Manage Access for Referenced User Accounts

Administer Basic CA EEM Security › Manage Access for Referenced User Accounts

Manage Access for Referenced User Accounts

If you reference an external user store during CA EEM installation, global groups and user accounts are automatically loaded into CA EEM. CA Process Automation allows the loading of up to 10000 accounts with a configurable parameter that extends the CA EEM setting of 2000. For information about customizing this setting, see Set Maximum Number of CA EEM Users or Groups.

The user accounts from a referenced external user store are loaded as read-only records. If a new user needs an account, create it in the external user store. The new record is automatically loaded. You can provide access to CA Process Automation at either the global group level or the global user level.

You configure CA EEM to grant access to CA Process Automation and its components, but the referenced user store manages authentication. To log in to CA Process Automation, the global users with login access use the user name and password (or the principal name and password) in the referenced user store.

Note: You cannot use CA EEM to update the user records stored in an external user store.

To manage access for users with accounts stored in an external user store, consider the following approaches.

Add an application group to each global user account.
Search for each global user by name. Assign one of the default application groups (PAMAdmins, Designer, Production Users, or PAMUsers) or a custom group to the global user account. You can also create global groups and add selected global users to them.

Important! Always enter criteria when searching to avoid displaying all entries in an external user store.
Add a global group to CA Process Automation access policies, then select the actions to grant.
Specifically, add the global group to the predefined policies that provide the access you want all users in the group to have. For example, add the global group to the PAM40 User Login Policy to let all global users in that group log in to CA Process Automation. To give access to the Designer tab, add the group to the PAM40 Designer Policy.
Create a dynamic group that consists of selected global users or global groups. Custom application groups can be added to a dynamic group.
Follow the documented procedure Integrating Active Directory with CA EEM.
This procedure gives all users in your AD full access to CA Process Automation without any configuration in CA EEM. While easy to implement, it lacks the security of role-based access.

Important! For third-party LDAP servers, configure the following parameter under the ou=system context level:

ou=Global Groups

More information:

Assign an Application Group to a Global User

Create a Dynamic User Group Policy