Administering
This section provides information about using resource profiles, RACF groups, TSS profiles, and ACF2 masks.
Resource profiles and groups
BMC AMI Security Privileged Access Manager (PAM) uses resource profiles to manage access and permissions for projects, groups, and user IDs. PAM automatically converts profile and group names to uppercase to prevent RACF conflicts.
The resource profiles are defined in the BGLASS member of the BMC AMI Resident Security Server configuration file. For more information, see the PAM topic Configuring after installation.
Resource profiles
PAM resource profiles define the access level and role of users logging on to PAM. The access level and role are determined based on the user’s access to a combination of global and project-level resource profiles.
You can assign a user the following roles:
| Role | Description |
|---|---|
| Requester | Requesters can request user IDs from authorized PAM projects |
| Manager | Managers can approve user ID requests submitted on authorized PAM projects |
| Hybrid | Hybrid users can request user IDs from authorized PAM projects, and approve user ID requests submitted on authorized PAM projects. However, they cannot approve their own requests. |
| Viewer | Viewers can view authorized PAM projects and their associated user IDs, but cannot perform any action on the projects. |
| Admin | Admins can view all defined PAM projects and their associated user IDs, but cannot perform any action on the projects. You do not have to provide project-level access to admins. |
The global role determines a user's access to all PAM projects whereas the project role determines the user's access to select PAM projects.
To assign a user a global role
Provide the user READ access to at least one of the following global resource profiles:
| Global resource profile | Role |
|---|---|
| BMC.RSS.PAM | The user can log on to PAM without any global role or access level assigned. |
| BMC.RSS.PAM.USER | Requester |
| BMC.RSS.PAM.MANAGER | Manager |
| BMC.RSS.PAM.VIEW | Viewer |
| BMC.RSS.PAM.ADMIN | Admin |
After you assign a user a global role (based on the user's access to a global resource profile), you can restrict the user's access to specific projects by assigning the user a project-level role (based on the user's access to a project-level resource profile).
To assign a user a project-level role
Use the ESMProfile parameter to specify the resource profile that applies to the project. Resource profiles are defined in the FACILITY class by default, but you can use an alternate class by setting the RSS global configuration parameter ClassName.
The ESMProfile parameter allocates the following resource profiles to PAM, and you must provide a user READ access to at least one of them:
| Project resource profile | Role |
|---|---|
| RACFProfile | If you assigned the user a global role, the user can access the project with the assigned global role. |
| RACFProfile.USER | If you did not assign the user a global role, the user can access the project as a requester. If you assigned the user a global manager role, PAM downgrades the user to a requester for the project. |
| RACFProfile.MANAGER | If you did not assign the user a global role, the user can access the project as a manager. If you assigned the user a global user role, PAM upgrades the user to hybrid, providing manager capabilities. |
RACFProfile is the RACF profile defined on the project.
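The role rules above combine a global profile with one of the three project profiles. The following added example (not PAM's own code) resolves the effective role a user would get on a project from the set of profiles the user can READ. It assumes the profile names are passed in as strings (PAM uppercases them, so the example does too), that a user holds at most one global role profile, that the project profiles are checked in the order .MANAGER, .USER, then the base profile, and that any combination the documentation does not spell out yields no role (deny by default).

```python
from typing import Optional

# Global profiles from the table above. BMC.RSS.PAM alone grants logon only.
LOGON_PROFILE = "BMC.RSS.PAM"
GLOBAL_ROLE_PROFILES = {
    "BMC.RSS.PAM.USER": "Requester",
    "BMC.RSS.PAM.MANAGER": "Manager",
    "BMC.RSS.PAM.VIEW": "Viewer",
    "BMC.RSS.PAM.ADMIN": "Admin",
}


def _norm(read_access) -> set:
    # PAM converts profile names to uppercase, so compare in uppercase.
    return {p.upper() for p in read_access}


def global_role(read_access) -> Optional[str]:
    """Global role implied by the profiles a user can READ (None = no global role)."""
    access = _norm(read_access)
    roles = [role for prof, role in GLOBAL_ROLE_PROFILES.items() if prof in access]
    if len(roles) > 1:
        # Assumption: the documentation does not say how overlapping global
        # profiles combine, so treat that as a configuration error.
        raise ValueError("overlapping global role profiles: %s" % roles)
    return roles[0] if roles else None


def can_logon(read_access) -> bool:
    """READ on BMC.RSS.PAM or on any global role profile allows logon."""
    access = _norm(read_access)
    return LOGON_PROFILE in access or any(p in access for p in GLOBAL_ROLE_PROFILES)


def project_role(esm_profile: str, read_access) -> Optional[str]:
    """Effective role on one project (ESMProfile = esm_profile), or None."""
    access, prof = _norm(read_access), esm_profile.upper()
    g = global_role(access)
    if g == "Admin":
        return g                        # admins need no project-level access
    if prof + ".MANAGER" in access:
        if g is None:
            return "Manager"
        if g == "Requester":
            return "Hybrid"             # requester upgraded with manager rights
    if prof + ".USER" in access:
        if g is None or g == "Manager":
            return "Requester"          # manager downgraded for this project
    if prof in access and g is not None:
        return g                        # base profile: global role applies
    return None                         # undocumented combination: no role
```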
RACF groups
Every PAM project running on a RACF system must have an associated RACF group. Use the RACFGroup parameter to indicate the name of the group you want associated with the project.
You cannot define a PAM RACF group as a universal group.
RACF groups have the following purposes:
- User IDs defined for a particular project must be connected to the group defined for that project. No other user IDs should be connected to that group.
- If the CommandUserID parameter is defined as Group, the owning user ID for the group requires the RACF SPECIAL attribute.
Additionally, all self-elevation projects running on a RACF system must have associated connect group(s). These connect groups provide an elevated user ID the appropriate access to required system resources. A connect group can be defined as a universal group.
TSS profiles
Use the TSSProfile parameter to indicate the name of the profile that you want to associate with the project. If you omit TSSProfile, the default is the project name.
User IDs defined for a particular project must be connected to the profile defined for that project. No other user IDs should be connected to that profile.
ACF2 mask
Use the ACF2Mask parameter to indicate the UID mask that is used to select user IDs for this project. This parameter is required for ACF2 projects. Because of the nature of ACF2, you might want to group your PAM users together in the same DEPARTMENT, DIVISION, or LOCATION. With PAM, you can select one or more of these options by using the UID mask.
For example, if your PAM users all belong to the 'PAM' department, and this represents characters five to seven of your UID string, you would code the ACF2Mask as <****PAM>.
Before implementing PAM, an administrator can run the ACF2 LIST UID(uidmask) command with the planned mask and confirm that it returns only the intended user IDs.
User IDs
When creating PAM user IDs, consider the following points:
- User IDs should be assigned the appropriate privileges for the intended system maintenance.
- The user ID is displayed in the PAM status panels, so give it a meaningful name.
- The user ID must be connected to the RACF group or TSS profile associated with the project, or match the ACF2 UID mask associated with the project.
Resource Profiles for PAM
To request a PAM ID, users must have at least READ access to the RACF resource RSM.RSS.BGLASS. By default, this resource is defined in the FACILITY class. We highly recommend that you define RSM.RSS.BGLASS with UACC(NONE).
If you define RSM.RSS.BGLASS in a class other than FACILITY, for example to take advantage of the slight performance benefit of using a unique profile, ensure that you specify that class in the ClassName parameter in the RSS configuration member. For more information, see the RSS topic Configuring after installation.
RSM.RSS.BGLASS defines the project from which a user can request a PAM ID. It does not define the permissions of the PAM ID itself.
| Parameter | Description |
|---|---|
| RSM.RSS.projectName | Name of the PAM project from which the user can make requests. Make sure the user has the proper access according to their role. |
PAM SMF data
The default SMF type used to identify PAM records is 175. This default is used if no SMF type is defined in the Global configuration parameters for RSS. If you choose to define an SMF type for RSS, we recommend that you use any number between 128 and 255 that is not already in use and is collected by SMF.
PAM uses a standard SMF record header with subtypes: subtype 20 for logging PAM activity and subtype 22 for logging ServiceNow authentication (SPE2504).
For more information, see Table 2 in the IBM Knowledge Center topic: Standard and Extended SMF record headers.
The PAM SMF fields are as follows:
| Description | Type | Length |
|---|---|---|
| Request description | Char | 16 |
| Change or incident ID | Char | 16 |
| Change description | Char | 64 |
| Project | Char | 8 |
| Project description | Char | 32 |
| User ID | Char | 8 |
| User name | Char | 32 |
| Requester ID | Char | 8 |
| Requester name | Char | 32 |
| Approver | Char | 8 |
| Approver name | Char | 32 |
| Audit log ID | Char | 24 |
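The table above gives field names and lengths but no offsets. The following added example (not PAM's code) parses the data portion of a subtype 20 record into named fields and flags a record whose approver is also its requester, which the role rules say should never happen. It assumes the fields follow the standard SMF header contiguously in the listed order as space-padded EBCDIC (code page cp037); the subtype 22 table can be supplied to the same parser as another layout list. The sample record is constructed here, not captured from a system.

```python
# PAM activity record (SMF subtype 20) fields as listed above: (name, length).
# Assumption: fields follow the standard SMF header contiguously, in this
# order, as space-padded EBCDIC (code page cp037).
LAYOUT_SUBTYPE20 = [
    ("request_description", 16), ("change_or_incident_id", 16),
    ("change_description", 64), ("project", 8), ("project_description", 32),
    ("user_id", 8), ("user_name", 32), ("requester_id", 8),
    ("requester_name", 32), ("approver", 8), ("approver_name", 32),
    ("audit_log_id", 24),
]
EBCDIC = "cp037"


def parse_fields(body: bytes, layout=LAYOUT_SUBTYPE20) -> dict:
    """Split the data portion of a PAM record into named, trimmed strings."""
    need = sum(n for _, n in layout)
    if len(body) < need:
        raise ValueError("body is %d bytes, layout needs %d" % (len(body), need))
    out, pos = {}, 0
    for name, n in layout:
        out[name] = body[pos:pos + n].decode(EBCDIC).rstrip(" \x00")
        pos += n
    return out


def build_fields(values: dict, layout=LAYOUT_SUBTYPE20) -> bytes:
    """Inverse of parse_fields; used here only to construct sample records."""
    chunks = []
    for name, n in layout:
        text = values.get(name, "")
        if len(text) > n:
            raise ValueError("%s longer than %d characters" % (name, n))
        chunks.append(text.ljust(n).encode(EBCDIC))
    return b"".join(chunks)


def self_approved(fields: dict) -> bool:
    """True when the approver is also the requester. Hybrid users may not
    approve their own requests, so this is worth alerting on in SMF review."""
    return bool(fields["approver"]) and fields["approver"] == fields["requester_id"]


# Constructed sample record (not real data): a requester asks for an elevated
# ID against a change ticket and a different user approves it.
SAMPLE = build_fields({
    "request_description": "DB2 maintenance", "change_or_incident_id": "CHG0001234",
    "project": "PAMPROJ1", "user_id": "PAMID01", "requester_id": "USER01",
    "approver": "MGR01", "audit_log_id": "AUDIT-0001",
})
```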
The ServiceNow authentication SMF fields are as follows:
| Description | Type | Length |
|---|---|---|
| Incident or change ID | Char | 16 |
| Incident or change description | Char | 128 |
| Incident or change state | Char | 16 |
| Authentication result | Char | 152 |
| PAM project | Char | 8 |
| Requester ID | Char | 8 |
| Audit log ID | Char | 24 |
| Change type | Char | 64 |
| Assignee name | Char | 128 |
| Open date | Char | 20 |
| Updated date | Char | 20 |
| Planned start date | Char | 20 |
| Planned end date | Char | 20 |
| Actual start date | Char | 20 |
| Actual end date | Char | 20 |
| Review date | Char | 20 |
| Due date | Char | 20 |
| Short description | Char | 256 |