Dynamic Target Groups do not seem to work correctly
Article ID: 108643
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)
Issue/Introduction
We want to segregate device accounts between 2 users of PAM.
User1 manages the device and SO accounts and User2 manages DB accounts on the same device.
Neither one can see the password of the other and both, User1 and User2 are "delegated administrators".
The field "Description 1" and Dynamic Target Groups are used as a means of doing so, as suggested by the documentation.
Thus, User1 has "password manager" role pointing to User1Dyn target group, which has been created with the following filters:
A device shared between both users has in Description 1 "User1Dyn User2Dyn".
The same applies to Target Application Description 1 field, depending on whether it is shared or not (e.g. a shared application between both accounts will contain "User1Dyn User2Dyn")
After upgrading to version 3.1.1, this logic doesn't work the same way: If User1 wants to create a new "shared" device and tries to create one Target Application, it does not show in its Target Application list, even though it is actually created. What is more: User1 can't create an account on that Target Application because it doesn't show.
This used to work in versions 2.8.X but it no longer does. Is there any way to make the logic behave like in version 2.8.X ?
User1 manages the device and SO accounts and User2 manages DB accounts on the same device.
Neither one can see the password of the other and both, User1 and User2 are "delegated administrators".
The field "Description 1" and Dynamic Target Groups are used as a means of doing so, as suggested by the documentation.
Thus, User1 has "password manager" role pointing to User1Dyn target group, which has been created with the following filters:
- Server - Description 1 contains "User1Dyn"
- Application - Description 1 contains "User1Dyn"
- Account - Description 1 contains "User1Dyn"
A device shared between both users has in Description 1 "User1Dyn User2Dyn".
The same applies to Target Application Description 1 field, depending on whether it is shared or not (e.g. a shared application between both accounts will contain "User1Dyn User2Dyn")
After upgrading to version 3.1.1, this logic doesn't work the same way: If User1 wants to create a new "shared" device and tries to create one Target Application, it does not show in its Target Application list, even though it is actually created. What is more: User1 can't create an account on that Target Application because it doesn't show.
This used to work in versions 2.8.X but it no longer does. Is there any way to make the logic behave like in version 2.8.X ?
Environment
CA PAM version 3.X
Cause
Since we created a Target Dynamic group User1Dyn composed of Devices, Applications and Users having in Description1 User1Dyn, and a Target Dynamic group User2Dyn composed of Devices, Applications and Users having in Description1 User2Dyn, you will not be able to add the new accounts because of the AND condition for target accounts introduced in the definition of Target Dynamic Groups.
The problem is that we are trying to view all applications, accounts and servers meeting a specific condition while the target account is not yet created, so it will never be able to see the records
The problem is that we are trying to view all applications, accounts and servers meeting a specific condition while the target account is not yet created, so it will never be able to see the records
Resolution
To fix this we need to remove the Account restriction from the Target Group and then we can add the target applications & accounts successfully, later we need to add it back after accounts have been added
Feedback
Yes
No
Powered by
