Always surrogating to root


Article ID: 101563



CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)


Sometimes, even though the system is configured to use sesu and surrogation to a certain user, say userA, is authorized in PIM for another user, userB, when userB tries to run a command as userA the system instead performs a sesu to root and appears to ignore the surrogation to userA. If userB does not have permission on the root surrogate, command execution fails.

We have problems when surrogating to accountA from any user. Access Control interprets the surrogation as one to resource user.root, not the one that really corresponds to the surrogation.

Why is this so?


CA PIM 12.81 build 2666


This is a known problem, corrected in releases after 12.81 build 2666. You may apply, for instance, test fixes T52V287.tar.z or T52V314.tar.z. Contact support to obtain them or an equivalent version that contains the fix for this problem.

Besides applying the fixes themselves, the following settings must be in place in seos.ini:

bypass_suid_program = <path to original su from the system>
old_sesu = no
SystemSu = <path to original su from the system>
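
One way to confirm these settings on an endpoint, as an added example (not CA or Broadcom code): a POSIX shell check that reads seos.ini and reports any of the three tokens that is missing or wrong. The function names, the parsing rules (`token = value` lines, `;` or `#` comment lines, section headers ignored) and the reading that both path tokens hold the same single path are assumptions.

```shell
#!/bin/sh
# Added example: verify the three seos.ini settings listed in the article.
# Assumptions (not from the article): "token = value" lines, ';' or '#' starts
# a comment line, section headers are ignored, the last occurrence of a token
# wins, and token names match exactly as written in the article.

# Print the value of token $2 in ini file $1 (empty output if it is not set).
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                      # skip comment lines
        {
            eq = index($0, "=")                     # split on the first "="
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 0 when all three settings are in place, 1 after listing each problem,
# 2 when the file cannot be read.
check_sesu_settings() {
    ini=$1; rc=0
    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 2; }
    bypass=$(ini_value "$ini" bypass_suid_program)
    old=$(ini_value "$ini" old_sesu)
    syssu=$(ini_value "$ini" SystemSu)

    [ "$old" = "no" ] || { echo "old_sesu is '${old:-unset}', expected 'no'"; rc=1; }
    [ -n "$syssu" ]   || { echo "SystemSu is not set"; rc=1; }
    [ -n "$bypass" ]  || { echo "bypass_suid_program is not set"; rc=1; }
    # The article gives both tokens the same placeholder (the original system su).
    if [ -n "$syssu" ] && [ -n "$bypass" ] && [ "$syssu" != "$bypass" ]; then
        echo "SystemSu ($syssu) and bypass_suid_program ($bypass) differ"; rc=1
    fi
    # The path has to name a real, executable su binary.
    if [ -n "$syssu" ] && [ ! -x "$syssu" ]; then
        echo "SystemSu path $syssu is not an executable file"; rc=1
    fi
    return $rc
}

# Run the check when a seos.ini path is given on the command line.
if [ "$#" -gt 0 ]; then check_sesu_settings "$1"; fi
```

Run it with the path to the endpoint's seos.ini as the only argument; a zero exit status means all three settings match the article.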