Configuring EEM Policy for Read-Only Access in Process Automation (ITPAM)

Article ID: 439135

Products

CA Process Automation Base

Issue/Introduction

An EEM policy is needed that can be assigned to a global LDAP/AD group so that every user in that group gets exactly the following privileges within ITPAM:

  • Able to log in to ITPAM and see the Home, Library and Designer tabs
  • Library tab - read-only access to the following folders and their contents (sub-folders and files)
    • Dataset
    • Production
  • Within the ITPAM UI
    • Should NOT be able to create any new files or folders, whether by the "New" or the "Copy" action
    • Should NOT be able to delete, rename, move, import or export existing files or folders
    • Should NOT be able to activate or deactivate any schedules
    • Should NOT be able to check in, check out or edit any files
    • Should NOT be able to start any runbooks
    • Should be able to open the visible files in the Designer tab (read-only view)
    • Should be able to view the Dataset and runbook files

Environment

CA Process Automation (ITPAM) 4.x, integrated with LDAP/Active Directory
CA Embedded Entitlements Manager (EEM) 12.x

Resolution

To grant read-only access to specific folders and their subfolders while preventing modification and execution of runbooks, follow these configuration steps in CA EEM:

1. Create a Custom Group

  1. In CA EEM, select the ITPAM application.
  2. Create a Custom Group (for example, PAM_ReadOnly_Group).
  3. Add this custom group as a member of the PAM Users group. Membership of PAM Users supplies the basic login privilege and the minimum read-only rights for the UI tabs (Home, Library, Designer); it is the policy in the next step, not this group, that scopes what the user can do with Library objects.

2. Configure the Object Access Policy

  1. Go to Policies and select Object Access Policy.
  2. Create a new Explicit Grant policy.
  3. Under Identities, select the custom group created in step 1.
  4. Under Access Policy Configuration, add the following resources. Both entries per folder are required: the bare path grants access to the folder object itself, and the /* entry grants access to every sub-folder and file beneath it.
    • /Dataset
    • /Dataset/*
    • /Production
    • /Production/*
  5. Set the Permissions to include only Object List and Object Read. Do NOT select permissions such as Create, Delete, Move, Start or Check-in/Check-out; any permission selected here applies to the whole subtree covered by the /* entries.
  6. Save the policy.

3. Validation

  1. Add the required users (or global AD groups) to the custom group created in EEM.
  2. Synchronize the EEM cache or wait for the default update interval (30 minutes).
  3. Confirm that no other policy applied to PAM Users, or to any other group the test user belongs to, also grants Create, Delete, Move, Start or Check-in/Check-out on /Dataset or /Production. EEM evaluates every policy that matches the identity, so a broader grant elsewhere would widen the effective rights; an Explicit Deny policy scoped to the custom group takes precedence over a grant and can be used to close such a gap.
  4. Log in as a test user. The user should:
    • See the /Dataset and /Production folders and their contents in the Library (and no other folders, unless another policy grants them)
    • Be unable to create, delete, rename, or move any objects
    • Be unable to start runbooks or activate or deactivate schedules
    • Be able to view files in the Designer tab but not edit or check them out
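The following Python script is an added example, not part of the original article or of CA EEM. It models the policy semantics the procedure relies on (resource patterns where a trailing `*` covers the subtree, an action being permitted only if some matching Explicit Grant exists and no matching Explicit Deny does) so that the expected outcome matrix from the Validation step can be checked before a test user logs in. The evaluation rules, the policy and folder names, and the "broad Start grant" policy are assumptions constructed for illustration; the real permission names are the ones shown in the EEM policy editor.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One EEM Object Access Policy (names are constructed for illustration)."""
    name: str
    identities: frozenset   # EEM groups the policy applies to
    resources: tuple        # resource patterns, e.g. "/Dataset/*"
    actions: frozenset      # permissions, e.g. "Object Read"
    grant: bool = True      # True = Explicit Grant, False = Explicit Deny


def resource_matches(pattern: str, resource: str) -> bool:
    """Assumed resource matching: a trailing '*' covers the folder's whole
    subtree; anything else must match exactly. Note that '/Dataset/*' does
    not match '/Dataset' itself, which is why the article lists both."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return resource == pattern


def is_permitted(policies, user_groups, resource, action) -> bool:
    """Assumed evaluation: any matching Explicit Deny wins; otherwise at
    least one matching Explicit Grant is required; no match means no access."""
    granted = denied = False
    for p in policies:
        if not (p.identities & user_groups):
            continue
        if action not in p.actions:
            continue
        if not any(resource_matches(pat, resource) for pat in p.resources):
            continue
        if p.grant:
            granted = True
        else:
            denied = True
    return granted and not denied


# The policy from step 2 of the Resolution section.
READ_ONLY_POLICY = Policy(
    name="PAM_ReadOnly_DatasetProduction",
    identities=frozenset({"PAM_ReadOnly_Group"}),
    resources=("/Dataset", "/Dataset/*", "/Production", "/Production/*"),
    actions=frozenset({"Object List", "Object Read"}),
)

# Expected outcomes from the Validation section (object paths are constructed).
EXPECTED = [
    ("/Dataset",                      "Object List", True),
    ("/Dataset/App1/Settings",        "Object Read", True),
    ("/Production/Runbooks/Restart",  "Object Read", True),
    ("/Production/Runbooks/Restart",  "Start",       False),
    ("/Production/Runbooks/Restart",  "Check Out",   False),
    ("/Production/Runbooks/Restart",  "Delete",      False),
    ("/Production",                   "Create",      False),
    ("/Development/Runbooks/Restart", "Object Read", False),  # outside scope
]


def mismatches(policies, user_groups, expected=EXPECTED):
    """Return the (resource, action) pairs whose evaluated result differs
    from the expected read-only outcome; an empty list means the matrix holds."""
    return [
        (res, act)
        for res, act, want in expected
        if is_permitted(policies, user_groups, res, act) != want
    ]


# The test user is in the custom group, which is nested in PAM Users.
USER_GROUPS = frozenset({"PAM_ReadOnly_Group", "PAM Users"})

# Hypothetical broader policy on PAM Users (assumed, not a documented default):
# it would silently re-enable Start for the read-only members.
BROAD_START = Policy(
    name="Hypothetical_AllUsers_Start",
    identities=frozenset({"PAM Users"}),
    resources=("/*",),
    actions=frozenset({"Start"}),
)

# An Explicit Deny scoped to the custom group closes that gap for its members only.
DENY_START = Policy(
    name="PAM_ReadOnly_DenyStart",
    identities=frozenset({"PAM_ReadOnly_Group"}),
    resources=("/*",),
    actions=frozenset({"Start"}),
    grant=False,
)

if __name__ == "__main__":
    print("read-only policy alone:", mismatches([READ_ONLY_POLICY], USER_GROUPS))
    print("with broad Start grant:", mismatches([READ_ONLY_POLICY, BROAD_START], USER_GROUPS))
    print("plus explicit deny:    ", mismatches([READ_ONLY_POLICY, BROAD_START, DENY_START], USER_GROUPS))
```

Running the script shows an empty mismatch list for the read-only policy on its own, a single mismatch (Start on the runbook) once the hypothetical broad grant is present, and an empty list again after the Explicit Deny is added. Replace the EXPECTED entries with the real object paths from your Library before using it as a checklist, and treat the live login test as the authoritative result.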

Additional Information

For more details on the default roles and permissions, refer to the CA Process Automation documentation.