Configuring after installation

Use the parameters in this topic to specify BMC AMI Security Privileged Access Manager (PAM) settings in the BMC AMI Resident Security Server (RSS) configuration. These parameters are not required for other RSS components.

You must also create a dedicated started task control (STC) user under which the BMC AMI Security Privileged Access Manager started task will run.

PAMProject table

The PAM configuration statements are grouped into projects, in which a project is a specific group of PAM user IDs used to access a specific system resource.

For example, you might define one project for access to CICS, a second project for Db2, and a third project for z/OS.

The PAM configuration member (BGLASS) uses the following parameters:

Parameter

Description

PAMProject projectName

Indicates the start of a project definition

Enter a name of up to eight characters for projectName.

AccessRetention number type REVOKE INACTIVE

Time period to retain access to project resources

Enter the amount of time users can retain their user pool ID or self-elevation privileges.

number is the number of minutes, hours, or days. The maximum value is 90.
type is the unit of measure: Minutes (the default), Hours, or Days.

Once the time is up, privileges are revoked and any passwords the user created are removed.

If you use REVOKE, the user IDs for the project are flagged as revoked, when not in use, in addition to their passwords being reset. This is helpful for projects with very powerful user IDs and privileges.

The value you enter here is loaded by default into the Duration box for users requesting a user ID.

If you omit type, the default Minutes is used.

If you use INACTIVE, PAM issues an ALU RESUME command to clear the inactive status of the requested user ID. Specifying INACTIVE is similar to setting the AllowInactive parameter to Enable.

(SPE2410)If you omit this parameter, its value is loaded from the DefaultRetention parameter and REVOKE is used by default.

ACF2Mask uidMask

Indicates the uidMask used to select users for a PAM project

This parameter is required for ACF2 projects. For more information, see ACF2 mask.

AllowInactive Enable|Disable

When the product runs on a RACF system, it issues an ALU RESUME command to clear the inactive status of the requested user ID.

The default is Disable.

Setting the AllowInactive parameter to Enable is similar to specifying the INACTIVE keyword with the AccessRetention parameter.

AllowRepeatedRequests All|Unique|None

Make multiple requests against your own linked user ID. The AllowRepeatedRequests parameter is valid for user pool mode (Mode UserPool) projects only and is not valid for self-elevation mode (Mode SelfElevation) projects.

Select one of the following options:

All—approves all requests and does not validate the request for duplicate environments
Unique—approves all requests that does not match a previous set of systems. Your request for the same user ID is approved, but if you request the same set of systems, the request is rejected.
None—rejects repeated requests.

The default is None.

Important

Before you define this parameter, you must define the CSDATAFieldparameter.

Approver type value

(Optional) TSO user ID or email address of the person who will approve access requests for the project

This parameter is useful for sending notifications to support mailboxes or to a mailing list of approvers. Notification is not sent for automatic approvals.

type indicates how the approver is notified:
- EMAIL specifies the email address of the approver.
- TSO specifies the TSO user ID of the approver.
value contains the corresponding email or TSO user ID.

Important

If you specify EMAIL, PAM uses the value from the EmailProfile block of the RSS server configuration parameters. For the notification process to operate correctly, you must have previously configured these parameters. For more information, see Email Configuration parameters (EMAILDEF).

AutoGeneratedPassword On|Off|Overwrite Email

Determines whether to automatically generate a random password during the password reset process

Value	Description
On	Automatically generates a random password that is not editable
Overwrite	Automatically generates a random password that is editable
Off	(Default) Does not generate a random password. Users must enter the password manually.
Email	(Optional) Sends a notification to a previously specified email address with the new password Important For the notification process to operate correctly, you must have previously configured the EmailCustomField parameter in the EmailProfile block. For more information, see Email Configuration parameters (EMAILDEF).

AutoPeriod hh:mm hh:mm WEEKDAYS|WEEKENDS

(Optional) Enables automatic access-request approval for the specified time period

Users must receive manager approval when requesting user ID pool or self-elevation access. Managers may not always be available when access requests come in. To address such issues you can specify periods of time that approvals are given automatically. For example, on weekends or holidays when a project manager might be traveling or on vacation.

Enter start and end times in hours and minutes using hh:mm hh:mm.
Use either WEEKDAYS or WEEKENDS (you can only use one) to specify when the time period occurs.
Define one or more AutoPeriod parameters as needed for the project.
Important
AutoPeriod uses a 24–hour clock. If a time period spans midnight, the start time must be greater than the end time. For example:
AutoPeriod 23:30 08:30 WEEKDAYS

If you omit AutoPeriod, the default is that manager approval is required for all access requests.

