By default CA Process Automation requires that users that need access into Process Automation be manually added to the appropriate policy group in EEM. Using a Dynamic Group Policy you can create a default permission set that is applied to users automatically.
This information requires that EEM be connected to your external directory and shows how to give all users permission equivalent to the 'pamusers' policy group. This can be refined and altered many different ways, from limiting the Dynamic group to a select Directory Group to specifying a limited set of the 'pamadmin' policy permissions. Please see the 4.x Content Administrator Guide under Administer Advanced CA EEM Security for more information.
Save. The results should match this image:
3. Once the Dynamic Group is setup you must configure it to have the required Policies. In this case we are simply going to match the PamUser Access policies.
The Access Policies that pamuser is associated with are, Environment, Library Browser, Operations, Product User, and Reports.
To add the Dynamic Group to an Access Policy, using Environment as an example:
A. Click on Environment under Access Policies, then Click on PAM40 Environment Policy
B. In the Enter / Search Identities area, select Dynamic Group from the drop down
C. Search for the Dynamic Group policy
D. Click the Down Arrow to add this policy to Selected Identities
E. Check any permissions that match the desired permissions for PamUsers
Save the modified Policy.
4. Duplicate the above steps for each of the remaining Access Policies: Library Browser, Operations, Product User, and Reports
This configuration can take time to be available due to EEM caching login information, during which time some users may not be able to access PAM at all.
Restart both Process Automation Orchestrator Service, and the EEM iTechnology iGateway service to enable this immediately.
If you want to only allow members of a certain Global Group instead of all LDAP users, then follow the above steps, but select Type "Global Group" instead of "Users" when creating the dynamic group. Do not check the "belong" check box for Default, but instead type the group name in the Identity field and hit the Blue arrow to add this to the Selected Identities. Finally check the corresponding "belong" checkbox for your LDAP group.