Configuring after installation

(SPE2301)

AccessRetention number type REVOKE INACTIVE

(Before SPE2301)

AccessRetention number type REVOKE

Time period to retain access to project resources

Enter the amount of time users can retain their user pool ID or self-elevation privileges.

• number, is the numerical value of time, for example 15 (minutes).
• type, is the unit of measure, which can be either Minutes, Hours, or Days.

The maximum value you can enter is 90 days. Once the time is up, privileges are revoked and any passwords the user created are removed.

If you use REVOKE, the user IDs for the project are flagged as revoked, when not in use, in addition to their passwords being reset. This is helpful for projects with very powerful user IDs and privileges.

The value you enter here is loaded by default into the Duration box for users requesting a user ID.

If you omit type, the default Minutes is used.

(SPE2301) If you use INACTIVE, Security PAM issues an ALU RESUME command to clear the inactive status of the requested user ID. Specifying INACTIVE is similar to setting the AllowInactive parameter to Enable.

Indicates the uidMask used to select users for a Security PAM project

This parameter is required for ACF2 projects. For more information, see ACF2 mask.

AllowInactive Enable|Disable

(SPE2204)

When the product runs on a RACF system, it issues an ALU RESUME command to clear the inactive status of the requested user ID.

The default is Disable.

(SPE2301) Setting the AllowInactive parameter to Enable is similar to specifying the INACTIVE keyword with the AccessRetention parameter.

AllowRepeatedRequests All|Unique|None

(SPE2207)

Make multiple requests against your own linked user ID. Select one of the following options:

• All—approves all requests and does not validate the request for duplicate environments
• Unique—approves all requests that does not match a previous set of systems. Your request for the same user ID is approved, but if you request the same set of systems, the request is rejected.
• None—rejects repeated requests.

The default is None.

Approver type value

(Optional) TSO user ID or email address of the person who will approve access requests for the project

This parameter is useful for sending notifications to support mailboxes or to a mailing list of approvers. Notification is not sent for automatic approvals.

• type indicates how the approver is notified:
  
  • EMAIL specifies the email address of the approver.
  • TSO specifies the TSO user ID of the approver.
• value contains the corresponding email or TSO user ID.

AutoGeneratedPassword On|Off|Overwrite Email

(SPE2210)

Determines whether to automatically generate a random password during the password reset process

(Optional) Enables automatic access-request approval for the specified time period

Users must receive manager approval when requesting user ID pool or self-elevation access. Managers may not always be available when access requests come in. To address such issues you can specify periods of time that approvals are given automatically. For example, on weekends or holidays when a project manager might be traveling or on vacation.

• Enter start and end times in hours and minutes using hh:mm hh:mm.
• Use either WEEKDAYS or WEEKENDS (you can only use one) to specify when the time period occurs.

• Define one or more AutoPeriod parameters as needed for the project.

  Important

  AutoPeriod uses a 24–hour clock. If a time period spans midnight, the start time must be greater than the end time. For example:
  AutoPeriod 23:30 08:30 WEEKDAYS

If you omit AutoPeriod, the default is that manager approval is required for all access requests.

BMCHelixAuth dataSet

(SPE2210)

Name of the data set containing the authentication token that is used to authenticate the change ID validation request sent from Security PAM to the BMC Helix ITSM instance

For more information, see Validating Security PAM change IDs by using BMC Helix ITSM.

BMCHelixUser userID

(SPE2210)

Base64-encoded BMC Helix ITSM user ID that is used to authenticate the change ID validation request sent from Security PAM to the BMC Helix ITSM instance

Make sure that the user ID that you specify with this parameter has the required permissions to read change IDs in BMC Helix ITSM. For more information, see Validating Security PAM change IDs by using BMC Helix ITSM.

BMCHelixPass password

(SPE2210)

Base64-encoded password for the BMC Helix ITSM userID

BMCHelixURL url

(SPE2210)

Endpoint URL for sending the REST API requests from Security PAM

If your endpoint URL is https://exampleurl.com , then specify it as exampleurl.com.

For more information, see Validating Security PAM change IDs by using BMC Helix ITSM.

User ID for issuing commands

Ensure that the user ID for the specified value has sufficient privileges to issue the necessary commands.

• Job, issues commands under the user ID for the started task running Security PAM.
• Group, issues commands under the owning user ID for the group or profile associated with the project. On non-RACF installations, we recommend to use Job .

If you omit CommandUserID, the default Job is used.

CommentField Enable|Disable

(SPE2304)

Determines whether users must mandatorily enter a comment in the Comment box on the Confirm PAM Access Request modal window

If you omit CommentField, the default Disable is used.

ConnectACF2 priv1 priv2 priv3 ...

ConnectGroup group1 group2 group3 ...

ConnectProfile profile1 profile2 profile3 ...

(For self-elevation projects only) Names of the user-access ESM resources associated with the project

ESM user-access resources provide projects with access to required system resources. These are primarily in the form of RACF groups, TSS profiles, and ACF2 departments. Projects created for self-elevation can connect to multiple resources, providing a wide range of access for the user. You can define multiple resources for a single Connect parameter or you can use multiple Connect parameters instead.

In addition, when operating Security PAM on a RACF or TSS system, users are connected automatically to the RACF group or TSS profile defined specifically for the project via the RACFGroup or TSSProfile keyword. For more information, see RACF groups and TSS profiles.

ACF2 supports additional processing with this keyword because of the flexibility of ACF2 installations and the various differences in the organization structure. The ConnectACF2 parameter supports any string of the format parameter(value) and two special keywords: ACCOUNT and SECURITY. The parameter options are those defined for your organization's UID string. To find the parameter, issue a LIST userid ACF2 command. The output for the command is as follows: DIV(XXX) ENDVRDEF( ) JTTL() LOC() SECT() STAFFID( )
In this example, the available options are DIV, ENDVRDEF, JTTL, LOC, SECT, and STAFFID. ACF2 administrators can then use any of these options to filter access to the required resources.

