How to assign our LDAP user groups with very specific permissions in ITPAM


Article ID: 220784


Updated On:


CA Process Automation Base


We would like to assign some of our users with very specific permissions within ITPAM, such as only able to perform reporting, or only able to import or export.  We have created LDAP user groups for this purpose have assigned users to these LDAP groups.  We would like to know how to assign specific ITPAM permissions to these LDAP user groups.


Release : 4.3

Component : CA Embedded Entitlements Manager


For each global group in Active Directory, the idea will be to add that group to the necessary Access Policies for the Process Automation product within EEM so that they are able to perform the necessary functions.  For example, to grant login access, you’d add the groups to the PAM40 User Login Policy, like this:

(btw, all your groups will need to be granted this permission)

The master-list of permission policies is here:

So, the idea will be to go down the list for each group, think through “a day in the life” of a user in that group, and identify which of those policies will be needed to allow a user in that group to accomplish the job you want them to perform.