PIM(SAM) All: remained Privileged Accounts can not delete via GUI
Article ID: 103070
Updated On:
Products
CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)
Issue/Introduction
Remained huge number, 12200, of Privileged Accounts after expired request.
So, customer deleted requests as manually via GUI. But, it occurred some error and failed delete Account
GUI shows following error at deleting Privilege Account Requests:
Error deleting: Privileged Account Exception Obj:account id:8952, user id:CN=account01,OU=Users,OU=dept,DC=server,DC=local, start date:Wed Aug 30 00:00:00 JST 2017, valid until:Wed Sep 13 14:00:00 JST 2017, approver id:CN=Approver01,OU=Users,OU=dept,DC=server,DC=local, approver comment:, justification:xxxx, account name:account01, account endpoint:Endpoint01, account endpoint type:SSH Device, user name:account01, valid form:30/08/2017 24:00:00, request time:29/08/2017 05:04:24, approval time:30/08/2017 24:01:03, endpoint type:SSH Device, endpoint name: [facility=4 severity=2 reason=0 status=38 message=No items found]
So, customer deleted requests as manually via GUI. But, it occurred some error and failed delete Account
GUI shows following error at deleting Privilege Account Requests:
Error deleting: Privileged Account Exception Obj:account id:8952, user id:CN=account01,OU=Users,OU=dept,DC=server,DC=local, start date:Wed Aug 30 00:00:00 JST 2017, valid until:Wed Sep 13 14:00:00 JST 2017, approver id:CN=Approver01,OU=Users,OU=dept,DC=server,DC=local, approver comment:, justification:xxxx, account name:account01, account endpoint:Endpoint01, account endpoint type:SSH Device, user name:account01, valid form:30/08/2017 24:00:00, request time:29/08/2017 05:04:24, approval time:30/08/2017 24:01:03, endpoint type:SSH Device, endpoint name: [facility=4 severity=2 reason=0 status=38 message=No items found]
Cause
The error is caused by deleting AD user as requester.
PIM search requests with user information as LDAP, so it failed to find correct data and failed to delete record.
PIM search requests with user information as LDAP, so it failed to find correct data and failed to delete record.
Environment
OS: Windows 2012
Prod: CA Privileged Identity Manager r12.8 CF2 or later for SAM
CDB: MS SQLServer 2012
User store: ActiveDirectory
Prod: CA Privileged Identity Manager r12.8 CF2 or later for SAM
CDB: MS SQLServer 2012
User store: ActiveDirectory
Resolution
Please delete as following steps with direct SQL statement:
* Note: Please backup to restore all data before these steps.
1. Connect to the ENTM Database.
2. Back up the PRIVILEGED_ACC_EXCEPTION table (Just in case we need to refer for further)
3. Run the below query to fetch the number of records associated with the deleted users by providing the list of usersid's.
select * from [ACENTMDB].[dbo].[PRIVILEGED_ACC_EXCEPTION]
WHERE ("IS_DELETED"<> 'true' OR "IS_DELETED" IS NULL)
AND convert(datetime, VALID_UNTIL, 105) < GETUTCDATE()
AND USER_FRIENDLY_NAME in ('USERID1', 'USERID2', 'USERID3');
4. Run the below query to update the IS_DELETED flag to true by providing list of deleted usersid's.
update [ACENTMDB].[dbo].[PRIVILEGED_ACC_EXCEPTION]
set IS_DELETED ='true'
WHERE ("IS_DELETED"<> 'true' OR "IS_DELETED" IS NULL)
AND convert(datetime, VALID_UNTIL, 105) < GETUTCDATE()
AND USER_FRIENDLY_NAME in ('USERID1', 'USERID2', 'USERID3');
5. Navigate to Manage Privileged Account Requests page, we wont see these accounts anymore this page.
* Note: Please backup to restore all data before these steps.
1. Connect to the ENTM Database.
2. Back up the PRIVILEGED_ACC_EXCEPTION table (Just in case we need to refer for further)
3. Run the below query to fetch the number of records associated with the deleted users by providing the list of usersid's.
select * from [ACENTMDB].[dbo].[PRIVILEGED_ACC_EXCEPTION]
WHERE ("IS_DELETED"<> 'true' OR "IS_DELETED" IS NULL)
AND convert(datetime, VALID_UNTIL, 105) < GETUTCDATE()
AND USER_FRIENDLY_NAME in ('USERID1', 'USERID2', 'USERID3');
4. Run the below query to update the IS_DELETED flag to true by providing list of deleted usersid's.
update [ACENTMDB].[dbo].[PRIVILEGED_ACC_EXCEPTION]
set IS_DELETED ='true'
WHERE ("IS_DELETED"<> 'true' OR "IS_DELETED" IS NULL)
AND convert(datetime, VALID_UNTIL, 105) < GETUTCDATE()
AND USER_FRIENDLY_NAME in ('USERID1', 'USERID2', 'USERID3');
5. Navigate to Manage Privileged Account Requests page, we wont see these accounts anymore this page.
Feedback
Yes
No
Powered by
