Getting started

BMC AMI Security Privileged Access Manager is one of a suite of products that runs under the control of RSS.

There are times when authorized users require elevated privileges, which are controlled by external security managers (ESM), like IBM Resource Access Control Facility (RACF), CA Access Control Facility 2 (ACF2), and CA Top Secret Security (TSS), to perform specific application or system changes. For certain critical or sensitive systems, having one or more users with permanent access privileges is a potential security risk.

Security PAM enables users who do not have system privileges on a permanent basis to request elevated privileges when required. All Security PAM activity is fully audited and can be associated with change control requests.

BMC AMI Security Privileged Access Manager provides multiple methods for accessing and grouping the temporary system privileges that you can request.

Access modes

You can access Security PAM by using the following modes: 

  • User ID pools
  • Self-elevation

You can use both modes in a single instance of Security PAM.

User ID pools

Users get access to a temporary user ID from a predefined pool. You create user IDs in the ESM database, each of which is assigned the necessary permissions to perform a specific system maintenance role.

IDs in the pool are kept in a revoked state, with an unknown password. When an authorized user wants to perform a controlled function, they receive access to the appropriate user ID from the pool and can set a temporary password. When the authorized user releases the ID or after a preconfigured time, the user ID permissions are revoked and the password is reset to an unknown value.

Self-elevation

Users can have their own user ID privileges temporarily elevated. You grant them membership to privileged resources (for example RACF groups), each having the necessary permissions to perform a specific system maintenance role.

After a preconfigured time, the privileges are revoked and the user ID is disconnected from the privileged resources.

Projects

Access modes for both user ID pools and self-elevation are arranged in projects.

For example, you can define a project for a system programming activity, such as z/OS maintenance or CICS maintenance. You can associate multiple user IDs with the project and each ID can have different privileges.

You can then define another project with application-level maintenance activities and create a different set of user IDs and privileges for that project.

Users authorized to request access must also be authorized for the project. This allows for a high granularity in controlling the level of access users can request, and for what purpose.

User levels

Security PAM supports two levels of users:

  • User—permitted to receive and request permission to elevate their privileges to perform specific system actions.
  • Manager—permitted to authorize requests submitted by users.

User level is decided based on the privileges assigned to the user ID used to sign in to Security PAM. These privileges are controlled by ESM security protections.

User IDs

Security PAM supports two types of user IDs:

  • Logon user ID—used to log on to Security PAM (two levels of users—users and managers)
  • Project user ID—user ID with elevated privileges to perform specific system changes

You log on to Security PAM with your logon user ID. To perform specific system changes, you must request and gain approval for a project user ID that is available in a Security PAM project to which you have access.

Request modes

Security PAM operates in two request modes:

  • Automatic—users are automatically given access to the privileged user IDs without any further authorization.
  • Approval—users must wait until their request is approved by a manager or supervisor.

Request mode is defined in the configuration parameters for each project. You can define a request mode according to the time, day, or week. For example, requests during office hours can be in Approval mode and requests outside of office hours can be in Automatic mode.

Self-managed user ID pools mode projects

(SPE2207)

By default, only a manager can approve user ID requests in a project that is in user ID pools mode, but you can enable users who have access to the same project to approve such requests by using one of the following methods:

Linking a project user ID to a manager-level logon user ID

By linking your project user ID to your manager-level logon user ID, you can request your project user ID as usual. Security PAM considers your logon user ID as a user for your project user ID request, so you cannot approve your own request, but your logon user ID acts as a manager for other project user IDs in the projects to which you have access (but not other projects). This feature helps a project team manage its own elevation requests. For more information, see CSDATAField.

To link a project user ID to a logon user ID, follow these steps:

  1. In the CSDATA segment of the user profile of your logon user ID, create a CSDATA field and specify the project user ID that you want to link in the newly created CSDATA field.
  2. Specify the CSDATA field as the value for the CSDATAField parameter.
Example

Susan, a user in a team of programmers, wants to use a project user ID that is linked to her manager-level logon user ID. To use her linked project user ID, she must request and gain approval from a manager who has access to the project. She can use her logon user ID to approve the elevation requests of other users in the project to which she has access, but not her own request.

Using the UniversalMode parameter

(SPE2301)

When you enable the UniversalMode parameter in a project to which you have access, Security PAM considers your manager-level logon user ID as a user for your project user ID request. Hence, you cannot approve your own request; another manager in your RACF group must approve your request. You can use your manager-level logon user ID to approve project user ID requests raised by other users in the projects to which you have access. For more information, see UniversalMode.

Example

Emily, a user in a team of programmers, wants to use a project user ID. She must request and gain approval from a manager who has access to the project. Using her manager-level logon user ID, she can the approve elevation requests of other users in the projects to which she has access, but not her own request.

Important

You can use this parameter only with projects that have Mode UserPool defined in their configuration member. You cannot use this parameter with projects that have Mode SelfElevation defined in their configuration member.

Validating Security PAM change IDs by using BMC Helix ITSM

(SPE2210)

You can integrate BMC Helix ITSM with Security PAM to validate change IDs in a specific Security PAM project by using BMC Helix ITSM. When a user enters a change ID and submits an elevation request, Security PAM compares this change ID with the change IDs available in BMC Helix ITSM. Only change IDs that are available in BMC Helix ITSM can be used with Security PAM. If the change ID entered is unavailable in BMC Helix ITSM, Security PAM displays an error message.

To validate a change ID by using BMC Helix ITSM , use either a user ID and password, or an authentication token.

Important

Before you begin, make sure that you have a valid user ID and password to access BMC Helix ITSM, which you can use to read change IDs and authentication tokens (to validate REST API requests sent by Security PAM to BMC Helix ITSM .

To validate a change ID using a user ID and password

  1. Create a user ID and password for BMC Helix ITSM and encode them using base64 encoding.
  2. Specify the newly created, base64 encoded user ID and password with the BMCHelixUser and BMCHelixPass parameters.
  3. Define the BMCHelixURL parameter.

To validate a change ID using an authentication token

  1. Log on to BMC Helix ITSM.
  2. Generate an authentication token that can authenticate REST API requests from Security PAM. For information about generating an authentication token, contact BMC Support.
  3. Add the authentication token to a data set in Security PAM and specify that data set with the BMCHelixAuth parameter.
  4. Define the BMCHelixURL parameter.

For more information about BMCHelixAuth, BMCHelixUser, BMCHelixPass, and BMCHelixURL parameters, see Configuring-after-installation.

Where to go from here

If you are a system programmer and want to install and configure Security PAM, see the following topic branches:

To start using Security PAM to request and grant elevated privileges, see Using.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*