Add the target devices in email template sent to the approver
search cancel

Add the target devices in email template sent to the approver

book

Article ID: 113607

calendar_today

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)

Issue/Introduction

Approver may expect receive in e-mail the hostname of device that user will access. But this works differently.
This sample shows one e-mail received by approver user to approve access for user account <PAMAccount> to access the server <myserver.mydomain.net.> Notice that this hostname of device is not showed in e-mail body:

(clarification : myserver.mydomainnet.domainglobal.net is not the target server, is the Domain Controller)

Subject: Password View Request for target account <PAMAccount>

Body:

Do not reply to this email.

A password view request has been submitted with the following details:

Requestor : <user>@domain.com Requested Account: <PAMAccount>
Requested Account Target Application Name: <targetapplication>
Requested Account Target Server: myserver.mydomainnet.domainglobal.net
Requested Account Target Device Name: myserver.mydomainnet.domainglobal.net
SSO Type: Any
Request Reason: Other (Teste)
Start Date: 2018-08-08 18:43 BRT
End Date: 2018-08-08 20:43 BRT

Click here to Approve this Request

Click here to Deny this Request

See that fields that refer device and hostname contais ony the domain controller - not the endpoint that use needs to access.



Environment

ALL PAM versions from 3.x to 4.x
Device RDP
Intergated with MS-AD

Cause

Guidance

Resolution

When you go to the target accounts page in Password Management, you will see columns Account Name, Application Name, Host Name and Device Name. These will be the ones that are shown in the request emails. 

For a domain account pulled into Password Management e.g. by a Windows Domain Services target connector, the target device would be the device associated with the WDS target connector application. 

In your email the account comes from the "accountname" device, which I assume is your domain controller. 

This is working as designed. A password view request is in the context of the target account. For a given account there is only one password to view. Once you have the password view request approved, you can use that account to logon to any device accessible with this account, because you have access to the accounts's password. 

Basically you have to consider that a password view request is what it says, it's not a request to access a specific target device, even though that is what your user may be trying to do at the time. 

The approvers have to be aware of that, and they should be able to understand the nature of the account from the target application and target host values. 
Powered by Wolken Software