Administering


This section describes the resource profiles, RACF groups, TSS profiles, ACF2 masks, and user IDs that Security PAM relies on, and the SMF records it writes.

Resource profiles and groups

BMC AMI Security Privileged Access Manager uses resource profiles to manage access and permissions for projects, groups, and user IDs. Security PAM automatically converts profile and group names to uppercase to prevent RACF conflicts.

The resource profiles are defined in the BGLASS member of the BMC AMI Resident Security Server configuration file. For more information, see the Security PAM topic Configuring after installation.

Important

The resource profiles and groups associated with Security PAM are only for controlling Security PAM processing. Do not associate them with any additional system privileges. Do not use them to perform any kind of system maintenance or access system information.

Resource profiles

Security PAM resource profiles define the access level required to request user IDs from a particular project. Use the ESMProfile parameter to indicate which resource profile applies to the project. If you omit ESMProfile, the project default is RSM.RSS.projectName.

  • Resource profiles are defined in the FACILITY class by default. You can use an alternate class by specifying it in the ClassName parameter of the RSS configuration member.
  • To request access to a project (user level), users must have READ access to the resource profile.
  • To approve access to a project (manager level), users must have ALTER access to the resource profile.

RACF groups

Every Security PAM project running on a RACF system must have an associated RACF group. Use the RACFGroup parameter to indicate the name of the group you want associated with the project. If you omit RACFGroup, the default is the project name.

You cannot define a Security PAM RACF group as a universal group.

RACF groups are used as follows:

  1. User IDs defined for a particular project must be connected to the group defined for that project. No other user IDs should be connected to that group.
  2. If the CommandUserID parameter is defined as Group, the user ID that owns the group must have the RACF SPECIAL attribute.

TSS profiles

Use the TSSProfile parameter to indicate the name of the profile that you want to associate with the project. If you omit TSSProfile, the default is the project name.

User IDs defined for a particular project must be connected to the profile defined for that project. No other user IDs should be connected to that profile.

ACF2 mask

Use the ACF2Mask parameter to indicate the UID mask that is used to select user IDs for this project. This parameter is required for ACF2 projects. Because ACF2 identifies users by the fields of the UID string, you might want to group your Security PAM users together in the same DEPARTMENT, DIVISION, or LOCATION. Security PAM lets you select on one or more of these fields through the UID mask.

For example, if your Security PAM users all belong to the 'PAM' department, and this value occupies characters five to seven of your UID string, you would code the ACF2Mask as <****PAM>.

Before implementing Security PAM, an administrator should run the LIST UID(uidmask) command with the intended mask and confirm that it returns exactly the user IDs that belong to the project and no others.

User IDs

When creating Security PAM user IDs, consider the following points:

  • User IDs should be assigned only the privileges required for the intended system maintenance.
  • The user ID is displayed in the Security PAM status panels, so give it a meaningful name.
  • The user ID must be connected to the RACF group or TSS profile associated with the project, or match the ACF2 UID mask associated with the project.

Resource Profiles for Security PAM

To request a Security PAM ID, users must have at least READ access to the RACF resource RSM.RSS.BGLASS. By default, this resource is defined in the FACILITY class. We highly recommend that you specify UACC(NONE) for RSM.RSS.BGLASS so that no user obtains request authority by default.

If you choose to define RSM.RSS.BGLASS in a class other than FACILITY, for the slight performance benefit of using a dedicated class, ensure that you specify that class in the ClassName parameter in the RSS configuration member. For more information, see the RSS topic Configuring after installation.

RSM.RSS.BGLASS controls whether a user can request a Security PAM ID at all. It does not define the permissions of the Security PAM ID itself.

Parameter              Description
RSM.RSS.projectName    Name of the Security PAM project from which the user can make requests

Make sure the user has the proper access according to their role:

  • READ access for users who can request project IDs.
  • ALTER access for managers and users who can approve requests for project IDs (ALTER includes READ).
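The RACF definitions described under Resource profiles, RACF groups, and Resource Profiles for Security PAM, combined into one batch TSO job. This is an example added for this page, not code shipped with Security PAM, and the project name PAMPROJ, the requester and approver groups PAMREQ and PAMAPPR, the project user IDs PAMU01 and PAMU02, the group owner PAMOWN, and the profile owner SYS1 are all hypothetical. The matching ESMProfile and RACFGroup entries in the BGLASS member are not shown because the page does not give that member's syntax.

```jcl
//PAMRACF  JOB (ACCT),'SECURITY PAM SETUP',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*
//* Example for this page; all names below are hypothetical.
//* - RSM.RSS.BGLASS gates the right to request any Security PAM ID.
//* - RSM.RSS.PAMPROJ is the default ESMProfile for project PAMPROJ:
//*   READ lets a user request, ALTER lets a manager approve.
//* - Both profiles get UACC(NONE) so nobody is authorized by default.
//* - ADDGROUP without UNIVERSAL creates a non-universal group, as the
//*   page requires; the group is never permitted to any other resource.
//*
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY RSM.RSS.BGLASS UACC(NONE) OWNER(SYS1) -
          DATA('SECURITY PAM: AUTHORITY TO REQUEST A PAM ID')
  RDEFINE FACILITY RSM.RSS.PAMPROJ UACC(NONE) OWNER(SYS1) -
          DATA('SECURITY PAM PROJECT PAMPROJ')
  PERMIT RSM.RSS.BGLASS CLASS(FACILITY) ID(PAMREQ PAMAPPR) ACCESS(READ)
  PERMIT RSM.RSS.PAMPROJ CLASS(FACILITY) ID(PAMREQ) ACCESS(READ)
  PERMIT RSM.RSS.PAMPROJ CLASS(FACILITY) ID(PAMAPPR) ACCESS(ALTER)
  ADDGROUP PAMPROJ SUPGROUP(SYS1) OWNER(PAMOWN) -
          DATA('SECURITY PAM PROJECT GROUP - NO OTHER USE')
  CONNECT (PAMU01 PAMU02) GROUP(PAMPROJ) AUTHORITY(USE)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY RSM.RSS.BGLASS AUTHUSER
  RLIST FACILITY RSM.RSS.PAMPROJ AUTHUSER
  LISTGRP PAMPROJ
/*
```

The SETROPTS RACLIST(FACILITY) REFRESH step is needed only if the FACILITY class is RACLISTed on your system, which it normally is; without the refresh the new profiles are not seen by authorization checks. The two RLIST commands and LISTGRP print the access lists and group membership so you can confirm that only PAMREQ and PAMAPPR appear on the profiles and only the project's user IDs are connected to PAMPROJ. If you set CommandUserID to Group, the owner PAMOWN must additionally hold the SPECIAL attribute, which is a separate ALTUSER decision and is deliberately not included here.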

Security PAM SMF data

The default SMF record type used to identify Security PAM records is 175. This default is used if no SMF type is defined in the Global configuration parameters for RSS. If you choose to define an SMF type for RSS, we recommend that you use a number between 128 and 255 (the range reserved for user records) that is not already used by another product on your system and that SMF is configured to collect.

Security PAM uses a standard SMF record header with subtypes. For more information, see Table 2 in the IBM Knowledge Center topic: Standard and Extended SMF record headers.

The Security PAM SMF fields are as follows:

Description            Type    Length
Request Description    Char    16
Change ID              Char    16
Change Description     Char    64
Project                Char    8
Project Description    Char    32
User ID                Char    8
User Name              Char    32
Requester ID           Char    8
Requester Name         Char    32
Approver               Char    8
Approver Name          Char    32
Audit Log ID           Char    24
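An added example of extracting the Security PAM records for review, using IBM's IFASMFDP SMF dump utility with the page's default record type 175. This job is written for this page and is not part of Security PAM; the input data set SYS1.MAN1, the output data set PAM.SMF175, the system ID SYS1, and the date range are all hypothetical and must be replaced with your own values.

```jcl
//PAMSMF   JOB (ACCT),'DUMP PAM SMF',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Example for this page; data set names, SID and dates are made up.
//* Copies only type 175 records (the page's default for Security PAM)
//* written by system SYS1 during January 2024 into a separate data set
//* that an auditor can read with a SMF formatter or a REXX/SORT job.
//* OPTIONS(DUMP) reads without clearing; never use OPTIONS(CLEAR) on a
//* shared SMF data set from an ad-hoc job.
//*
//DUMP     EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=*
//SMFIN    DD DSN=SYS1.MAN1,DISP=SHR
//SMFOUT   DD DSN=PAM.SMF175,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(10,5),RLSE),
//            DCB=(RECFM=VBS,LRECL=32760,BLKSIZE=0)
//SYSIN    DD *
  INDD(SMFIN,OPTIONS(DUMP))
  OUTDD(SMFOUT,TYPE(175))
  SID(SYS1)
  DATE(2024001,2024031)
/*
```

Records of type 175 appear in the output only if SMF is collecting that type: the SYS(TYPE(...)) list in the active SMFPRMxx member must include 175 (or whatever type you configured for RSS). If RSS was given a different type, change TYPE(175) accordingly; and if your installation writes SMF to log streams rather than MANx data sets, use IFASMFDL with the same OUTDD and TYPE selection instead of IFASMFDP.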
