Assigning project-level roles to users
You can assign project-level roles to PAM users to control their level of access to specific PAM projects.
To assign a user a project-level role
Use the ESMProfile parameter to specify the resource profile name that applies to the project. By default, PAM looks for resource profiles in the FACILITY class; to use an alternate class, set the BMC AMI Resident Security Server (RSS) global configuration parameter ClassName to that class.
From the ESMProfile value, PAM derives the following resource profiles. To give a user access to the project, grant the user READ access to at least one of them. Which profile the user can read, combined with any global role the user already holds, determines the user's role in that project:
| Project resource profile | Role |
|---|---|
| RACFProfile | If you assigned the user a global role, the user can access the project with the assigned global role. |
| RACFProfile.USER | If you did not assign the user a global role, the user can access the project as a requester. If you assigned the user a global manager role, PAM downgrades the user to a requester for the project. |
| RACFProfile.MANAGER | If you did not assign the user a global role, the user can access the project as a manager. If you assigned the user a global user role, PAM upgrades the user to hybrid, providing manager capabilities. |
RACFProfile is the RACF profile defined on the project.
After you assign project-level requester and manager roles to PAM users, you can further control their access by using the Restrict parameter:
- To restrict a project-level requester from requesting specific user IDs in a user pool PAM project, use Restrict Request.
- To restrict a project-level manager from releasing specific user IDs in a user pool PAM project, use Restrict Release.
Restrict Request and Restrict Release only take effect for a requester or manager who also has READ access to the user-level resource profile, RACFProfile.userID, for that user ID in the project. Grant that access before you rely on the Restrict parameter.
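The following REXX exec is an added example and is not from this page or from the product; it shows the RACF commands a security administrator would issue from TSO to set up one user-pool project under the scheme described above. The project's ESMProfile value (PAM.PAYROLL), the pool user ID (PAYADM01), and the user IDs ALICE, BOB and CAROL are assumed names, and the class is the default FACILITY.

```rexx
/* REXX - added example, not from the BMC page or the product.               */
/* Defines the PAM resource profiles for one hypothetical user-pool project  */
/* whose ESMProfile value is assumed to be PAM.PAYROLL, with one pool ID     */
/* assumed to be PAYADM01. ALICE, BOB and CAROL are assumed user IDs.        */
/* Run from TSO by a RACF administrator who owns the profiles.               */

class = 'FACILITY'      /* default; use the RSS ClassName value if changed   */
proj  = 'PAM.PAYROLL'   /* the project's ESMProfile value (assumed)          */
pool  = 'PAYADM01'      /* a user ID in the pool (assumed)                   */

address TSO

/* Project-level profiles. UACC(NONE): no access unless explicitly permitted. */
"RDEFINE" class proj"         UACC(NONE)"
"RDEFINE" class proj".USER    UACC(NONE)"
"RDEFINE" class proj".MANAGER UACC(NONE)"

/* ALICE holds no global role: READ on .USER makes her a requester here.     */
"PERMIT" proj".USER CLASS("class") ID(ALICE) ACCESS(READ)"

/* BOB holds the global user role: READ on .MANAGER makes him hybrid here,  */
/* with manager capabilities in this project only.                            */
"PERMIT" proj".MANAGER CLASS("class") ID(BOB) ACCESS(READ)"

/* CAROL holds a global manager role and keeps it: READ on the base profile. */
"PERMIT" proj" CLASS("class") ID(CAROL) ACCESS(READ)"

/* User-level profile: Restrict Request (ALICE) and Restrict Release (BOB)   */
/* apply to this pool ID only if they can read RACFProfile.userID.           */
"RDEFINE" class proj"."pool" UACC(NONE)"
"PERMIT" proj"."pool" CLASS("class") ID(ALICE BOB) ACCESS(READ)"

/* Make the changes effective if the class is RACLISTed, then verify.        */
"SETROPTS RACLIST("class") REFRESH"
"RLIST" class proj".MANAGER AUTHUSER"
"SEARCH CLASS("class") FILTER("proj".**)"
exit 0
```

Two checks are worth doing before trusting the result. First, RACF decides access against the most specific matching profile, so an existing generic such as PAM.PAYROLL.** in the same class would also cover .USER, .MANAGER and every user-level name; read the SEARCH output for generics that overlap the names above. Second, the roles only resolve as described when the user holds READ on exactly the intended profile: a user permitted to both .USER and .MANAGER is not a case this page defines, so avoid it rather than assume which one wins.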