PIM(SAM) All: remained Privileged Accounts can not delete via GUI

Article Id: 103070
Status: Published
Updated On: 27-06-2018 03:06
Products:
CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)
Issue/Introduction:

Remained huge number, 12200, of Privileged Accounts after expired request.
So, customer deleted requests as manually via GUI. But, it occurred some error and failed delete Account
GUI shows following error at deleting Privilege Account Requests:
Error deleting: Privileged Account Exception Obj:account id:8952, user id:CN=account01,OU=Users,OU=dept,DC=server,DC=local, start date:Wed Aug 30 00:00:00 JST 2017, valid until:Wed Sep 13 14:00:00 JST 2017, approver id:CN=Approver01,OU=Users,OU=dept,DC=server,DC=local, approver comment:, justification:xxxx, account name:account01, account endpoint:Endpoint01, account endpoint type:SSH Device, user name:account01, valid form:30/08/2017 24:00:00, request time:29/08/2017 05:04:24, approval time:30/08/2017 24:01:03, endpoint type:SSH Device, endpoint name: [facility=4 severity=2 reason=0 status=38 message=No items found]

Cause:

The error is caused by deleting AD user as requester.
PIM search requests with user information as LDAP, so it failed to find correct data and failed to delete record.

Environment:

OS: Windows 2012
Prod: CA Privileged Identity Manager r12.8 CF2 or later for SAM
  CDB: MS SQLServer 2012
  User store: ActiveDirectory
 

Resolution:

Please  delete as following steps with direct SQL statement:
* Note:  Please backup to restore all data before these steps.

1. Connect to the ENTM Database.
2. Back up the PRIVILEGED_ACC_EXCEPTION table (Just in case we need to refer for further)
3. Run the below query to fetch the number of records associated with the deleted users by providing the list of usersid's.

select * from [ACENTMDB].[dbo].[PRIVILEGED_ACC_EXCEPTION]
    WHERE ("IS_DELETED"<> 'true' OR "IS_DELETED" IS NULL)
      AND convert(datetime, VALID_UNTIL, 105) < GETUTCDATE()
      AND USER_FRIENDLY_NAME in ('USERID1', 'USERID2', 'USERID3');

4. Run the below query to update the IS_DELETED flag to true by providing list of deleted usersid's.

update [ACENTMDB].[dbo].[PRIVILEGED_ACC_EXCEPTION]
   set IS_DELETED ='true'
    WHERE ("IS_DELETED"<> 'true' OR "IS_DELETED" IS NULL)
      AND convert(datetime, VALID_UNTIL, 105) < GETUTCDATE()
      AND USER_FRIENDLY_NAME in ('USERID1', 'USERID2', 'USERID3');

5. Navigate to Manage Privileged Account Requests page, we wont see these accounts anymore this page.