

Grant CA EEM Access to Selected Administrators

CA EEM access is required to manage user accounts, groups, and policies. By default, you must know the EiamAdmin password to log in to CA EEM with the application set for CA Process Automation. Typically, knowledge of this password is highly restricted because the EiamAdmin user has full control of CA EEM. However, the EiamAdmin user can grant CA EEM login access to other administrators and can specify the objects that they can manage. The following procedure shows how to grant selected administrators the ability to manage user accounts, groups, and policies. This procedure includes defining a new group, creating a custom policy for the group, and assigning the group to user accounts.

Follow these steps:

  1. Browse to CA EEM and log in.
  2. Create EEMAdmins, a CA EEM administrators group, members of which can create user accounts, custom groups, and custom policies.
    1. Click the Manage Identities tab.
    2. Click Groups.
    3. Click New Application Group.
    4. Enter a name for the group (for example, EEMAdmins).
    5. (Optional) Add a description.
    6. Click Save.

    Note: Do not select an Application Group.

  3. Create a policy that grants the ability to create user accounts, custom groups, and custom policies. Assign EEMAdmins as the identity for this policy.
    1. Click the Manage Access Policies tab.
    2. Click Scoping Policies.
    3. Click the link to Administer Objects.
    4. Click Save As and enter a name for this policy (for example, Administer Users and Policies).
    5. Click OK.
    6. Select [User] EiamAdmin and [User] CERT-application-name from the Selected Identities list, and then click Delete.
    7. Click Search Identities for Type Group, and then click Search.
    8. Select the new group (EEMAdmins) and click the right arrow to move the user group (ug) to Selected Identities.
    9. Select and delete all of the resources except ApplicationInstance, Policy, User, UserGroup, GlobalUser, GlobalUserGroup, and Folder.
    10. Verify that the read and write actions are selected.
    11. Click Save.

    Your policy resembles the following example:

    [Figure: Example EEM policy for ProcAutoAdmins]

  4. Add the EEMAdmins group to the user accounts of selected administrators:
    1. Click the Manage Identities tab.
    2. Click Application User Details for Search Users.
    3. Select Group Membership as the attribute, LIKE as Operator, and PAMAdmins as Value.
    4. Click Go.

      The CA Process Automation administrators are listed.

    5. Click the name of an administrator.

      The user account of the selected administrator opens. EEMAdmins is displayed as an available user group.

    6. Click the right arrow to move EEMAdmins to Selected User Groups.
    7. Click Save.
  5. Repeat Step 4 for each administrator to whom you want to grant CA EEM rights.
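
The following check is an added example, not part of the CA documentation or the product: it compares a policy, transcribed by hand from the Manage Access Policies page, against what Step 3 describes (only the new group as identity, only the seven listed resources, read and write actions). The dictionary layout, the function name, and the sample values are assumptions made for illustration; this is not a CA EEM export format.

```python
# Added example: audit a scoping policy transcribed from the CA EEM UI
# against Step 3. The dict layout is an assumption, not an EEM export format.

# Resources that Step 3 says to keep; all others should have been deleted.
EXPECTED_RESOURCES = {
    "ApplicationInstance", "Policy", "User", "UserGroup",
    "GlobalUser", "GlobalUserGroup", "Folder",
}
EXPECTED_ACTIONS = {"read", "write"}


def audit_policy(policy, admin_group="EEMAdmins"):
    """Return a list of findings; an empty list means the policy matches Step 3."""
    findings = []
    identities = {(kind.lower(), name) for kind, name in policy.get("identities", [])}
    resources = set(policy.get("resources", []))
    actions = {a.lower() for a in policy.get("actions", [])}

    if ("group", admin_group) not in identities:
        findings.append(f"group {admin_group} is not a selected identity")
    # The Save As copy starts with the identities of Administer Objects
    # (EiamAdmin, CERT-application-name); Step 3 deletes them.
    for kind, name in sorted(identities - {("group", admin_group)}):
        findings.append(f"unexpected identity: [{kind}] {name}")
    for extra in sorted(resources - EXPECTED_RESOURCES):
        findings.append(f"resource should have been deleted: {extra}")
    for missing in sorted(EXPECTED_RESOURCES - resources):
        findings.append(f"resource missing: {missing}")
    if actions != EXPECTED_ACTIONS:
        findings.append(f"actions are {sorted(actions)}, expected read and write")
    return findings


# Constructed sample: a policy that matches Step 3.
SAMPLE_GOOD = {
    "identities": [("Group", "EEMAdmins")],
    "resources": sorted(EXPECTED_RESOURCES),
    "actions": ["read", "write"],
}
# Constructed sample: EiamAdmin left in place, a placeholder resource kept,
# Folder removed by mistake, and write not selected.
SAMPLE_DRIFTED = {
    "identities": [("User", "EiamAdmin"), ("Group", "EEMAdmins")],
    "resources": sorted((EXPECTED_RESOURCES - {"Folder"}) | {"ExampleOtherResource"}),
    "actions": ["read"],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_DRIFTED):
        print(finding)
```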