.TOOLS CLASS(FACILITY)  ID(<userID>) ACCESS(READ)
PERMIT RSM.RSS.SPM   CLASS(FACILITY)  ID(<userID>) ACCESS(READ)
PERMIT RSM.RSS.BATCH CLASS(FACILITY)  ID(<userID>) ACCESS(READ)

SETROPTS REFRESH RACLIST(FACILITY)

The following example displays the syntax for RACF profiles for Security Policy Manager:

RDEFINE FACILITY BMC.RSS.SPMCOMP  owner(<owner>)
RDEFINE FACILITY BMC.RSS.SPMIMPRT owner(<owner>)
RDEFINE FACILITY BMC.RSS.SPM      owner(<owner>)

PERMIT BMC.RSS.SPMCOMP  CLASS(FACILITY) ID(<userID>) ACCESS(UPDATE)
PERMIT BMC.RSS.SPMCOMP  CLASS(FACILITY) ID(<userID>) ACCESS(READ)
PERMIT BMC.RSS.SPMIMPRT CLASS(FACILITY) ID(<userID>) ACCESS(READ)
PERMIT BMC.RSS.SPM      CLASS(FACILITY) ID(<userID>) ACCESS(READ)

SETROPTS REFRESH RACLIST(FACILITY)

Replace the following placeholders:

  • <owner>—RACF owner for the resource
  • <userID>—RACF user identifier that is granted access to Security Policy Manager
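The RACF commands above grant one user at a time. The following added example (not BMC's own tooling) generates the same RDEFINE/PERMIT/SETROPTS sequence from a role-to-user mapping and refuses to emit a permit that exceeds the access level the table on this page lists for a profile, so UPDATE can only ever land on BMC.RSS.SPMCOMP. The role names and user IDs are hypothetical; the class is assumed to be FACILITY.

```python
# Added example: role-based generation of the RACF FACILITY definitions
# described on this page, with a least-privilege check. Not BMC code.

# Highest access level each profile needs, taken from the ESM profiles table.
MAX_ACCESS = {
    "RSM.RSS.LOGIN": "READ",
    "RSM.RSS.TOOLS": "READ",
    "RSM.RSS.SPM": "READ",
    "RSM.RSS.BATCH": "READ",
    "BMC.RSS.SPMCOMP": "UPDATE",   # only profile where UPDATE is meaningful
    "BMC.RSS.SPMIMPRT": "READ",
    "BMC.RSS.SPM": "READ",
}
RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Hypothetical roles (assumption, not from the page): (profile, access) pairs.
ROLES = {
    "viewer":   [("RSM.RSS.LOGIN", "READ"), ("RSM.RSS.SPM", "READ"),
                 ("BMC.RSS.SPMCOMP", "READ")],
    "editor":   [("RSM.RSS.LOGIN", "READ"), ("RSM.RSS.SPM", "READ"),
                 ("BMC.RSS.SPMCOMP", "UPDATE"), ("BMC.RSS.SPMIMPRT", "READ")],
    "operator": [("RSM.RSS.LOGIN", "READ"), ("RSM.RSS.TOOLS", "READ"),
                 ("RSM.RSS.BATCH", "READ")],
}


def excessive_permits(permits):
    """Return (user, profile, access) tuples that exceed MAX_ACCESS or
    name a profile this page does not define."""
    bad = []
    for user, profile, access in permits:
        needed = MAX_ACCESS.get(profile)
        if needed is None or RANK[access] > RANK[needed]:
            bad.append((user, profile, access))
    return bad


def racf_commands(owner, assignments, class_name="FACILITY"):
    """assignments maps userid -> role. Returns the RACF command lines."""
    permits = [(u, p, a) for u, role in assignments.items() for p, a in ROLES[role]]
    bad = excessive_permits(permits)
    if bad:
        raise ValueError(f"permits exceed required access: {bad}")
    profiles = sorted({p for _, p, _ in permits})
    lines = [f"RDEFINE {class_name} {p} owner({owner})" for p in profiles]
    lines += [f"PERMIT {p} CLASS({class_name}) ID({u}) ACCESS({a})" for u, p, a in permits]
    lines.append(f"SETROPTS REFRESH RACLIST({class_name})")  # activate the changes
    return lines
```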

Example of TSS definitions

The following example displays the syntax for TSS definitions for BMC AMI Resident Security Server:

TSS ADDTO(MASTER) IBMFAC(RSM.RSS.)
TSS PERMIT(<userID>) IBMFAC(RSM.RSS.LOGIN) ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(RSM.RSS.TOOLS) ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(RSM.RSS.SPM)   ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(RSM.RSS.BATCH) ACCESS(READ)

The following example displays the syntax for TSS definitions for Security Policy Manager:

TSS ADDTO(MASTER) IBMFAC(BMC.RSS.)
TSS PERMIT(<userID>) IBMFAC(BMC.RSS.SPMCOMP)  ACCESS(UPDATE)
TSS PERMIT(<userID>) IBMFAC(BMC.RSS.SPMCOMP)  ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(BMC.RSS.SPMIMPRT) ACCESS(READ)
TSS PERMIT(<userID>) IBMFAC(BMC.RSS.SPM)      ACCESS(READ)

Replace the <userID> placeholders with the TSS user identifier that is granted access to Security Policy Manager.

Example of ACF2 rules (SPE2107)

The following rule sample displays the syntax for ACF2 rules for BMC AMI Resident Security Server:

$KEY(RSM) TYPE(FAC)
$USERDATA(BMC AMI Security Policy Manager)
RSS.LOGIN    UID(<userID>) SERVICE(READ) ALLOW
RSS.TOOLS    UID(<userID>) SERVICE(READ) ALLOW
RSS.SPM      UID(<userID>) SERVICE(READ) ALLOW
RSS.BATCH    UID(<userID>) SERVICE(READ) ALLOW
- UID(NOACCESS) PREVENT
- UID(*) PREVENT

The following rule sample displays the syntax for ACF2 rules for Security Policy Manager:

$KEY(BMC) TYPE(FAC)
$USERDATA(BMC AMI Security Policy Manager)
RSS.SPMCOMP  UID(<userID>) SERVICE(UPDATE) ALLOW
RSS.SPMCOMP  UID(<userID>) SERVICE(READ) ALLOW
RSS.SPMIMPRT UID(<userID>) SERVICE(READ) ALLOW
RSS.SPM      UID(<userID>) SERVICE(READ) ALLOW
LOG
- UID(NOACCESS) PREVENT
- UID(*) PREVENT

Replace the <userID> placeholders with the ACF2 user identifier portion of the UID that is granted access to Security Policy Manager.

Where to go from here

After configuring ESM definitions, define the started task to the ESM.
