Getting started


(This topic addresses security administrators. For more information, see Roles-and-permissions.)

BMC AMI Security Privileged Access Manager (PAM) is one of a suite of products that runs under the control of BMC AMI Resident Security Server (RSS).

(SPE2504) To improve performance, reliability, availability, and serviceability for seamless operations, you can enable the high-level manager (RSPAMHLM). Once you enable RSPAMHLM, it starts and manages PAM. For more information, see Running RSS and BMC AMI Security products.

Sometimes, application developers require elevated privileges, which are controlled by external security managers (ESM), like IBM Resource Access Control Facility (RACF), CA Access Control Facility 2 (ACF2), and CA Top Secret Security (TSS), to perform specific application or system changes. For certain critical or sensitive systems, having one or more users with permanent access privileges is a potential security risk.

Application developers who do not have system privileges on a permanent basis can use PAM to request a user ID that has elevated privileges when required. All PAM activity is fully audited and can be associated with change control requests.

You can configure multiple methods for accessing and grouping the temporary system privileges that application developers can request.

User IDs

You can enable two types of user IDs for use in PAM:

  • Logon user ID—used to log on to PAM, with different levels of access
  • Project user ID—user ID with elevated privileges to perform specific system changes

Application developers log on to PAM with their logon user IDs. To perform specific system changes, application developers must request and gain approval for a project user ID that is available in a PAM project to which they have access.

User levels

You can enable logon user IDs that support the following levels of users:

User level    Description
Requester     Permitted to request and receive permission to elevate their privileges to perform specific system actions
Manager       Permitted to authorize requests submitted by users
Hybrid        Permitted to request and receive elevated privileges to perform specific system actions, and also to authorize requests submitted by requesters. Hybrid users cannot authorize their own access requests.
Admin         Permitted to view all PAM projects and access requests
Viewer        Permitted to view authorized PAM projects and access requests

PAM determines the user level based on the privileges you assign to a logon user ID. These privileges are controlled by ESM security protections. For more information about ESM security protections, see Administering.

Projects

You add the user IDs that you create to a project; these are called project user IDs. Users use project user IDs, which carry elevated privileges, to perform system changes. You can create multiple projects in a single PAM instance to meet different requirements.

Access modes for both user ID pools and self-elevation are arranged in projects.

Example

You can define a project for a system programming activity, such as z/OS maintenance or CICS maintenance. You can associate multiple user IDs with the project and each ID can have different privileges.

You can then define another project with application-level maintenance activities and create a different set of user IDs and privileges for that project.

Users authorized to request access must also be authorized for the project. This allows for a high granularity in controlling the level of access users can request, and for what purpose.

Project modes

You can create the following modes of projects in PAM:

  • User ID pools
  • Self-elevation

You can use both modes in a single instance of PAM.

User ID pools

Users get access to a project user ID from a predefined pool. You create user IDs in the ESM database, each of which is assigned the necessary permissions to perform a specific system maintenance role.

IDs in the pool are kept in a revoked state, with an unknown password. When an authorized user wants to perform a controlled function, they receive access to the appropriate user ID from the pool and can set a temporary password. When the authorized user releases the ID or after a preconfigured time, the user ID permissions are revoked and the password is reset to an unknown value.

Self-elevation

Users and managers can have their logon user ID privileges temporarily elevated. You grant them membership to privileged resources (for example RACF groups), each having the necessary permissions to perform a specific system maintenance role.

After a preconfigured time, the privileges are revoked and the user ID is disconnected from the privileged resources.
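The two project modes above share one lifecycle shape: a privilege is granted, then taken back either on release or when a timer runs out. The following model, added here as an illustration and not BMC product code, replaces the real ESM with an in-memory stand-in so the rules can be exercised offline. Pool IDs rest revoked with a random, unknown password; checkout resumes the ID and sets the caller's temporary password; release or expiry revokes it and resets the password to a fresh random value. Self-elevation connects the logon ID to a privileged group and disconnects it on expiry. All class and function names (MockESM, PamBroker, Account, Grant) and the sample IDs are constructed for the example.

```python
"""Lifecycle model of PAM's two project modes: user ID pools and self-elevation.

Added example, not BMC code. MockESM stands in for RACF/ACF2/TSS; PamBroker
plays the role of PAM. All names and sample IDs are hypothetical.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """One user ID as the mock ESM sees it."""
    user_id: str
    revoked: bool = True
    # A pool ID rests with a password nobody knows: a fresh random secret.
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    groups: set[str] = field(default_factory=set)


class MockESM:
    """Stand-in for the external security manager; the only place account state changes."""

    def __init__(self, user_ids: list[str]) -> None:
        self.accounts = {uid: Account(uid) for uid in user_ids}

    def resume(self, uid: str, password: str) -> None:
        acct = self.accounts[uid]
        acct.revoked = False
        acct.password = password

    def revoke(self, uid: str) -> None:
        acct = self.accounts[uid]
        acct.revoked = True
        # Reset to an unknown value so the temporary password dies with the grant.
        acct.password = secrets.token_urlsafe(24)

    def connect(self, uid: str, group: str) -> None:
        self.accounts[uid].groups.add(group)

    def disconnect(self, uid: str, group: str) -> None:
        self.accounts[uid].groups.discard(group)


@dataclass
class Grant:
    """An active privilege: a checked-out pool ID, or a logon ID connected to a group."""
    user_id: str
    expires_at: int           # epoch seconds
    group: str | None = None  # None -> pool checkout; otherwise a self-elevation group


class PamBroker:
    def __init__(self, esm: MockESM, pool_ids: list[str], ttl_seconds: int) -> None:
        self.esm = esm
        self.free = list(pool_ids)          # revoked IDs waiting in the pool
        self.ttl = ttl_seconds              # preconfigured lifetime of a grant
        self.grants: dict[str, Grant] = {}  # key: user ID, or "logonid:group"

    # ---- user ID pool mode ----
    def checkout(self, now: int, temp_password: str) -> str:
        """Hand out the next free pool ID, resumed with the requester's temporary password."""
        if not self.free:
            raise RuntimeError("pool exhausted")
        uid = self.free.pop(0)
        self.esm.resume(uid, temp_password)
        self.grants[uid] = Grant(uid, now + self.ttl)
        return uid

    def release(self, uid: str) -> None:
        """Requester gives the ID back early: revoke it and return it to the pool."""
        self._end(self.grants.pop(uid))

    # ---- self-elevation mode ----
    def elevate(self, logon_id: str, group: str, now: int) -> None:
        """Connect the logon ID to a privileged group for one TTL."""
        self.esm.connect(logon_id, group)
        self.grants[f"{logon_id}:{group}"] = Grant(logon_id, now + self.ttl, group)

    # ---- shared expiry sweep ----
    def expire(self, now: int) -> list[str]:
        """Revoke every grant whose time is up; return the grant keys that ended."""
        ended = [key for key, g in self.grants.items() if g.expires_at <= now]
        for key in ended:
            self._end(self.grants.pop(key))
        return ended

    def _end(self, grant: Grant) -> None:
        if grant.group is None:
            self.esm.revoke(grant.user_id)        # revoked again, password unknown
            self.free.append(grant.user_id)       # back in the pool
        else:
            self.esm.disconnect(grant.user_id, grant.group)


if __name__ == "__main__":
    esm = MockESM(["PAMSYS01", "PAMSYS02", "DEV01"])      # constructed sample IDs
    pam = PamBroker(esm, ["PAMSYS01", "PAMSYS02"], ttl_seconds=3600)
    uid = pam.checkout(now=0, temp_password="Tmp-Pass-1")
    print(uid, esm.accounts[uid].revoked, esm.accounts[uid].password)
    pam.elevate("DEV01", "SYSPROG", now=0)
    print(pam.expire(now=3600), esm.accounts[uid].revoked, esm.accounts["DEV01"].groups)
```

The point of routing every state change through the ESM stand-in is that the broker itself never holds a usable credential: after `_end`, the only copy of the temporary password is gone and the ID is back in the revoked state the page describes.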

Request modes

PAM operates in two request modes:

  • Automatic—users are automatically given access to the privileged user IDs without any further authorization.
  • Approval—users must wait until their request is approved by a manager.

Request mode is defined in the configuration parameters for each project. You can define a request mode according to the time, day, or week. For example, requests during office hours can be in Approval mode and requests outside of office hours can be in Automatic mode.
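The schedule-driven request mode and the approval rules from the user-level table combine into a small decision procedure. The code below is an added example, not BMC code: it picks the mode for a request from a time-of-day schedule (Approval during office hours, Automatic otherwise, as in the example above), lets only users authorized for the project request access, lets only Manager and Hybrid users approve, and refuses a Hybrid user's approval of their own request. The office-hours window, the user records and every class name (Level, Mode, Schedule, Project, Request) are constructed for the example.

```python
"""Request-mode schedule and approval rules for a PAM project, as a runnable model.

Added example, not BMC code. The schedule, user records and class names are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum


class Level(Enum):
    REQUESTER = "requester"
    MANAGER = "manager"
    HYBRID = "hybrid"
    ADMIN = "admin"
    VIEWER = "viewer"


# Who may do what, per the user-level table: Admin and Viewer only observe.
CAN_REQUEST = {Level.REQUESTER, Level.HYBRID}
CAN_APPROVE = {Level.MANAGER, Level.HYBRID}


class Mode(Enum):
    AUTOMATIC = "automatic"
    APPROVAL = "approval"


class Status(Enum):
    GRANTED = "granted"
    PENDING = "pending"
    DENIED = "denied"


@dataclass
class Schedule:
    """Constructed window: Mon-Fri 09:00-17:00 needs approval; anything else is automatic."""
    start: time = time(9, 0)
    end: time = time(17, 0)
    workdays: frozenset[int] = frozenset(range(0, 5))  # Monday=0 .. Friday=4

    def mode_at(self, when: datetime) -> Mode:
        in_office_hours = when.weekday() in self.workdays and self.start <= when.time() < self.end
        return Mode.APPROVAL if in_office_hours else Mode.AUTOMATIC


@dataclass
class Request:
    requester: str
    project: str
    status: Status
    approver: str | None = None


class Project:
    def __init__(self, name: str, users: dict[str, Level], schedule: Schedule) -> None:
        self.name = name
        self.users = users          # logon IDs authorized for this project, with their level
        self.schedule = schedule
        self.audit: list[str] = []  # every decision is recorded, granted or not

    def request(self, logon_id: str, when: datetime) -> Request:
        level = self.users.get(logon_id)     # None if not authorized for the project
        if level not in CAN_REQUEST:
            req = Request(logon_id, self.name, Status.DENIED)
        elif self.schedule.mode_at(when) is Mode.AUTOMATIC:
            req = Request(logon_id, self.name, Status.GRANTED)
        else:
            req = Request(logon_id, self.name, Status.PENDING)
        self.audit.append(f"{when.isoformat()} request {logon_id} -> {req.status.value}")
        return req

    def approve(self, req: Request, approver: str, when: datetime) -> Request:
        level = self.users.get(approver)
        if req.status is not Status.PENDING:
            outcome = "ignored: not pending"
        elif level not in CAN_APPROVE:
            outcome = "rejected: approver lacks authority"
        elif approver == req.requester:
            outcome = "rejected: self-approval"   # Hybrid users may not approve their own request
        else:
            req.status, req.approver = Status.GRANTED, approver
            outcome = "granted"
        self.audit.append(f"{when.isoformat()} approve {req.requester} by {approver}: {outcome}")
        return req


if __name__ == "__main__":
    users = {"DEV01": Level.REQUESTER, "MGR01": Level.MANAGER, "HYB01": Level.HYBRID}
    proj = Project("ZOSMAINT", users, Schedule())
    r = proj.request("HYB01", datetime(2024, 6, 4, 10, 0))   # a Tuesday, office hours
    proj.approve(r, "HYB01", datetime(2024, 6, 4, 10, 5))   # refused: self-approval
    proj.approve(r, "MGR01", datetime(2024, 6, 4, 10, 6))   # granted
    print("\n".join(proj.audit))
```

Keeping the authorization check inside `approve` rather than in the caller matters: a request that is already granted, or an approver who is only a Viewer, is recorded in the audit trail with the reason, which is what lets the activity be tied back to change-control records later.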

Where to go from here

If you are a system programmer and want to install and configure PAM, see the following topic branches:

To start using PAM to request and grant elevated privileges, see Using.

BMC AMI Security Privileged Access Manager 2.3