Using


This topic describes tasks that you can perform using the BMC AMI Security Privileged Access Manager product:

Task 1—To log on to Security PAM

What you see might vary depending on the installed products.

  1. In a web browser, enter https://systemName:port, substituting the values as determined by your installation and the RSS configuration.
  2. In the BMC AMI Security Logon window, enter your user ID and password and click Log On.
    The Product Selection menu appears.

    Important

    If you do not have the required level of authority to log on to RSS, your connection might be rejected, even if your user ID and password are correct.

  3. Click the Security PAM Launch button. 
    The Security PAM dashboard displays the projects that you have access to.

Security PAM dashboard

You can use the buttons at the top of the dashboard to perform the following actions:

Button                    Action
Menu                      Return to the Product Selection menu
Refresh status            Display the latest project statuses
Status report (SPE2207)   Display the status of elevation requests
Sort projects             Sort projects and requests based on the selected option
Log Off                   Exit Security PAM and the BMC AMI Security product group

Security PAM projects

Each project has its own status table that lists the user IDs assigned to that project.
The project status table provides the following information:

UserID
  Unique identifier of the temporary user ID to which special privileges are assigned.
  For user pool projects, all user IDs in the pool are displayed. For self-elevation projects, only user IDs currently upgraded with special privileges are displayed.

User Description
  Taken from the NAME field of the user profile.

State
  Current state of the user ID. The possible states are:

  Ready
    The user ID is available for use.
  Pending
    The user ID was requested and is waiting for approval by a manager.
  AcceptWait
    The request was approved by a manager and is waiting for the user to accept the approved request.
  WindowWait
    The user who requested the user ID clicked Accept and is now waiting for the ID's access window to start.
  PasswordWait
    An approved user ID is waiting for the user who requested it to set the temporary password. This status appears if one of the following conditions exists:
    • A user accepts the approved request but closes the Generate PAM Password window before setting a temporary password.
    • The user ID was in the WindowWait status and now that the access window has started, the user who requested the ID must set a temporary password.
  ConflictingStatus
    (Multisystem configurations only) The status of one or more systems is different from the other systems. The requested ID is for multiple systems, but one or more of the following conditions exists:
    • The user is not authorized on one or more systems.
    • The user input the wrong password for one or more systems.
    • The temporary password is invalid for the user ID.
    • One or more of the systems is currently down.
  Upgrading
    A user is waiting for approval by a manager after requesting a temporary self-elevation of their own user ID.
  InUse
    The user ID is assigned or upgraded and is unavailable to other users.

ChangeID
  Manually entered string associated with a pending or active request.
  Important: This can be an open string or configured to require specific characters.

Comment (SPE2304)
  Displays the text that you entered in the Comment box on the Confirm PAM Access Request modal window that appeared when you requested the project user ID.

Current Status
  Description of the current state of the user ID generated by the system.

Expires
  Date and time when the user ID will be released.

Action
  Button that enables you to take the next action. The button changes depending on the State of the user ID.

Action buttons

The following function buttons can appear next to a row in the table, depending on the user level and state of the user ID:

Request (user level: User)
  Request a temporary user ID or self-elevation.

Approve (user level: Manager)
  Approve a user request.

Accept (user level: User)
  Accept an approved user ID or self-elevation.

View (user level: Both)
  View the date and time at which an approved and accepted user ID request with an access window will be available for use.

View Status (user level: Both)
  (Multisystem configurations only) View the status of requested systems when there is a conflict (see State, ConflictingStatus). You can take action on any active systems for which you have authorization.

Set Password (user level: User)
  Set a temporary password to begin using the user ID.

End session (SPE2304) or Release (before SPE2304) (user level: Both)
  Release a temporary user ID or self-elevation.
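The request lifecycle described by the State and Action tables above, as an added reference model in Python (not the product's own code): a small state machine over the documented states, which you can replay a sequence of dashboard actions or audit events through to confirm that they occur in the documented order. ConflictingStatus is left out, and the self-elevation branch of the WindowStart event is an assumption noted in the comments.

```python
from typing import Iterable, List, Tuple

# States from the project status table. ConflictingStatus (multisystem only) is
# left out of this single-system model.
READY, PENDING, ACCEPT_WAIT, WINDOW_WAIT, PASSWORD_WAIT, IN_USE = (
    "Ready", "Pending", "AcceptWait", "WindowWait", "PasswordWait", "InUse",
)


class InvalidTransition(Exception):
    """An action the dashboard would not offer in the current state."""


def next_state(state: str, action: str, *, self_elevation: bool,
               requires_approval: bool, window_started: bool = True) -> str:
    """State shown on the dashboard after `action` is applied in `state`.

    `action` is a button (Request, Approve, Refuse, Accept, SetPassword,
    CancelRequest, Release) or a timer event (WindowStart, Expire).
    """
    if action == "Request" and state == READY:
        if requires_approval:
            # Current Status: Pending approval. The status table also lists
            # Upgrading for self-elevation IDs awaiting approval; both are
            # selected by the Pending approval sort option.
            return PENDING
        # Auto-approved: pool IDs open the Generate PAM Password dialog,
        # self-elevation IDs are usable at once.
        return IN_USE if self_elevation else PASSWORD_WAIT
    if action == "Approve" and state == PENDING:
        return ACCEPT_WAIT          # Current Status: Pending acceptance
    if action == "Refuse" and state == PENDING:
        return READY
    if action == "Accept" and state == ACCEPT_WAIT:
        if not window_started:
            return WINDOW_WAIT      # button reads View until the window opens
        # Self-elevation goes to InUse once the Confirm Security PAM Upgrade
        # dialog is submitted; a pool ID still needs its temporary password.
        return IN_USE if self_elevation else PASSWORD_WAIT
    if action == "WindowStart" and state == WINDOW_WAIT:
        # The page describes pool IDs here (button changes to Set Password);
        # taking self-elevation IDs straight to InUse is an assumption.
        return IN_USE if self_elevation else PASSWORD_WAIT
    if action == "SetPassword" and state == PASSWORD_WAIT:
        return IN_USE               # Current Status: In Use by <requester>
    if action == "CancelRequest" and state in (ACCEPT_WAIT, PASSWORD_WAIT):
        return READY                # ID returned unused
    if action in ("Release", "Expire") and state == IN_USE:
        return READY                # password reset to an unknown value
    raise InvalidTransition(f"{action} is not valid in state {state}")


def replay(actions: Iterable[Tuple[str, dict]], *, self_elevation: bool,
           requires_approval: bool) -> List[str]:
    """Replay (action, options) pairs from Ready and return the state after
    each step. The first step the dashboard would not allow raises
    InvalidTransition, which is how an out-of-order event sequence in an
    audit trail shows up."""
    state, history = READY, []
    for action, opts in actions:
        state = next_state(state, action, self_elevation=self_elevation,
                           requires_approval=requires_approval, **opts)
        history.append(state)
    return history
```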

Self-elevation projects and concurrent mode

When checking the status table of self-elevation projects, you might see the state "Another non-concurrent project is already active".

This can occur when a self-elevation project is already active and one of the following conditions is true:

  • The active project was configured with ConcurrentMode = False.
  • The user tries to access a new self-elevation project that is configured with ConcurrentMode = False.

For more information about ConcurrentMode, see Configuring PAM projects.

Task 2—To request a user ID

This procedure is the same for both user ID pool and self-elevation projects.

  1. Locate the project that you want to access.
  2. Click Request to the right of the table row containing the required user ID. Self-elevation projects have a single row only.
    The Confirm PAM Access Request dialog box appears.
  3. (Multisystem configurations only) Select one or more systems to access with the user ID. You can select them individually or click Select All if you want access to all of the systems in the list.
    (SPE2307) When you hover over a system, an active system is highlighted in green and an inactive system is highlighted in red.
  4. (Optional) Decide on a timeframe for using the ID:
    • For immediate access upon activation for the specified days, hours, or minutes, select Access Duration. The maximum duration that you can select is two years.
    • To provide access to the ID for a specific period only or for some time in the future, select Access Window. You must specify both a start date and time, and an end date and time.
  5. Enter the Change ID, from 1 to 15 characters, that you want to associate with the request.
  6. (Optional) In the Comment box, enter a textual description of the change (up to 128 characters).
    (SPE2307) The text that you enter in the Comment box is displayed in the RSS audit log and it is prefixed by the text Comment:
  7. (Optional) To receive notification before access for the user ID is about to expire, select Send Expiry Notification.
    The dialog box expands to present additional options.
  8. Modify the Expiry Notification options as required:
    • Expiry Timer specifies the time between the notification and the user ID expiration. The maximum is 90 days.
    • Recipient defines the email address or TSO user ID for notification. Select the type from the list and enter the address or ID in the box.
    • Click Add New Recipient to add additional email or TSO recipients.
    • To remove a recipient, delete their email or TSO user ID. If the fields are empty, they are not processed.
  9. (Optional) To receive notification when the request is approved or rejected, select Send Approval Notification. This applies only to requests that require manager approval.
    The dialog box expands to present a box in which you can add the email address to which the notification should be sent.
  10. In the Email Recipient box, enter an email address:
    • You can enter only a single email address.
    • If you leave this box empty, the address defined for the EmailCustomField parameter of the EmailProfile configuration member for BMC AMI Resident Security Server is used. For more information about the EmailCustomField parameter, see Email Configuration parameters (EMAILDEF).
    • If no address is defined for the EmailCustomField parameter and you leave this box empty, no email is sent.
  11. Click Submit. What happens next depends on whether the request requires approval:
    • Approval required: The dashboard updates the State to Pending, and the Current Status to Pending approval for the user making the request. It remains in this state until the request is approved.
    • No approval required: If the user ID is from a user pool project, the Generate PAM Password dialog box is displayed. Proceed to Task 5—To set a password for user pool IDs. If the user ID is from a self-elevation project, you can begin using your elevated rights.

    (Multisystem configurations only) For both user pool and self-elevation projects, if the user ID state changes to ConflictingStatus:

    • A View Status button appears to the right of the table row.
    • When you click View Status, the Environmental Status dialog box appears displaying the statuses of the systems included in the request.
    • Set Password buttons appear only next to systems that are available. Proceed to Task 5—To set a password for user pool IDs.

Task 3—To approve a pending user ID request

This procedure is slightly different in a multisystem configuration.

  1. Click Approve to the right of the table row containing the required user ID.
    Depending on the project type, the Authorize PAM Access Request (user pool ID) or Authorize PAM Upgrade Request (self-elevation) dialog box appears.
  2. Review the details of the request.
    (Multisystem configurations only) You can see the list of systems for which the user has requested access, but you cannot modify the selections.
    (SPE2307) When you hover over a system, an active system is highlighted in green and an inactive system is highlighted in red.
  3. (Optional) Modify the timeframe for using the ID. The option that appears depends on the format selected by the user who submitted the request.

    • Access Duration provides immediate access upon activation for the specified days, hours, or minutes.
    • Access Window provides access for a specific period only. You must specify both a start date and time, and an end date and time.

    Important

    Modifying the timeframe triggers email notifications to anyone configured to receive them using the Send Expiry Notification box. The change might appear in the Audit Log and Syslog, depending on the configuration of your organization. For more information, see Task 2—To request a user ID, substep 7.

  4. In the Password for box next to your user ID, enter your password.
    (Multisystem configurations only) You must enter a password for each system in the request. You can enter them individually or duplicate them by clicking Duplicate Password.

    (SPE2210) To automatically generate a random password, you must have already defined the AutoGeneratedPassword parameter.

    You can copy your password (autogenerated or manually entered) to the clipboard by clicking Copy password. To enable the Copy password button, the browser connection must be secured by using Application Transparent Transport Layer Security (AT-TLS).

  5. To authorize the request, click Approve. The dashboard updates the State of the selected user ID to Approved and the Current Status to Pending acceptance.
  6. To reject the request, click Refuse.
  7. To exit the dialog box without making any changes, click Close.

Approving requests

Most access requests require approval.

  • Only manager-level users can approve requests. 
  • Requests awaiting approval are in the Pending or ConflictingStatus state.
  • Projects enabled with email notification inform the manager (approver) that a request is pending.
  • Those with the appropriate access can see at any time which user IDs need approval by logging on to the dashboard.

You can use the Approver parameter, when creating a Security PAM project, to automatically notify the specified approver when a request is pending. For example, if you enter the email address of your support mailbox, the request can be approved by one of many available approvers. For more information about the Approver parameter, see Configuring PAM projects.

Approving requests in a multisystem configuration

The options that you are presented with change according to the available systems.

  • If the request is in a conflicted status, a View Status button appears to the right of the table row instead of an Approve button.
  • When you click View Status, the Environmental Status dialog box appears displaying the statuses of the systems included in the request.
  • Approve buttons appear next to any systems that are available to be approved.

Task 4—To accept an approved user ID

After a manager approves a user ID request, users refreshing their dashboard see that the button to the right of the row has changed.

This procedure is slightly different in a multisystem configuration.

  1. Click Accept next to the table row containing the user ID.
    • If the user ID is from a user pool, the Generate Security PAM Password dialog box appears. Proceed to Task 5—To set a password for user pool IDs.
    • If the request uses an Access Window and the window has not started yet, a message appears telling you when the window starts. To exit the message, click Close. The Accept button changes to View until the start of the access window. When the access window starts, the button changes to Set Password. Proceed to Task 5—To set a password for user pool IDs.
    • If the user ID is for self-elevation, the Confirm Security PAM Upgrade dialog box appears.
  2. Enter your password.
    (Multisystem configurations only) You must enter a password for each system in the request. You can enter them individually or duplicate them by clicking Duplicate Password.

    (SPE2210) To automatically generate a random password, you must have already defined the AutoGeneratedPassword parameter.

    You can copy your password (autogenerated or manually entered) to the clipboard by clicking Copy password. To enable the Copy password button, the browser connection must be secured by using Application Transparent Transport Layer Security (AT-TLS).

  3. Perform one of the following steps:
    • To accept the user ID, click Submit. The dashboard updates the State of the selected user ID to InUse and the Current Status to In Use by for the user who requested the ID.
    • To cancel the request and return the user ID unused, click Cancel Request.
    • To exit the dialog box without making any changes, click Close.

Accepting an approved user ID

Notifications can be set for approved requests.

  • If the project is enabled with email notification, the user receives an email that the request is approved.
  • If the user specified an email address in the Send Approval Notification box when submitting the request, the email recipient is notified if the request was approved or rejected. For more information, see Task 2—To request a user ID, substep 8.

Accepting an approved user ID in a multisystem configuration

The options that you are presented with change according to the available systems.

  • If the request is in a conflicted status, a View Status button appears instead of an Accept button.
  • (SPE2307) The request that is in a conflicted status is highlighted in orange and its State is displayed as ConflictingStatus.
  • When you click View Status, the Environmental Status dialog box appears displaying the statuses of the systems included in the request. 
  • (SPE2307) Accept buttons appear next to all systems. But for an unavailable system, the Accept button is dimmed and the system is highlighted in red.

Task 5—To set a password for user pool IDs

When you submitted your user ID request, you clicked one of the following buttons:

  • Submit, if the user ID is from a project with automatic approval
  • Accept, if the user ID is from a project that requires a manager's approval
  • Set Password, if the user ID is from a project that requires a manager's approval and you defined an Access Window for the request, or (Multisystem configurations only) if the user ID is in a conflicted status. (SPE2307) You can set the password for an active system only.

The Generate PAM Password dialog box appears.

To begin using the elevated rights of your temporary user ID, you need to set a password for the ID.

(Multisystem configurations only) You must enter a password for each system in the request. You can enter them individually or duplicate them by clicking Duplicate Password.

(SPE2307) If you have the AutoGeneratedPassword parameter enabled, perform the following steps:

  1. In the Password Entry for userID box, enter the password for your logon user ID and click Submit.
  2. In the New Password for userID box, enter a new password for the project user ID and click Submit.
    To automatically generate a random password, you must have already defined the AutoGeneratedPassword parameter.

    You can copy your password (autogenerated or manually entered) to the clipboard by clicking Copy password. To enable the Copy password button, the browser connection must be secured by using Application Transparent Transport Layer Security (AT-TLS).

To cancel the request and return the user ID unused, click Cancel Request.

To exit the dialog box without making any changes, click Close.

If you do not have the AutoGeneratedPassword parameter enabled, perform the following steps:

  1. In the Password for box, enter your password.
  2. In the New Password for box, enter the temporary password for the user ID.
    You can copy your password (autogenerated or manually entered) to the clipboard by clicking Copy password. To enable the Copy password button, the browser connection must be secured by using Application Transparent Transport Layer Security (AT-TLS).
  3. In the Confirm New Password for box, confirm the temporary password for the user ID.
  4. Perform one of the following actions:
    • To begin using the ID, click Submit.
    • To cancel the request and return the user ID unused, click Cancel Request.
    • To exit the dialog box without making any changes, click Close.

(Before SPE2307) Perform the following steps:

  1. In the Password for box, enter your password.
  2. In the New Password for box, enter the temporary password for the user ID.
    (SPE2210) To automatically generate a random password, you must have already defined the AutoGeneratedPassword parameter.

    You can copy your password (autogenerated or manually entered) to the clipboard by clicking Copy password. To enable the Copy password button, the browser connection must be secured by using Application Transparent Transport Layer Security (AT-TLS).

  3. In the Confirm New Password for box, confirm the temporary password for the user ID.
  4. Perform one of the following actions:
    • To begin using the ID, click Submit.
    • To cancel the request and return the user ID unused, click Cancel Request.
    • To exit the dialog box without making any changes, click Close.

The dashboard updates the State of the selected user ID to InUse and the Current Status to In Use by your ID, as the user who requested the ID. If the user ID is from a project that is enabled with email notification, the manager who approved the request receives an email that the ID was accepted. You can now begin using your elevated rights.

The password is valid only for the time defined in the user ID request after the user has set the password and activated the user ID. When the time period expires or if the request is released, the password is reset to an unknown value. If REVOKE was specified for the AccessRetention parameter in the Security PAM configuration member, the user ID is flagged as revoked when not in use. For more information, see Administering.

Task 6—To release a user ID

All user IDs have a defined duration. When the duration expires, the IDs are revoked automatically. If a task is completed early, you can release the user ID back into the pool or project.

  1. Click End session to the right of the table row containing the user ID that you want to return.
    The Confirm Security PAM Access Release of dialog box appears.
  2. Perform one of the following actions:
    • To release the ID back into the pool or project, click Submit.
    • To exit the dialog box without releasing the ID, click Close.

The button to the right of the row changes from End session to Request.

If the user ID is from a project that is enabled with email notification, the manager who approved the request receives an email that the ID was released.

(Multisystem configurations only) End session buttons might also appear in a View Status dialog box for user IDs with multiple systems.

Important

Clicking End session next to one system in the View Status dialog box releases the entire user ID and cancels the request.

Task 7—To resolve a conflicting status (Multisystem configurations only)

When you work across multiple systems, sometimes systems are unavailable or a request to access a system fails. Security PAM tracks the state of both local and remote systems. If a system reports an unexpected status, the Dashboard displays a ConflictingStatus state.

  1. Click View Status next to the user ID and open the Environmental Status dialog box in which you can view the statuses of each system included in the request. 
  2. Use the Action buttons Approve (for managers), Accept or Set Password (for users) to continue with the request. 
  3. Click Request to retry systems that have failed elevation. 
  4. Contact the system administrator for any systems that continue to fail. Either the system is down or the user does not have authorization for that system.

Task 8—To sort projects

If you are maintaining numerous projects that have multiple user IDs, then it can be difficult to find the required project from the list of projects in the dashboard. You can sort the view of your projects by using the project sorting feature.

To use this feature, click Sort projects at the top of the dashboard and select an option from the list.

The status tables are rearranged and the projects that satisfy the selected condition move to the top of the list.

(SPE2207) The sort project feature sorts tables alphabetically.

Select one of the following options to move the indicated projects or requests to the top of the list:

Available for Request
  Projects with user IDs available for request

Pending approval
  Requests awaiting approval

Pending window
  Approved user ID requests that are waiting for their requested window to start

Pending accept
  Projects with user IDs approved by the manager and that are not accepted by the user

Awaiting password
  Requests that are accepted but are pending for a user to set the password

In use
  Projects with user IDs that are in use

Conflicting
  Requests made for user IDs that have a conflicting status across multiple systems
  Important: The Conflicting sort option displays results only if you have a minimum of two systems that have different states. If a request has two systems of which one is in InUse state and the other has failed, then the request appears at the top of the list when you select either the In use or the Conflicting option.

All actionable requests
  Projects with user IDs that a user can perform an action on. This includes requests, approvals, releases, and so on.
  Important: All actionable requests shows a combination of the results of Available for Request, Pending approval, Pending window, Pending accept, Awaiting password, In use, and Conflicting.

All active requests
  Requests that are not in Ready state. Displays all requests that are raised.
  Important: All active requests shows a combination of the results of Pending approval, Pending window, Pending accept, Awaiting password, In use, and Conflicting.

Default
  Displays the list of projects in its default view as defined in the Security PAM parameters. You can use this option to reset project sorting.

The selected project sorting option applies for the whole session, so you don't need to keep using the sort feature to approve multiple requests.

(SPE2301) Additionally, you can use the project sorting feature to perform the following tasks:

Sort a column in the status table in ascending or descending order.
  On the status table, click the arrow in the column header.

Search for a string in the table and filter the table according to the string that you searched.
  Enter the string in the Search box above the status table.

Select the number of entries to be displayed in the status table.
  Click the Show entries box above the status table and select the required number of entries to be displayed: 10, 25, or 50.
  If the total number of entries for a project exceeds the number of entries displayed on a tab, click the tab number or Next or Previous to display the entries available on the next or previous tabs.

Task 9—To view a status report

(SPE2207) You can view the status of the elevation requests by using the status report feature. To use this feature, click Status Report at the top of the dashboard and select one of the following options:

  • Active Requests—Displays all requests that are not in the Available status
  • All Requests—Displays all requests, including the requests in Available status

After you select an option, the product displays a modal window with a table containing the following information:

Project
  Name of the project

User
  Requested user ID

User Description
  Taken from the NAME field of the user profile

Requestor
  User ID that raised the request

Approver
  User ID that approved the request

Change ID
  Manually entered string associated with a pending or active request
  Important: This can be an open string or configured to require specific characters.

Comment (SPE2304)
  Displays the text that you entered in the Comment box on the Confirm PAM Access Request modal window that appeared when you requested the project user ID

Current Status
  Description of the current state of the user ID generated by the system

Start Time
  Date and time when the user ID is available for use

Expiry Time
  Date and time when the user ID is released

You can search for any information in the table by using the search box above the table. You can use the buttons above the search box to perform the following actions:

Button   Action
Copy     Copies the table to the user's clipboard
XLSX     Downloads the status report in Excel format
CSV      Downloads the status report in CSV format
PDF      Downloads the status report in PDF format

Important

If you click any of these buttons after performing a sort or search on the table, then the download or copy actions are performed only on the search results and not on the whole table.

(SPE2210) Alternatively, you can generate a status report by running the STATUSREPORT command in an MVS console. For more information, see Commands.

An example of the output for this command follows:

  RSS0493I Project – projectName
  RSS0492I ==========================
  RSS0494I ID: requestedUserID State: userState Req: requestorUserID startDate startTime - endDate endTime
  RSS0495I    System(s): system1, system2, ...
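As an added example (not part of the product documentation), the following Python parses console output in the STATUSREPORT shape shown above into records and then derives two of the dashboard's own views from them: the Active Requests report option (everything not Available) and the IDs whose expiry falls inside an expiry-notification window. The sample lines and the date/time layout (DATE_FMT) are constructed assumptions; only the RSS message prefixes and field labels come from the page.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample in the shape of the STATUSREPORT output above (not real
# command output). The date/time layout is an assumption: set DATE_FMT to match
# what your console prints.
DATE_FMT = "%Y/%m/%d %H:%M"
SAMPLE_REPORT = """\
RSS0493I Project – PAYROLL
RSS0492I ==========================
RSS0494I ID: PAYADM01 State: InUse Req: JSMITH 2024/03/05 14:00 - 2024/03/05 18:00
RSS0495I    System(s): SYSA, SYSB
RSS0494I ID: PAYADM02 State: Ready Req: -
RSS0493I Project – DBAOPS
RSS0492I ==========================
RSS0494I ID: DBADM01 State: Pending Req: AJONES 2024/03/05 16:00 - 2024/03/06 16:00
RSS0495I    System(s): SYSA
"""

PROJECT_RE = re.compile(r"^RSS0493I\s+Project\s+[-–—]\s+(?P<project>\S+)")
ID_RE = re.compile(
    r"^RSS0494I\s+ID:\s+(?P<id>\S+)\s+State:\s+(?P<state>\S+)\s+Req:\s+(?P<req>\S*)"
    r"(?:\s+(?P<start>\S+\s\S+)\s+-\s+(?P<end>\S+\s\S+))?"
)
SYSTEMS_RE = re.compile(r"^RSS0495I\s+System\(s\):\s*(?P<systems>.*)$")


@dataclass
class Request:
    project: str
    user_id: str
    state: str          # value of the State column (Ready, Pending, InUse, ...)
    requestor: Optional[str]
    start: Optional[datetime]
    end: Optional[datetime]
    systems: List[str] = field(default_factory=list)


def parse_dt(value: Optional[str]) -> Optional[datetime]:
    return datetime.strptime(value, DATE_FMT) if value else None


def parse_status_report(text: str) -> List[Request]:
    """Turn RSS0493I/RSS0494I/RSS0495I lines into Request records.
    Separator (RSS0492I) and blank lines are skipped; any other line is an
    error, so a truncated or mangled report is noticed rather than ignored."""
    records: List[Request] = []
    project: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("RSS0492I"):
            continue
        if m := PROJECT_RE.match(line):
            project = m.group("project")
        elif m := ID_RE.match(line):
            if project is None:
                raise ValueError(f"ID line before any project header: {line}")
            req = m.group("req")
            records.append(Request(project, m.group("id"), m.group("state"),
                                   None if req in ("", "-") else req,
                                   parse_dt(m.group("start")), parse_dt(m.group("end"))))
        elif m := SYSTEMS_RE.match(line):
            if not records:
                raise ValueError(f"System(s) line before any ID line: {line}")
            records[-1].systems = [s.strip() for s in m.group("systems").split(",") if s.strip()]
        else:
            raise ValueError(f"Unrecognised STATUSREPORT line: {line}")
    return records


def active_requests(records: List[Request]) -> List[Request]:
    """The Active Requests report option: every request not in the Available (Ready) state."""
    return [r for r in records if r.state != "Ready"]


def expiring_within(records: List[Request], now: str, timer_minutes: int) -> List[Request]:
    """IDs whose expiry falls within `timer_minutes` after `now` (given in DATE_FMT),
    the same window the Send Expiry Notification option's Expiry Timer describes."""
    deadline = parse_dt(now) + timedelta(minutes=timer_minutes)
    return [r for r in records if r.end is not None and parse_dt(now) <= r.end <= deadline]
```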


 