(SPE2301) You can specify up to 24 ACF2 departments, RACF groups, and TSS profiles with ConnectACF2, ConnectGroup, and ConnectProfile. If you exceed this limit, Security PAM ignores the rest and issues the following error message: Connect group limit exceeded

CSDATAField fieldName

(SPE2207)

Name of the CSDATA field in RACF that has the project user ID that you want to link to a logon user ID

When you define this parameter in a project, a manager must request and gain approval to use a project user ID that is linked to their logon user ID, but the same manager can approve project user ID requests raised by other users in projects to which the manager has access.

This parameter is valid for user ID pools mode projects only. Make sure that the CSDATA field is protected by RACF to prevent unauthorized changes. For more information, see the "Linking a project user ID to a manager-level logon user ID" section in Self-managed user ID pools mode projects.

A sample code to create the CSDATA field follows:

ExpiryNotify type value

(Optional) TSO user ID or email address for project expiry warnings

Use this parameter to notify people when access for any of the project's user IDs is about to expire. First choose the method of notification and then fill in the details:

• type, indicates the how the approver is notified.
  
  • EMAIL, specifies the email address of the approver.
  • TSO, specifies the TSO user ID of the approver.
• value, contains the corresponding contact information
  • For EMAIL, enter the email address of the person you want notified.
  • For TSO, enter the TSO user ID of the person you want to notify or one of the following:
    • USER, sends the notification to the Security PAM user ID requested from the project.
    • REQUESTER, sends the notification to the person who requested the Security PAM user ID from the project.

You can add multiple ExpiryNotify parameters to add multiple email recipients.

(SPE2307) 

If the email address is longer than 64 characters, you can enter it in two lines. To enter an email address in two lines, in the first line, specify the parameter with a + sign at its end and enter the first part of the email address. In the second line, specify the parameter again without a + sign and enter the second part of the email address. You can enter 64 characters in each line. So, you can enter an email address of up to 128 characters.

ExpiryTimer number type

LocalAuthenticate resourceProfileName

(Optional) resource profile containing the list of the users permitted to use local authentication

For use in a multi-system configuration, an access level of READ or higher is sufficient to grant this privilege. Users on the list need to enter their password only once and authenticate on the master system to receive access to all systems in the request.

If you omit LocalAuthenticate, users must enter passwords for each system in the request.

(SPE2210)

Notify activity emailAddress|CSDATA

(Before SPE2210)

Notify emailAddress

(SPE2210)

(Optional) Sends a notification to the specified email address when the specified project activity occurs

Typically, you would enter the project manager's email address to trigger notification to that address from users. To add multiple email recipients, define multiple Notify parameters with the required email addresses.

(Before SPE2210)

Sends a notification to the specified email address for any of the following project activities:

• Elevation requested
• User ID released
• Elevation request canceled
• User ID active
• User ID expired
• Elevation request not authorized

(SPE2307) 

If the email address is longer than 64 characters, you can enter it in two lines. To enter an email address in two lines, in the first line, specify the parameter with a + sign at its end and enter the first part of the email address. In the second line, specify the parameter again without a + sign and enter the second part of the email address. You can enter 64 characters in each line. So, you can enter an email address of up to 128 characters.

NotifyURL protocol domain

(SPE2301)

(Optional) Adds a URL to the notification email that users receive when performing a project activity. The URL redirects users to the BMC AMI Security Logon window. This parameter takes the following values:

• protocol is the network protocol that is prefixed in the URL. Specify one of the following values:
  • HTTP—The browser creates an insecure connection to the product.
  • HTTPS—(Default) The browser creates a secure connection to the product.
• domain is the domain name in the URL. Specify one of the following values:
  • IP—Security PAM provides the IP address from the IPAddress parameter (defined in the RSS HTTPServer block). If the IPAddress parameter is not defined, Security PAM uses the local TCP/IP stack IP address.
  • Host—(Default) Security PAM resolves the IP address to a host name
  • (SPE2304) hostName—User-specified host name

RestrictRelease Yes|No

(SPE2210)

Denies a user the privilege of releasing other user IDs that are in the same project

The default is No.

SystemList systemName1 systemName2 systemName3 ...

(Optional) Names of servers defined for the project

This parameter applies if you use Security PAM in a multi-system configuration. Specify one or more servers that user pool or self-elevation IDs associated with the project can access. When a user requests an ID from the project, their authorization to access these servers is verified.

You must make sure that all servers defined for this parameter are also defined in the PAMServers configuration block.

The total list of systems for this parameter always includes the local system on which the master instance is installed. You do not need to define it here.

If you omit SystemList, Security PAM runs as a single-system instance.

UniversalMode Yes|No

(SPE2301)

Determines whether Security PAM should allow a manager to act as a user when requesting a project user ID

When you enable this parameter in a project, to use a project user ID, a manager must request and gain approval. The same manager can approve project user ID requests raised by other users in projects to which the manager has access.

User IDs for managers must have ALTER access.

User IDs for users only must have READ access.

You can use this parameter only with projects that have Mode UserPool defined in their configuration member. You cannot use this parameter with projects that have Mode SelfElevation defined in their configuration member. It is mutually exclusive with the CSDATAField parameter—if you define both these parameters, Security PAM considers the CSDATAField configuration only and ignores UniversalMode. For more information, see the "Using the UniversalMode parameter" section in Self-managed user ID pools mode projects.