Dynamic Group Policy to enable PamUsers level permissions for everyone in Active Directory.

Document ID : KB000019573
Last Modified Date : 14/02/2018

Description:

By default, CA Process Automation requires that each user who needs access to Process Automation be manually added to the appropriate policy group in EEM. Using a Dynamic Group Policy, you can create a default permission set that is applied to users automatically.

The following information is taken from an EEM r12 installation, but the steps apply to the earlier 8.4 as well. It requires that EEM be connected to your external directory, and it shows how to give all users permissions equivalent to the 'pamusers' policy group. This can be refined and altered in many ways, from limiting the Dynamic Group to a select directory group to specifying a limited set of the 'pamadmin' policy permissions. For more information, see "Administer Advanced CA EEM Security" in the 4.x Content Administrator Guide.

Solution:

  1. Log in to the Process Automation Application in EEM as the EiamAdmin user.
  2. On the Manage Access Policies tab:

    1. Click the small Create New Policy icon to the left of the Dynamic User Group Policies folder.
    2. Enter a Name and Description.
    3. Change Type from Access Policy to Identity Access Control List.
    4. Place a check in the 'belong' box under Selected Identities.
    5. In the Add resources box at the bottom of the page enter the exact Name given in step 1 and click the +plus button.
    6. Save. The results should match this image:

      Figure 1
  3. Once the Dynamic Group is set up, you must configure it to have the required policies. In this case we are simply going to match the PamUser Access Policies.

    The Access Policies that pamuser is associated with are Environment, Library Browser, Operations, Product User, and Reports.

    To add the Dynamic Group to an Access Policy, using Environment as an example:

    1. Click Environment under Access Policies, then click PAM40 Environment Policy.
    2. In the Enter / Search Identities area, select Dynamic Group from the drop-down.
    3. Search for the Dynamic Group policy.
    4. Click the Down Arrow to add this policy to Selected Identities.
    5. Check any permissions that match the desired permissions for PamUsers.
    6. Save the modified Policy.

      Figure 2
  4. Duplicate the above steps for each of the remaining Access Policies: Library Browser, Operations, Product User, and Reports.

    This configuration can take time to become available because EEM caches login information; during that time some users may not be able to access PAM at all. To make the change take effect immediately, restart both the Process Automation Orchestrator service and the EEM iTechnology iGateway service.

    If you want to allow only members of a certain Global Group instead of all LDAP users, follow the above steps, but select Type "Global Group" instead of "Users" when creating the dynamic group. Do not check the "belong" check box for Default; instead, type the group name in the Identity field and click the blue arrow to add it to the Selected Identities. Finally, check the corresponding "belong" check box for your LDAP group.

    Figure 3