BMCHelixAuth dataSet

Name of the data set containing the authentication token that is used to authenticate the change ID (or incident ID) validation request sent from PAM to the BMC Helix ITSM instance

For more information, see Validating Security PAM change IDs and incident IDs by using BMC Helix ITSM.

BMCHelixUser userID

Base64-encoded BMC Helix ITSM user ID that is used to authenticate the change ID (or incident ID) validation request sent from PAM to the BMC Helix ITSM instance

Make sure that the user ID that you specify with this parameter has the required permissions to read change IDs and incident IDs in BMC Helix ITSM. For more information, see Validating Security PAM change IDs and incident IDs by using BMC Helix ITSM.

BMCHelixPass password

Base64-encoded password for the BMC Helix ITSM userID

BMCHelixURL url

Endpoint URL for sending the REST API requests from PAM

If your endpoint URL is https://exampleurl.com, then specify it as exampleurl.com.

For more information, see Validating Security PAM change IDs and incident IDs by using BMC Helix ITSM.

ChangeIDPrefix prefix1 prefix2 prefix3 ...

Force specific change or incident ID prefixes for the project

You can configure multiple, custom change or incident ID prefixes to use for tracking requests from the project. Users are shown the required prefixes when requesting a user ID. The prefixes are not case sensitive.

(SPE2407)

The prefixes are displayed in the Change or Incident ID list in the UI.

If PAM change or incident ID validation against ServiceNow records is enabled, the Change or Incident ID list in the UI displays CHG and INC only. No other prefix is displayed.

CommandUserID Job|Group

User ID for issuing commands

Ensure that the user ID for the specified value has sufficient privileges to issue the necessary commands.

Job, issues commands under the user ID for the started task running PAM.
Group, issues commands under the owning user ID for the group or profile associated with the project. On non-RACF installations, we recommend to use Job .

If you omit CommandUserID, the default Job is used.

CommentField Enable|Disable

Determines whether users must mandatorily enter a comment in the Comment box on the Confirm PAM Access Request modal window

If you omit CommentField, the default Disable is used.

ConcurrentMode True|False

(For self-elevation projects only) The project allows concurrent use in valid instances

Users can self-elevate in multiple projects concurrently when:

The user initially chooses and is currently elevated in a project where ConcurrentMode = True.
The next project the user chooses is also ConcurrentMode = True

If the user initially chooses or is currently elevated in a project where ConcurrentMode = False, they cannot concurrently elevate to another project.

If you omit ConcurrentMode, the default False is used.

ConnectACF2 priv1 priv2 priv3 ...

ConnectGroup group1 group2 group3 ...

ConnectProfile profile1 profile2 profile3 ...

(For self-elevation projects only) Names of the user-access ESM resources associated with the project

ESM user-access resources provide projects with access to required system resources. These are primarily in the form of RACF groups, TSS profiles, and ACF2 departments. Projects created for self-elevation can connect to multiple resources, providing a wide range of access for the user. You can define multiple resources for a single Connect parameter or you can use multiple Connect parameters instead.

In addition, when operating PAM on a RACF or TSS system, users are connected automatically to the RACF group or TSS profile defined specifically for the project via the RACFGroup or TSSProfile keyword. For more information, see RACF groups and TSS profiles.

ACF2 supports additional processing with this keyword because of the flexibility of ACF2 installations and the various differences in the organization structure. The ConnectACF2 parameter supports any string of the format parameter(value) and two special keywords: ACCOUNT and SECURITY. The parameter options are those defined for your organization's UID string. To find the parameter, issue a LIST userid ACF2 command. The output for the command is as follows: DIV(XXX) ENDVRDEF( ) JTTL() LOC() SECT() STAFFID( )
In this example, the available options are DIV, ENDVRDEF, JTTL, LOC, SECT, and STAFFID. ACF2 administrators can then use any of these options to filter access to the required resources.

Important

Use the SECURITY or ACCOUNT keywords with caution. Make sure that adequate protections are in place for the PAM configuration data sets when using these options.

You can specify up to 24 ACF2 departments, RACF groups, and TSS profiles with ConnectACF2, ConnectGroup, and ConnectProfile. If you exceed this limit, PAM ignores the rest and issues the following error message: Connect group limit exceeded

Important

If you are using a multisystem configuration, you must have the same ESM resources for your master and agent systems. For example, if your master system runs on RACF, your agent systems must also run on RACF. So, if you use the ConnectGroup parameter in a project in your master system, you must use ConnectGroup only in your projects in your agent systems; you cannot use ConnectACF2 or ConnectProfile in your projects in your agent system.

