Administering
This section provides information about using resource profiles, RACF groups, TSS profiles, and ACF2 masks.
Resource profiles and groups
BMC AMI Security Privileged Access Manager (PAM) uses resource profiles to manage access and permissions for projects, groups, and user IDs. PAM automatically converts profile and group names to uppercase to prevent RACF conflicts.
The resource profiles are defined in the BGLASS member of the BMC AMI Resident Security Server configuration file. For more information, see Configuring after installation.
Resource profiles
PAM resource profiles define the user's access level and role when logging on to PAM. These are determined by the user’s access to a combination of global and project-level resource profiles.
You can assign a user the following roles:
| Role | Description |
|---|---|
| Requester | Requesters can request user IDs from authorized PAM projects. |
| Manager | Managers can approve user ID requests submitted on authorized PAM projects. |
| Hybrid | Hybrid users can request user IDs from authorized PAM projects and approve user ID requests submitted on authorized PAM projects. However, they can't approve their own requests. |
| Viewer | Viewers can view authorized PAM projects and their associated user IDs, but they can't perform any action on the projects. |
| Admin | Admins can view all defined PAM projects and their associated user IDs, but they can't perform any action on the projects. You don't have to provide project-level access to admins. |
The global role determines a user's access to all PAM projects, whereas the project role determines a user's access to select PAM projects.
For more information on assigning user roles, see the following topics:
RACF groups
Every PAM project running on a RACF system must have an associated RACF group. Use the RACFGroup parameter to indicate the name of the group you want to associate with the project.
You can't define a PAM RACF group as a universal group.
RACF groups have the following purposes:
- User IDs defined for a particular project must be connected to the group defined for that project. No other user IDs should be connected to that group.
If the CommandUserID parameter is defined as Group, the user ID that owns the group must have the RACF SPECIAL attribute.
Additionally, all self-elevation projects running on a RACF system must have associated connect group(s). These connect groups give an elevated user ID the appropriate access to the required system resources. A connect group can be defined as a universal group.
TSS profiles
Use the TSSProfile parameter to indicate the name of the profile that you want to associate with the project. If you omit TSSProfile, the default is the project name.
User IDs defined for a particular project must be connected to the profile defined for that project. No other user IDs should be connected to that profile.
ACF2 mask
Use the ACF2Mask parameter to indicate the UID mask that is used to select user IDs for this project. This parameter is required for ACF2 projects. Because of the nature of ACF2, you might want to group your PAM users together in the same department, division, or location. With PAM, you can select one or more of these options by using the UID mask.
For example, if your PAM users all belong to the PAM department, and this represents characters five to seven of your UID string, you would code the ACF2Mask as <****PAM>.
Before implementing PAM, an administrator should run the LIST UID(uidmask) command with the intended mask and confirm that it returns exactly the user IDs that belong to the project.
User IDs
When creating PAM user IDs, consider the following points:
- User IDs should be assigned the appropriate privileges for the intended system maintenance.
- The user ID is displayed in the PAM status panels, so you can give it a meaningful name.
- The user ID must be connected to the RACF group or TSS profile associated with the project, or must match the ACF2 UID mask associated with the project.
Resource profiles for PAM
To request a PAM ID, users must have at minimum READ access to the RACF resource RSM.RSS.BGLASS. The default location of this resource is the FACILITY class profile. We highly recommend that you specify a value of UACC(NONE) for RSM.RSS.BGLASS.
If you choose to add RSM.RSS.BGLASS to a different class profile (other than FACILITY), to take advantage of the slight performance benefit of using a unique profile, ensure that you specify the class in the ClassName parameter in the BMC AMI Resident Security Server (RSS) configuration member. For more information, see Configuring after installation.
RSM.RSS.BGLASS defines the project from which a user can request a PAM ID. It does not define the permissions of the PAM ID itself.
| Parameter | Description |
|---|---|
| RSM.RSS.projectName | Name of the PAM project from which the user can make requests. Make sure the user has the proper access according to their role. |
PAM SMF data
The default System Management Facility (SMF) type used to identify PAM records is 175. This default is used if no SMF type is defined in the Global configuration parameters for RSS. If you choose to define an SMF type for RSS, we recommend that you use any number between 128 and 255 that is available to be collected by SMF.
PAM uses a standard SMF record header with subtypes. (SPE2504) PAM uses subtype 20 for logging PAM activity and subtype 22 for logging ServiceNow authentication.
For more information, see Table 2 in the IBM Knowledge Center topic: Standard and Extended SMF record headers.
The PAM SMF fields are as follows:
| Description | Type | Length |
|---|---|---|
| Request description | Char | 16 |
| Change or incident ID | Char | 16 |
| Change description | Char | 64 |
| Project | Char | 8 |
| Project description | Char | 32 |
| User ID | Char | 8 |
| User name | Char | 32 |
| Requester ID | Char | 8 |
| Requester name | Char | 32 |
| Approver | Char | 8 |
| Approver name | Char | 32 |
| Audit log ID | Char | 24 |
The ServiceNow authentication SMF fields are as follows:
| Description | Type | Length |
|---|---|---|
| Incident or change ID | Char | 16 |
| Incident or change description | Char | 128 |
| Incident or change state | Char | 16 |
| Authentication result | Char | 152 |
| PAM project | Char | 8 |
| Requester ID | Char | 8 |
| Audit log ID | Char | 24 |
| Change type | Char | 64 |
| Assignee name | Char | 128 |
| Open date | Char | 20 |
| Updated date | Char | 20 |
| Planned start date | Char | 20 |
| Planned end date | Char | 20 |
| Actual start date | Char | 20 |
| Actual end date | Char | 20 |
| Review date | Char | 20 |
| Due date | Char | 20 |
| Short description | Char | 256 |
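The two field tables above describe fixed-width character payloads. The following added example (not part of the BMC documentation or product) turns both tables into layouts, slices a subtype 20 or subtype 22 payload into named fields, and runs one audit check a reviewer of PAM activity records would want: a request whose approver is also its requester, which the Hybrid role rules say must never happen. It assumes the payload starts immediately after the standard SMF header, that records are EBCDIC (code page cp037), and it builds its own constructed sample records; no real SMF data is used.

```python
from typing import Dict, List, Tuple

# (field name, length) pairs in table order; every PAM SMF field is Char.
SUBTYPE_20_FIELDS: List[Tuple[str, int]] = [
    ("request_description", 16), ("change_or_incident_id", 16),
    ("change_description", 64), ("project", 8), ("project_description", 32),
    ("user_id", 8), ("user_name", 32), ("requester_id", 8),
    ("requester_name", 32), ("approver", 8), ("approver_name", 32),
    ("audit_log_id", 24),
]
SUBTYPE_22_FIELDS: List[Tuple[str, int]] = [
    ("incident_or_change_id", 16), ("incident_or_change_description", 128),
    ("incident_or_change_state", 16), ("authentication_result", 152),
    ("pam_project", 8), ("requester_id", 8), ("audit_log_id", 24),
    ("change_type", 64), ("assignee_name", 128), ("open_date", 20),
    ("updated_date", 20), ("planned_start_date", 20), ("planned_end_date", 20),
    ("actual_start_date", 20), ("actual_end_date", 20), ("review_date", 20),
    ("due_date", 20), ("short_description", 256),
]
LAYOUTS = {20: SUBTYPE_20_FIELDS, 22: SUBTYPE_22_FIELDS}
EBCDIC = "cp037"  # assumption: records are EBCDIC; adjust to your system's code page

def payload_length(subtype: int) -> int:
    """Total bytes the table defines for one subtype (280 for 20, 960 for 22)."""
    return sum(length for _, length in LAYOUTS[subtype])

def parse_payload(payload: bytes, subtype: int) -> Dict[str, str]:
    """Slice the fixed-width fields that follow the SMF header, in table order."""
    need = payload_length(subtype)
    if len(payload) < need:
        raise ValueError(f"subtype {subtype}: need {need} bytes, got {len(payload)}")
    fields, pos = {}, 0
    for name, length in LAYOUTS[subtype]:
        fields[name] = payload[pos:pos + length].decode(EBCDIC).rstrip()
        pos += length
    return fields

def build_payload(values: Dict[str, str], subtype: int) -> bytes:
    """Constructed test data only: blank-pad (EBCDIC X'40') or truncate each field."""
    return b"".join(values.get(name, "").encode(EBCDIC)[:length].ljust(length, b"\x40")
                    for name, length in LAYOUTS[subtype])

def self_approved(record: Dict[str, str]) -> bool:
    """Audit check: a subtype 20 record whose approver equals its requester."""
    return record["approver"] != "" and record["approver"] == record["requester_id"]

# Constructed samples: a normal PAM activity record and one that should be investigated.
SAMPLE_20 = build_payload({"request_description": "DB2 patch", "change_or_incident_id": "CHG0001234",
    "project": "DB2ADMIN", "user_id": "PAMDB201", "requester_id": "USER01",
    "approver": "MGR01", "audit_log_id": "A0001"}, 20)
SUSPECT_20 = build_payload({"project": "DB2ADMIN", "requester_id": "USER01", "approver": "USER01"}, 20)
```

Feed real records by stripping the SMF header (see the IBM header layout referenced above) and passing the remainder with the record's subtype.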