Does PAM support nested Global and Universal AD groups?


Article ID: 105635


Products

- CA Privileged Access Manager - Cloakware Password Authority (PA)
- PAM SAFENET LUNA HSM
- CA Privileged Access Manager (PAM)

Issue/Introduction



In PAM, is it possible to use nested Active Directory groups consisting of Global and Universal groups?

Environment

Release:
Component: CAPAMX

Resolution

Note:
Universal groups cannot be members of Global groups.
The reverse is possible: Global groups can be members of Universal groups.

To confirm PAM is working correctly, create:
- a Universal group "group3" with member "user3"
- two Global groups: "group2" with member "user2" and "group1" with member "user1"
- cascade the groups: group3 with member group2, and group2 with member group1
- in the CA PAM LDAP Import, select group3 only
- finally, I find all three users being discovered and imported to PAM
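
The test setup from the steps above, scripted for a lab domain, as an added example that is not part of the original article or of the product's own tooling. It assumes the RSAT ActiveDirectory module, that user1, user2 and user3 already exist, and a placeholder OU; the final checks show which users the directory itself resolves under group3, to compare against what the PAM LDAP import discovers.

```powershell
# Added example, not from the article. Run in a lab domain only.
# Assumptions: RSAT ActiveDirectory module, rights to create groups, and
# existing accounts user1, user2, user3. $ou is a placeholder value.
Import-Module ActiveDirectory
$ou = 'OU=PAMTest,DC=example,DC=test'   # placeholder OU, adjust to the lab

# One Universal group and two Global groups, all security groups.
New-ADGroup -Name 'group3' -SamAccountName 'group3' -GroupScope Universal -GroupCategory Security -Path $ou
New-ADGroup -Name 'group2' -SamAccountName 'group2' -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'group1' -SamAccountName 'group1' -GroupScope Global -GroupCategory Security -Path $ou

# The note above: a Universal group cannot be a member of a Global group.
try {
    Add-ADGroupMember -Identity 'group1' -Members 'group3' -ErrorAction Stop
    Write-Warning 'Unexpected: Universal group accepted as member of a Global group'
} catch {
    Write-Host "Rejected as expected: $($_.Exception.Message)"
}

# Direct members plus the cascade: group3 <- group2 <- group1.
Add-ADGroupMember -Identity 'group3' -Members 'user3', 'group2'
Add-ADGroupMember -Identity 'group2' -Members 'user2', 'group1'
Add-ADGroupMember -Identity 'group1' -Members 'user1'

# Check 1: transitive membership as resolved by the AD cmdlets.
$recursive = Get-ADGroupMember -Identity 'group3' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName | Sort-Object

# Check 2: the same question asked as a plain LDAP search, using the
# matching-rule-in-chain OID so the server walks the nesting.
$dn = (Get-ADGroup -Identity 'group3').DistinguishedName
$ldapChain = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" |
    Select-Object -ExpandProperty SamAccountName | Sort-Object

# Both checks should list exactly the three users selected via group3.
$expected = 'user1,user2,user3'
$results  = [ordered]@{ Recursive = $recursive; LdapChain = $ldapChain }
foreach ($name in $results.Keys) {
    $found = $results[$name] -join ','
    if ($found -eq $expected) { Write-Host "${name}: $found" }
    else { Write-Warning "${name}: expected $expected, got '$found'" }
}
```

If both checks list the three users but the PAM import does not, the difference lies in the import configuration rather than in the directory's group nesting.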

Additional Information

https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/provision-your-server/provisioning-users/configure-user-groups/import-ldap-user-groups#ImportLDAPUserGroups-NestedGroups