CSDATAField fieldName

Name of the CSDATA field in RACF that has the project user ID that you want to link to a manager-level logon user ID

When you define this parameter in a project, a manager must request and gain approval to use a project user ID that is linked to their logon user ID. This same manager can approve project user ID requests raised by other users in projects to which the manager has access.

Make sure that the CSDATA field is protected by RACF to prevent unauthorized changes. For more information, see Self-managed projects.

A sample code to create the CSDATA field follows:

//JOBCARD   JOB (),CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//***************************************************
//* BUILD PAM CUSTOM FIELDS *
//***************************************************
//DEFINE EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS CLASSACT(CFIELD)
RDEFINE CFIELD +
   USER.CSDATA.PAMLINK +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(8) LISTHEAD('PAM LINKED ID') +
   FIRST(ALPHANUM) OTHER(ALPHANUM) )
//*
//UPDATE EXEC PGM=IKJEFT01,PARM='IRRDPI00 UPDATE'
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY
//LIST EXEC PGM=IKJEFT01,PARM='IRRDPI00 LIST (USER CSDATA) '
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY
//*
//***************************************************
//* SET PAMLINK CSDATA FOR USERID
//***************************************************
//CSDATA EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
ALTUSER LogonUserID CSDATA(PAMLINK(ProjectUserID))
LISTUSER LogonUserID CSDATA
//*

DefaultRetention number type

(SPE2410)

A safeguard to ensure that both MaximumRetention and AccessRetention parameters are updated if either of them is unavailable

If the MaximumRetention or AccessRetention parameter is unavailable, it is updated by using the value in the DefaultRetention parameter.

number is the number of minutes, hours, or days. The maximum value is 90.
type is the unit of measure: Minutes (the default), Hours, or Days.

If you do not specify a value for DefaultRetention, 30 Days (the default) is used.

Description text

Description of the project

The description can be up to 31 bytes and is visible to users requesting and approving access to the project.

ESMProfile profileName

(Optional) resource profile containing the access level requirements for the project

Anyone working with this project must have the permissions defined in the specified resource profile.

Users requesting IDs and self-elevation must have READ access.
Managers who will be approving the requests must have ALTER access.

If you omit ESMProfile, the default used is RSM.RSS.projectname, where projectname is the value specified in the PAMProject parameter.

ExpiryNotify type value

(Optional) TSO user ID or email address for project expiry warnings

Use this parameter to notify people when access for any of the project's user IDs is about to expire. First choose the method of notification and then fill in the details:

type, indicates the how the approver is notified.
- EMAIL, specifies the email address of the approver.
- TSO, specifies the TSO user ID of the approver.
value, contains the corresponding contact information
- For EMAIL, enter the email address of the person you want notified.
- For TSO, enter the TSO user ID of the person you want to notify or one of the following:
  - USER, sends the notification to the PAM user ID requested from the project.
  - REQUESTER, sends the notification to the person who requested the PAM user ID from the project.

You can add multiple ExpiryNotify parameters to add multiple email recipients.

Important

If you configure ExpiryNotify:
- The values entered here appear as default settings on the Confirm PAM Access Request page.
- Modifications made on the Confirm PAM Access Request page override the values configured here.
For more information see, Task 2—To request a user ID.
If you specify EMAIL, PAM uses the value from the EmailProfile block of the RSS server configuration parameters. For the notification process to operate correctly, you must have previously configured these parameters. For more information, see Email Configuration parameters (EMAILDEF).

If the email address is longer than 64 characters, you can enter it in two lines. To enter an email address in two lines, in the first line, specify the parameter with a + sign at its end and enter the first part of the email address. In the second line, specify the parameter again without a + sign and enter the second part of the email address. You can enter 64 characters in each line. So, you can enter an email address of up to 128 characters.

For example:
ExpiryNotify EMAIL+ userName
ExpiryNotify EMAIL @bmc.com

ExpiryTimer number type

Time period before access requests expire that notifications are sent

(Optional) For use with ExpiryNotify, specify the amount of lead time you want for notifications before project IDs expire. The maximum value is 90 days.

number is the number of minutes, hours, or days.
type is the unit of measure: Minutes (the default), Hours, or Days.

If you omit ExpiryTimer, the default value of 5 minutes is used.

LocalAuthenticate resourceProfileName

(Optional) resource profile containing the list of the users permitted to use local authentication

For use in a multisystem configuration, an access level of READ or higher is sufficient to grant this privilege. Users on the list need to enter their password only once and authenticate on the master system to receive access to all systems in the request.

