Assigning project-level roles to users


You can assign project-level roles to PAM users to control their level of access to specific PAM projects.

To assign a user a project-level role

Use the ESMProfile parameter to specify the resource profile that applies to the project. Resource profiles are defined in the FACILITY class by default. However, you can use an alternate class by using the BMC AMI Resident Security Server (RSS) global configuration parameter ClassName.

The ESMProfile parameter allocates the following resource profiles to PAM. You must grant the user READ access to at least one of them:

| Project resource profile | Role |
|---|---|
| RACFProfile | If you assigned the user a global role, the user can access the project with the assigned global role. |
| RACFProfile.USER | If you did not assign the user a global role, the user can access the project as a requester. If you assigned the user a global manager role, PAM downgrades the user to a requester for the project. |
| RACFProfile.MANAGER | If you did not assign the user a global role, the user can access the project as a manager. If you assigned the user a global user role, PAM upgrades the user to hybrid, providing manager capabilities. |

RACFProfile is the RACF profile defined on the project.

Example

If you configure the project profile as ESMProfile BMC.PAM.PROJ1, PAM determines a user's role and access level on the project by using the following resource profiles:

  • BMC.PAM.PROJ1
  • BMC.PAM.PROJ1.USER
  • BMC.PAM.PROJ1.MANAGER
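
The following RACF commands show one way to grant the READ access described above for the BMC.PAM.PROJ1 example. This is an added example, not taken from the BMC documentation. It assumes the profiles are in the default FACILITY class, that the class is RACLISTed, and that the profiles are not yet defined; the group names PAMREQ, PAMMGR and PAMGLOB are hypothetical.

```tso
/* Define the three project profiles with no default access,      */
/* so that only explicitly permitted IDs receive a project role.   */
RDEFINE FACILITY BMC.PAM.PROJ1         UACC(NONE)
RDEFINE FACILITY BMC.PAM.PROJ1.USER    UACC(NONE)
RDEFINE FACILITY BMC.PAM.PROJ1.MANAGER UACC(NONE)

/* Requesters on this project: READ on the .USER profile.          */
/* A global manager permitted here is downgraded to requester.     */
PERMIT BMC.PAM.PROJ1.USER CLASS(FACILITY) ID(PAMREQ) ACCESS(READ)

/* Managers on this project: READ on the .MANAGER profile.         */
/* A global user permitted here is upgraded to hybrid.             */
PERMIT BMC.PAM.PROJ1.MANAGER CLASS(FACILITY) ID(PAMMGR) ACCESS(READ)

/* Users who should keep their assigned global role on the         */
/* project: READ on the base profile.                              */
PERMIT BMC.PAM.PROJ1 CLASS(FACILITY) ID(PAMGLOB) ACCESS(READ)

/* Activate the changes (assumes FACILITY is RACLISTed).           */
SETROPTS RACLIST(FACILITY) REFRESH

/* Review who holds access to each profile.                        */
RLIST FACILITY BMC.PAM.PROJ1         AUTHUSER
RLIST FACILITY BMC.PAM.PROJ1.USER    AUTHUSER
RLIST FACILITY BMC.PAM.PROJ1.MANAGER AUTHUSER
```

Because READ on the .MANAGER profile grants manager capabilities on the project, keep its access list short and review the RLIST output whenever group membership changes.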

 


BMC AMI Security Privileged Access Manager 2.3