Commands

In addition to the RSS Commands, you can run BMC AMI Security Privileged Access Manager (PAM) commands with the MVS Modify command in an MVS console to extract information from the product or adjust certain processing options.

Related topics

Administering

Troubleshooting

To run a PAM command, run the following syntax:

/F startedTaskName,command keyword1 keyword2

PAM supports the following commands:

RECONFIG

You can use the RECONFIG command to perform the following tasks without restarting PAM:

  • Dynamically update the values of specific parameters
  • Add and delete projects from your active configuration

The syntax for this command is as follows:

/F startedTaskName,RECONFIG memberName

Variable

Description

startedTaskName

STC (started task) that runs PAM

memberName

New configuration member that contains all the original parameters with their updated values and new project blocks

Include this new configuration member in the RSSPARM data set.

The RECONFIG command dynamically updates your existing configuration. It replaces your original configuration with the configuration specified in your new configuration member. Hence, your new configuration member must include all projects and parameters that you require after running RECONFIG. Do not exclude any required projects and parameters from your new configuration member.

Important

If an existing project has a user ID in one of the following Current Status, you cannot use RECONFIG to delete or update that project; PAM ignores all changes that you specify for that project:

  • Pending approval for userID
  • Pending acceptance
  • Awaiting password
  • In Use by userID

Also, you cannot use RECONFIG to update parameters in the following parameter blocks:

  • HTTPServer
  • EmailProfile
  • RESTApi
  • AutoStart

To update a parameter, add a new project, or delete an existing project

  1. Create a new configuration member in your RSSPARM data set.
  2. Copy all parameters from your original configuration member to your new configuration member.
  3. Perform one of the following tasks:
    • To update a parameter value, change the required parameter's value in the new configuration member.
    • To add a new project, add a new project block to the new configuration member.
    • To delete a project, delete the specific project block from the new configuration member.
  4. Run the RECONFIG command with the new configuration member.
Example

UPDTPARM1 is a new configuration member with updated parameters and ECYZBGL is the PAM started task. To update the parameters, run the following command:
/F ECYZBGL,RECONFIG UPDTPARM1

STATUSREPORT

You can use the new STATUSREPORT command to generate a status report of elevation requests, entitled STREPORT, in a dynamic DD statement that is created in the STC.

The syntax for this command is as follows:

/F startedTaskName,STATUSREPORT [active]

Variable/Keyword

Description

startedTaskName

STC (started task) that runs the product

active

(Optional) Generates a status report with all requests that are not in Available status

If you do not specify the keyword active, then the status report displays all requests, including the requests in Available status.

Alternatively, you can generate a status report from the product user interface by clicking Status Report.

PAMRESET

You can use the PAMRESET command to reset a user ID without cold starting the STC. This command is particularly useful in production environments.

The following table contains the command syntax to perform various actions:

Action

Command syntax

Reset a specific user ID on a specific project

/F startedTaskName,PAMRESET project userID

Reset a specific user ID on all projects

/F startedTaskName,PAMRESET * userID

Reset all user IDs on a specific project

/F startedTaskName,PAMRESET project *

Reset all user IDs on a specific project, delete the project, and re-create the project (like in a cold start)

/F startedTaskName,PAMRESET project * cold

To delete a specific user ID on a specific project and re-create the user ID (like in a cold start)

/F startedTaskName,PAMRESET project userID cold

The variables and keywords used with the PAMRESET command follow:

Variable or Keyword

Description

startedTaskName

STC (started task) that runs the product

project

Name of the project that has the user ID that you need to reset

To reset user IDs on all projects, specify *.

userID

User ID that you need to reset

To reset all user IDs on a project, specify *.

cold

Deletes and re-creates a user ID or project (like in a cold start)

PAMPROJREFRESH

You can use the PAMPROJREFRESH command to refresh a project. When you run this command, PAM compares the user IDs in a project with the user IDs in the RACF group associated with that project. If PAM finds that a user ID available in the RACF group is not available in the project, PAM adds the missing user ID to the project.

(SPE2407) If a user ID available in the project is no longer available in the RACF group, PAM removes this user ID from the project.

The syntax for this command is as follows:

/F startedTaskName,PAMPROJREFRESH

To see the updated list of user IDs in a project, on the product dashboard, click Refresh status.

(Before SPE2407) To remove a user ID from a project that was previously removed from a RACF group, restart the product.

When you run this command in different scenarios, PAM displays the following messages in the STC log:

Message

Scenario

PAMPROJREFRESH command issued

When you run the PAMPROJREFRESH command

PAMPROJREFRESH command completed

When the PAMPROJREFRESH command completes its run

User userName added for project projectName

When PAM adds a user ID that was unavailable in the project from a RACF group to its associated project

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*