If you omit LocalAuthenticate, users must enter passwords for each system in the request.

MaximumRetention number type

Maximum time to retain access to project resources

Enter the maximum amount of time users can retain their user pool ID or self-elevation privileges.

number is the number of minutes, hours, or days. The maximum value is 90.
type is the unit of measure: Minutes (the default), Hours, or Days.

If the user enters a value in the Duration box when requesting a user ID that is greater than the MaximumRetention value, MaximumRetention takes precedence.

If you omit type, the default Minutes is used.

(SPE2410)If you omit this parameter, its value is loaded from the DefaultRetention parameter.

Mode UserPool|SelfElevation

Access mode for project

UserPool, provides temporary user IDs from a predefined pool.
SelfElevation, provides users the ability to temporarily extend the privileges of their own user ID.

If you omit Mode, the default UserPool is used.

Notify activity emailAddress|CSDATA

(Optional) Sends a notification to the specified email address when the specified project activity occurs

Value

Description

activity

Project activity that the user receives notification for

If you specify any of the following activities, then an email is sent only when its corresponding condition exists:

Activity	Condition
Request	Elevation requested
Approve	Elevation request approved (SPE2407) or refused
Expired	User ID expired
Release	User ID released
Active	User ID active
Cancel	Elevation request canceled
NotAuth	Elevation request not authorized
Sendemail	Sends an email when any of the following conditions exist: Elevation requested User ID released User ID active User ID expired Elevation request not authorized Elevation request canceled (SPE2407)Elevation request approved (SPE2407)Elevation request refused
Sessionend	Sends an email when any of the following conditions exist: User ID released User ID expired Elevation request canceled

If you do not specify an activity, then the default value is Sendemail.

emailAddress

Email address to which the notification email about project activity is sent

PAMvalidates the email address that you specify by checking for an @ character and ignores incorrect email specifications.

CSDATA

Sends the project activity notification to an email address defined in the CSDATA segment

For the notification process to operate correctly when CSDATA is specified, you must have previously configured the EmailCustomField parameter in the EmailProfile block in RSS. For more information, see Email Configuration parameters (EMAILDEF). If the CSDATA segment does not have an email address specified in it, then notification emails are not sent.

Typically, you would enter the project manager's email address to trigger notification to that address from users. To add multiple email recipients, define multiple Notify parameters with the required email addresses.

For example:
Notify userName
Notify @bmc.com

Notify Release+ userName
Notify Release @bmc.com

NotifyURL protocol domain

(Optional) Adds a URL to the notification email that users receive when performing a project activity. The URL redirects users to the BMC AMI Security Logon window. This parameter takes the following values:

protocol is the network protocol that is prefixed in the URL. Specify one of the following values:
- HTTP—The browser creates an insecure connection to the product.
- HTTPS—(Default) The browser creates a secure connection to the product.
domain is the domain name in the URL. Specify one of the following values:
- IP—PAM provides the IP address from the IPAddress parameter (defined in the RSS HTTPServer block). If the IPAddress parameter is not defined, PAM uses the local TCP/IP stack IP address.
- Host—(Default) PAM resolves the IP address to a host name
- hostName—User-specified host name

RACFGroup groupName

(Optional) RACF group associated with the project

Every project has an associated RACF group. For more information, see RACF groups.

If you omit RACFGroup, the default used is the value specified in the PAMProject parameter.

RACFProfile profileName

(Optional) RACF profile containing the access level requirements for the project

Anyone working with this project must have the permissions defined in the specified RACF profile.

Users requesting IDs and self-elevation must have READ access.
Managers who will be approving the requests must have ALTER access.

If you omit RACFProfile, the default used is RSM.RSS.projectname, where projectname is the value specified in the PAMProject parameter.

RestrictRelease Yes|No

Denies a user the privilege of releasing other user IDs that are in the same project

The default is No.

Important

Before you define this parameter, you must define the CSDATAFieldparameter.

SNOWInstance instance

(SPE2407)

ServiceNow instance name used as part of PAM REST API requests.

If your ServiceNow URL is https://companyName.service-now.com, replace companyName with the instance name, which you must provide in the PAM parameter file for REST API access.

SystemList systemName1 systemName2 systemName3 ...

(Optional) Names of servers defined for the project

This parameter applies if you use PAM in a multisystem configuration. Specify one or more servers that user pool or self-elevation IDs associated with the project can access. When a user requests an ID from the project, their authorization to access these servers is verified.

You must make sure that all servers defined for this parameter are also defined in the PAMServers configuration block.

