Using
This topic describes tasks that you can perform using the BMC AMI Security Privileged Access Manager product:
- Task 1—To log on to PAM
- Task 2—To request a user ID
- Task 3—To approve a pending user ID request
- Task 4—To accept an approved user ID
- Task 5—To set a password for user pool IDs
- Task 6—To release a user ID
- Task 7—To resolve a conflicting status (Multisystem configurations only)
- Task 8—To sort projects
- Task 9—To view a status report
- Task 10—To reset the password of a user pool user ID without releasing the user ID
Task 1—To log on to PAM
Your system might vary depending on the installed products.
- In a web browser, enter https://systemName:port, substituting the values as determined by your installation and the RSS configuration.
- In the BMC AMI Security Logon window, enter your user ID and password and click Log On.
The Product Selection menu appears.
- Click the PAM Launch button.
The PAM dashboard displays the projects that you have access to.
(SPE2410) The footer of the PAM UI displays information such as the current user ID, the product name, and the current release and version details.
PAM dashboard
You can use the buttons at the top of the dashboard to perform the following actions:
Button | Action |
---|---|
Menu | Return to the Product Selection menu |
Refresh status | Display the latest project statuses |
Status report | Display the status of elevation requests |
Sort projects | Sort projects and requests based on the selected option |
Log Off | Exit PAM and the BMC AMI Security product group |
PAM projects
Each project has its own status table that lists the user IDs assigned to that project.
The project status table provides the following information:
Column | Description |
---|---|
UserID | Unique identifier of the temporary user ID to which special privileges are assigned. For user pool projects, all user IDs in the pool are displayed. For self-elevation projects, only user IDs currently upgraded with special privileges are displayed. |
User Description | Taken from the NAME field of the user profile |
State | Current state of the user ID |
Change or Incident ID | Manually entered string associated with a pending or active request |
Comment | Displays the text that you entered in the Comment box on the Confirm PAM Access Request modal window that appeared when you requested the project user ID |
Current Status | Description of the current state of the user ID generated by the system |
Expires | Date and time when the user ID will be released |
Action | Button that enables you to take the next action. The button changes depending on the State of the user ID. |
Action buttons
The following function buttons can appear next to a row in the table, depending on the user level and state of the user ID:
Function | Description | User level |
---|---|---|
Request | Request a temporary user ID or self-elevation. | User |
Approve | Approve a user request. | Manager |
Accept | Accept an approved user ID or self-elevation. | User |
View | View the date and time at which an approved and accepted user ID request with an access window will be available for use. | Both |
View Status | (Multisystem configurations only) View the status of requested systems when there is a conflict (see State, ConflictingStatus). You can take action on any active systems for which you have authorization. | Both |
Set Password | Set a temporary password to begin using the user ID. | User |
End Session | Release a temporary user ID or self-elevation. | Both |
Session Settings | Reset the password of a user pool user ID without releasing it. | User |
Self-elevation projects and concurrent mode
When checking the status table of self-elevation projects, you might see the state Another non-concurrent project is already active.
This can occur when a self-elevation project is already active and one of the following conditions is true:
- The active project was configured with ConcurrentMode = False.
- The user tries to access a new self-elevation project that is configured with ConcurrentMode = False.
For more information about ConcurrentMode, see Configuring-after-installation.
Task 2—To request a user ID
This procedure is the same for both user ID pool and self-elevation projects.
- Locate the project that you want to access.
- Click Request to the right of the table row containing the required user ID. Self-elevation projects have a single row only.
The Confirm PAM Access Request dialog box appears.
- (SPE2410) (Multisystem configurations only) The Select Systems pane displays all online systems under the All Online Systems collapsible panel and offline systems under the All Offline Systems collapsible panel. Select one or more systems to access with the user ID:
- Select all: Click to access all of the systems in the list.
- Clear All: Click to clear the selections.
- Select all Online: Click to access all the online systems.
- Select all Offline: Click to access all the offline systems.
- Select the relevant checkbox to individually select the required system.
- (Optional) Decide on a timeframe for using the ID:
- For immediate access upon activation for the specified days, hours, or minutes, select (SPE2407) Access Retention (Before SPE2407–Access Duration). The maximum duration that you can select is two years.
- To provide access to the ID for a specific period only or for some time in the future, select Access Window. You must specify both a start date and time, and an end date and time.
- Enter the Change or Incident ID, from 1 to 15 characters, that you want to associate with the request.
(SPE2407) You can select a prefix from the list that is generated based on the ChangeIDPrefix parameter.
- (Optional) In the Comment box, enter a textual description of the change (up to 128 characters).
The text that you enter in the Comment box is displayed in the RSS audit log, prefixed by the text Comment:
- (SPE2501) (Optional) In the ServiceNow User and ServiceNow Password boxes, enter a valid ServiceNow user ID and password.
- If PAM successfully validates the entered credentials with ServiceNow, PAM stores these credentials for future validations. You do not have to enter the ServiceNow credentials the next time you request a user ID.
- If PAM fails to validate the entered credentials, it displays the following error message and requests the credentials again:
SNOW Validation: User Not Authenticated
- (Optional) To receive notification before access for the user ID is about to expire, select Send Expiry Notification.
The dialog box expands to present additional options.
- Modify the Expiry Notification options as required:
- Expiry Timer specifies the time between the notification and the user ID expiration. The maximum is 90 days.
- Recipient defines the email address or TSO user ID for notification. Select the type from the list and enter the address or ID in the box.
- Click Add New Recipient to add additional email or TSO recipients.
- To remove a recipient, delete their email or TSO user ID. If the fields are empty, they are not processed.
- (Optional) To receive notification when the request is approved or rejected, select Send Approval Notification. This applies only to requests that require manager approval.
The dialog box expands to present a box in which you can add the email address to which the notification should be sent.
- In the Email Recipient box, enter an email address:
- You can enter only a single email address.
- If you leave this box empty, the address defined for the EmailCustomField parameter of the EmailProfile configuration member for BMC AMI Resident Security Server is used. For more information about the EmailCustomField parameter, see Email Configuration parameters (EMAILDEF).
- If no address is defined for the EmailCustomField parameter and you leave this box empty, no email is sent.
- Click Submit.
Does the request require approval? | What happens next |
---|---|
Yes | The dashboard updates the State to Pending, and the Current Status to Pending approval for the user making the request. It remains in this state until the request is approved. |
No | If the user ID is from a user pool project, the Generate PAM Password dialog box is displayed. Proceed to Task 5—To set a password for user pool IDs. If the user ID is from a self-elevation project, you can begin using your elevated rights. |
(Multisystem configurations only) For both user pool and self-elevation projects, if the user ID state changes to ConflictingStatus:
- A View Status button appears to the right of the table row.
- When you click View Status, the Environmental Status dialog box appears displaying the statuses of the systems included in the request.
- Set Password buttons appear only next to systems that are available. Proceed to Task 5—To set a password for user pool IDs.
Task 3—To approve a pending user ID request
This procedure is slightly different in a multisystem configuration.
- Click Approve to the right of the table row containing the required user ID.
Depending on the project type, the Authorize PAM Access Request (user pool ID) or Authorize PAM Upgrade Request (self-elevation) dialog box appears.
- Review the details of the request.
(Multisystem configurations only) You can see the list of systems for which the user has requested access, but you cannot modify the selections.
- (Optional) Modify the timeframe for using the ID. The option that appears depends on the format selected by the user who submitted the request.
- (SPE2407) Access Retention (Before SPE2407–Access Duration) provides immediate access upon activation for the specified days, hours, or minutes.
- Access Window provides access for a specific period only. You must specify both a start date and time, and an end date and time.
- In the Password for box next to your user ID, enter your password.
(Multisystem configurations only) You must enter a password for each system in the request. You can enter them individually or duplicate them by clicking Duplicate Password.
To automatically generate a random password, you must have already defined the AutoGeneratedPassword parameter.
You can copy your password (autogenerated or manually entered) to the clipboard by clicking Copy password. To enable the Copy password button, the browser connection must be secured by using Application Transparent Transport Layer Security (AT-TLS).
- To authorize the request, click Approve. The dashboard updates the State of the selected user ID to Approved and the Current Status to Pending acceptance.
- To reject the request, click Refuse.
- To exit the dialog box without making any changes, click Close.
Approving requests
Most access requests require approval.
- Only manager-level users can approve requests.
- Requests awaiting approval are in the Pending or ConflictingStatus state.
- Projects enabled with email notification inform the manager (approver) that a request is pending.
- Those with the appropriate access can see at any time which user IDs need approval by logging on to the dashboard.
You can use the Approver parameter, when creating a PAM project, to automatically notify the specified approver when a request is pending. For example, if you enter the email address of your support mailbox, the request can be approved by one of many available approvers. For more information about the Approver parameter, see Configuring-after-installation.
Approving requests in a multisystem configuration
The options that you are presented with change according to the available systems.
- If the request is in a conflicted status, a View Status button appears to the right of the table row instead of an Approve button.
- When you click View Status, the Environmental Status dialog box appears displaying the statuses of the systems included in the request.
- Approve buttons appear next to any systems that are available to be approved.
Task 4—To accept an approved user ID
After a manager approves a user ID request, users refreshing their dashboard see that the button to the right of the row has changed.
This procedure is slightly different in a multisystem configuration.
- Click Accept next to the table row containing the user ID.
- If the user ID is from a user pool, the Generate PAM Password dialog box appears. Proceed to Task 5—To set a password for user pool IDs.
- If the request uses an Access Window and the start time has not begun, a message appears telling you when the window starts. To exit the message, click Close. The Accept button changes to View until the start of the access window. When the access window starts, the button changes to Set Password. Proceed to Task 5—To set a password for user pool IDs.
- If the user ID is for self-elevation, the Confirm PAM Upgrade dialog box appears.
Enter your password.
(Multisystem configurations only) You must enter a password for each system in the request. You can enter them individually or duplicate them by clicking Duplicate Password. To automatically generate a random password, you must have already defined the AutoGeneratedPassword parameter.
You can copy your password (autogenerated or manually entered) to the clipboard by clicking Copy password. To enable the Copy password button, the browser connection must be secured by using Application Transparent Transport Layer Security (AT-TLS).
- Perform one of the following steps:
- To accept the user ID, click Submit. The dashboard updates the State of the selected user ID to InUse and the Current Status to In Use by for the user who requested the ID.
- To cancel the request and return the user ID unused, click Cancel Request.
- To exit the dialog box without making any changes, click Close.
Accepting an approved user ID
Notifications can be set for approved requests.
- If the project is enabled with email notification, the user receives an email that the request is approved.
- If the user specified an email address in the Send Approval Notification box when submitting the request, the email recipient is notified if the request was approved or rejected. For more information, see Task 2—To request a user ID, substep 8.
Accepting an approved user ID in a multisystem configuration
The options that you are presented with change according to the available systems.
- If the request is in a conflicted status, a View Status button appears instead of an Accept button.
- The request that is in a conflicted status is highlighted in orange and its State is displayed as ConflictingStatus.
- When you click View Status, the Environmental Status dialog box appears displaying the statuses of the systems included in the request.
- Accept buttons appear next to all systems. But for an unavailable system, the Accept button is dimmed and the system is highlighted in red.
Task 5—To set a password for user pool IDs
When you submitted your user ID request, you clicked one of the following buttons:
- Submit, if the user ID is from a project with automatic approval
- Accept, if the user ID is from a project that requires a manager's approval
- Set Password, if the user ID is from a project that requires a manager's approval and you defined an Access Window for the request, or (Multisystem configurations only) if the user ID is in a conflicted status. You can set the password for an online system only.
The Generate PAM Password dialog box appears.
To begin using the elevated rights of your temporary user ID, you need to set a password for the ID.
(Multisystem configurations only) You must enter a password for each system in the request. You can enter them individually or duplicate them by clicking Duplicate Password.
If you have the AutoGeneratedPassword parameter enabled, perform the following steps:
- In the Password Entry for userID box, enter the password for your logon user ID and click Submit.
- In the New Password for userID box, enter a new password for the project user ID and click Submit.
To automatically generate a random password, you must have already defined the AutoGeneratedPassword parameter. You can copy your password (autogenerated or manually entered) to the clipboard by clicking Copy password. To enable the Copy password button, the browser connection must be secured by using Application Transparent Transport Layer Security (AT-TLS).
To cancel the request and return the user ID unused, click Cancel Request.
To exit the dialog box without making any changes, click Close.
If you do not have the AutoGeneratedPassword parameter enabled, perform the following steps:
- In the Password for box, enter your password.
- In the New Password for box, enter the temporary password for the user ID.
You can copy your password (autogenerated or manually entered) to the clipboard by clicking Copy password. To enable the Copy password button, the browser connection must be secured by using Application Transparent Transport Layer Security (AT-TLS).
- In the Confirm New Password for box, confirm the temporary password for the user ID.
- Perform one of the following actions:
- To begin using the ID, click Submit.
- To cancel the request and return the user ID unused, click Cancel Request.
- To exit the dialog box without making any changes, click Close.
The dashboard updates the State of the selected user ID to InUse and the Current Status to In Use by your ID, as the user who requested the ID. If the user ID is from a project that is enabled with email notification, the manager who approved the request receives an email that the ID was accepted. You can now begin using your elevated rights.
The password is valid only for the time defined in the user ID request after the user has set the password and activated the user ID. When the time period expires or if the request is released, the password is reset to an unknown value. If REVOKE was specified for the AccessRetention parameter in the PAM configuration member, the user ID is flagged as revoked when not in use. For more information, see Administering.
Task 6—To release a user ID
All user IDs have a defined duration. When the duration expires, the IDs are revoked automatically. If a task is completed early, you can release the user ID back into the pool or project.
To the right of the table row containing the user ID that you want to return, click one of the following buttons:
- If you are using a self-elevated user ID, click End Session.
- (SPE2501) If you are using a user pool user ID, click Session Settings. On the subsequent Session Settings modal window, click End Session.
The Session Settings button is displayed for user pool user IDs only.
(Multisystem configurations only) To end a user ID session in a multisystem configuration, you must click Select all to select all online systems.
The Confirm PAM Access Release of dialog box appears.
- Perform one of the following actions:
- To release the ID back into the pool or project, click Submit.
- To exit the dialog box without releasing the ID, click Close.
The button to the right of the row changes from End Session or Session Settings to Request.
If the user ID is from a project that is enabled with email notification, the manager who approved the request receives an email that the ID was released.
(Multisystem configurations only) Session Settings and End Session buttons might also appear in a View Status dialog box for user IDs with multiple systems.
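The lifecycle that Tasks 2 through 6 describe (request, manager approval, acceptance or password entry, and release on End Session or expiry), together with the ConcurrentMode rule from the "Self-elevation projects and concurrent mode" section, can be seen end to end in the following Python model. This is an added example, not BMC's code, and says nothing about how PAM is implemented internally: the State names and Current Status wording follow this page, while the class and function names, the sample project and user IDs, the treatment of the project user ID's password as None after release ("reset to an unknown value") and the omission of multisystem ConflictingStatus handling are all assumptions made for the example.

```python
# Added illustrative model of the elevation lifecycle in Tasks 2-6 and of the ConcurrentMode
# rule for self-elevation projects. Not BMC code: State names follow the page; class and
# function names, sample IDs, and None as the "unknown" password after release are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

class State(Enum):
    AVAILABLE = "Available"
    PENDING = "Pending"      # Current Status: Pending approval
    APPROVED = "Approved"    # Current Status: Pending acceptance
    IN_USE = "InUse"         # Current Status: In Use by <requestor>

class PamError(Exception):
    """An action that the current state, user level, or configuration does not allow."""

@dataclass
class Project:
    self_elevation: bool          # True: self-elevation project, False: user pool
    requires_approval: bool
    concurrent_mode: bool = True  # ConcurrentMode parameter

@dataclass
class Request:
    project: Project
    user_id: str
    change_id: str                  # Change or Incident ID, 1 to 15 characters
    expires: datetime
    state: State = State.AVAILABLE
    password: Optional[str] = None  # None models "reset to an unknown value"

class Dashboard:
    def __init__(self, now: datetime):
        self.now = now
        self.requests: List[Request] = []

    def request(self, project: Project, user_id: str, change_id: str, retention: timedelta) -> Request:
        if not 1 <= len(change_id) <= 15:
            raise PamError("Change or Incident ID must be 1 to 15 characters")
        # A self-elevation is refused while another is active if either project has ConcurrentMode = False.
        for r in self.requests:
            if project.self_elevation and r.project.self_elevation and r.state is State.IN_USE \
                    and not (r.project.concurrent_mode and project.concurrent_mode):
                raise PamError("Another non-concurrent project is already active")
        req = Request(project, user_id, change_id, self.now + retention)
        req.state = State.PENDING if project.requires_approval else State.APPROVED
        self.requests.append(req)
        return req

    def approve(self, req: Request, user_level: str) -> None:
        if user_level != "Manager":
            raise PamError("Only manager-level users can approve requests")
        if req.state is not State.PENDING:
            raise PamError("Request is not pending approval")
        req.state = State.APPROVED

    def activate(self, req: Request, new_password: Optional[str] = None) -> None:
        """Accept (self-elevation) or Set Password (user pool ID): the ID becomes usable."""
        if req.state is not State.APPROVED:
            raise PamError("Request is not awaiting acceptance")
        if not req.project.self_elevation and not new_password:
            raise PamError("User pool IDs need a temporary password before use")
        req.password = None if req.project.self_elevation else new_password
        req.state = State.IN_USE

    def release(self, req: Request) -> None:  # End Session, or automatic expiry
        req.state, req.password = State.AVAILABLE, None

    def expire(self) -> List[Request]:  # release every in-use ID whose Expires time has passed
        due = [r for r in self.requests if r.state is State.IN_USE and r.expires <= self.now]
        for r in due:
            self.release(r)
        return due

def demo() -> dict:
    """Walk a pool ID and two self-elevation IDs through the lifecycle (constructed data)."""
    dash = Dashboard(datetime(2025, 1, 1, 9, 0))
    req = dash.request(Project(self_elevation=False, requires_approval=True), "PAYTMP01", "CHG0001", timedelta(hours=4))
    out = {"after_request": req.state}
    try:
        dash.approve(req, "User")                # user-level approval is refused
    except PamError:
        out["user_approve_blocked"] = True
    dash.approve(req, "Manager")
    dash.activate(req, "Tmp-Pass-2025!")         # Generate PAM Password step
    out["after_activate"] = (req.state, req.password is not None)
    strict = Project(self_elevation=True, requires_approval=False, concurrent_mode=False)
    dash.activate(dash.request(strict, "BOB", "INC0002", timedelta(hours=1)))
    try:
        dash.request(Project(self_elevation=True, requires_approval=False), "BOB", "INC0003", timedelta(hours=1))
        out["concurrent_blocked"] = False
    except PamError:
        out["concurrent_blocked"] = True
    dash.now += timedelta(hours=5)               # past both retentions
    out["expired"] = len(dash.expire())
    out["after_expiry"] = (req.state, req.password)
    return out
```

demo() takes one user pool ID from Pending through Approved to InUse, shows a second self-elevation being refused while a ConcurrentMode = False project is active, and then advances the clock past both retention periods so that expire() returns the IDs to Available with their passwords cleared. The two properties worth checking in any such model are the ones the page states: only a manager-level user can move a request out of Pending, and every grant carries an Expires time after which the credential is no longer valid.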
Task 7—To resolve a conflicting status (Multisystem configurations only)
When you work across multiple systems, sometimes systems are unavailable or a request to access a system fails. PAM tracks the state of both local and remote systems. If a system reports an unexpected status, the Dashboard displays a ConflictingStatus state.
- Click View Status next to the user ID and open the Environmental Status dialog box in which you can view the statuses of each system included in the request.
- Use the Action buttons Approve (for managers), Accept or Set Password (for users) to continue with the request.
- Click Request to retry systems that have failed elevation.
- Contact the system administrator for any systems that continue to fail. Either the system is down or the user does not have authorization for that system.
Task 8—To sort projects
If you are maintaining numerous projects that have multiple user IDs, then it can be difficult to find the required project from the list of projects in the dashboard. You can sort the view of your projects by using the project sorting feature.
To use this feature, click Sort projects at the top of the dashboard and select an option from the list.
The status tables are rearranged and the projects that satisfy the selected condition move to the top of the list.
The sort project feature sorts tables alphabetically.
Select one of the following options to move the indicated projects or requests to the top of the list:
Option | Projects or requests |
---|---|
Available for Request | Projects with user IDs available for request |
Pending approval | Requests awaiting approval |
Pending window | Approved user ID requests that are waiting for their requested window to start |
Pending accept | Projects with user IDs approved by the manager and that are not accepted by the user |
Awaiting password | Requests that are accepted but are pending for a user to set the password |
In use | Projects with user IDs that are in use |
Conflicting | Requests made for user IDs that have a conflicting status across multiple systems |
All actionable requests | Projects with user IDs that a user can perform an action on. This includes requests, approvals, releases, and so on. |
All active requests | Requests that are not in Ready state. Displays all requests that are raised. |
Default | Displays the list of projects in its default view as defined in the PAM parameters. You can use this option to reset project sorting. |
The selected project sorting option applies for the whole session, so you don't need to keep using the sort feature to approve multiple requests.
Additionally, you can use the project sorting feature to perform the following tasks:
Task | Action |
---|---|
Sort a column in the status table in ascending or descending order. | On the status table, click the arrow in the column header. |
Search for a string in the table and filter the table according to the string that you searched. | Enter the string in the Search box above the status table. |
Select the number of entries to be displayed in the status table. | Click the Show entries box above the status table and select the required number of entries to be displayed. Select 10, 25, or 50. If the total number of entries for a project exceeds the number of entries displayed on a tab, click the tab number or Next or Previous to display the entries available on the next or previous tabs. |
Task 9—To view a status report
You can view the status of the elevation requests by using the status report feature. To use this feature, click Status Report at the top of the dashboard and select one of the following options:
- Active Requests—Displays all requests that are not in the Available status
- All Requests—Displays all requests, including the requests in Available status
After you select an option, the product displays a modal window with a table containing the following information:
Column | Description |
---|---|
Project | Name of the project |
User | Requested user ID |
User Description | Taken from the NAME field of the user profile |
Requestor | User ID that raised the request |
Approver | User ID that approved the request |
Change or Incident ID | Manually entered string associated with a pending or active request |
Comment | Displays the text that you entered in the Comment box on the Confirm PAM Access Request modal window that appeared when you requested the project user ID |
Current Status | Description of the current state of the user ID generated by the system |
Start Time | Date and time when the user ID is available for use |
Expiry Time | Date and time when the user ID is released |
You can search for any information in the table by using the search box above the table. You can use the buttons above the search box to perform the following actions:
Button | Action |
---|---|
Copy | Copies the table to the user's clipboard |
XLSX | Downloads the status report in Excel format |
CSV | Downloads the status report in CSV format |
PDF | Downloads the status report in PDF format |
Alternatively, you can generate a status report by running the STATUSREPORT command in an MVS console. For more information, see Commands.
An example of the output for this command follows:
Task 10—To reset the password of a user pool user ID without releasing the user ID
The Session Settings button is displayed for user pool user IDs only. When a user pool user ID is in use, the Session Settings button is displayed in the Action column to the right of the user ID.
- In the Action column of the user ID that you want to reset the password, click Session Settings.
The Session Settings modal window is displayed, showing the project name and the selected user ID.
- Click Reset Password.
(Multisystem configurations only) The All Online Systems section in the Session Settings modal window displays all systems to which the user ID has access. All systems are selected by default. Select the required systems and click Reset Password.