The total list of systems for this parameter always includes the local system on which the master instance is installed. You do not need to define it here.

If you omit SystemList, PAM runs as a single-system instance.

TSSProfile profile

TSS profile associated with the project

This parameter is required for TSS projects. For more information, see TSS profiles.

UniversalMode Yes|No

Determines whether PAM should allow a manager to request a project user ID

When you enable this parameter in a project, to use a project user ID, a manager must request and gain approval. The same manager can approve project user ID requests raised by other users in projects to which the manager has access.

User IDs for managers must have ALTER access.

User IDs for users only must have READ access.

You can use this parameter with user pool mode and self-elevation mode projects. UniversalMode is mutually exclusive with the CSDATAField parameter—if you define both these parameters, PAM considers the CSDATAField configuration only and ignores UniversalMode. For more information, see Self-managed projects.

EndPAMProject

Indicates the end of a project definition

PAMServers table

Located on the master PAM instance, the server configuration member uses the following parameters:

Parameter	Description
PAMServers	Indicates the start of the server definitions
name ipAddress portNumber name ipAddress portNumber	Defines the agent system that PAM user IDs can access Enter the name, IP address, and port number of the servers that you want to associate with PAM. The name can be up to 15 characters and does not have to match the actual name of the server. You can repeat this parameter as many times as needed to include all desired systems.
EndPAMServers	Indicates the end of the server definitions

Important

You do not need to define the local system on which the master instance is installed in the PAMServers member. It is included automatically for all users with authorization on the local system.

PAMAgent table

Located on the agent instance, the agent configuration member uses the following parameters:

Parameter	Description
PAMAgent	Indicates the start of the agent definition
name ipAddress	Defines the name and IP address of the local agent system Enter the name and IP address of the system that PAM user IDs will access. The name can be up to 15 characters and must match the name of a system defined in the master (PAMServers block).
port portNumber	Defines the port number for the local agent system The number must match the port number defined in the master (PAMServers block) for the specified IP address.
EndPAMAgent	Indicates the end of the agent definition

Creating and defining the started task

Create a dedicated started task control (STC) user under which the BMC AMI Security Privileged Access Manager started task will run.

To create the started task

Create the STC user ID with the following characteristics:

TSO ID that is less than eight characters
PROTECTED parameter
OMVS segment
Access to the database directory that you created in Updating the global RSS parameters

Additionally, grant the RACF SPECIAL permission to the STC user ID for PAM and make sure that this user ID is restricted from logging into PAM or performing any normal user activities.
With these authorities, the started task can initialize without security issues. If you encounter access errors on startup, contact BMC Support.

To define the started task to RACF

When you define the user associated with the PAM task, you need to configure the started task definition for the environment where you are running PAM.
To make sure that PAM can read through the entire UNIX file system, scan USS files, and detect anomalies, perform either of the following steps:

Grant the PAM STC user ID READ access to the UNIXPRIV class SUPERUSER.FILESYS
Assign the TRUSTED attribute to the STARTED class profile created for PAM

Use the following commands to define the PAM started task to RACF:

ADDUSER <PAMstcUser> NOPASSWORD NOOIDCARD NAME('BMC AMI PAM') -
OWNER(<PAMOwner>) DFLTGRP(<PAMgroupName>) SPECIAL

CONNECT <PAMstcUser> GROUP(<PAMgroupName>) Owner(<PAMOwner>) AUTH(USE) UACC(NONE)
RDEFINE STARTED <PAMATask>.* STDATA(USER(<PAMstcUser>))
RDEFINE STARTED <PAMMTask>.* STDATA(USER(<PAMstcUser>))
SETROPTS REFRESH RACLIST(STARTED)

ALTUSER <PAMstcUser> OMVS(HOME('<PAMpathName>'))
ALTUSER <PAMstcUser> OMVS(PROGRAM('/bin/sh'))
ALTUSER <PAMstcUser> OMVS(UID(<PAMuidNumber>) SHARED)

Replace the following placeholders:

<PAMstcUser>—RACF user ID under which the PAM started task runs
<PAMOwner>—RACF owner for the resource
<PAMgroupName>—PAM group name to which the RACF user ID belongs
<PAMATask>—Name of the PAM agent procedure
<PAMMTask>—Name of the PAM master procedure
<PAMpathName>—USS home directory for the stcUser
<PAMuidNumber>—User identifier value in the OMVS segment

Configuring after installation

PAMProject table

PAMServers table

PAMAgent table

Creating and defining the started task

To create the started task

To define the started task to RACF

On this page