PAM CLI- addTargetAccount fails with PAM-CM-3454: Change process not specified

Article Id: 127504
Status: Published
Updated On: 19-02-2019 12:37
Products:
CA Privileged Access Manager - Cloakware Password Authority (PA) , PAM SAFENET LUNA HSM , CA Privileged Access Manager (PAM) , CA Privileged Access Manager (PAM)
Issue/Introduction:

When running addTargetAccount to add a Windows Remote account an error is returned.

PAM-CM-3454: Change process not specified.

Example command:
capam_command capam=<<CA PAM Host Details>> adminUserId=super cmdName=addTargetAccount TargetServer.hostName=<<Device Address - as defined in PAM>> TargetApplication.name=<<Application name - as defined in PAM>> TargetAccount.userName=<<Target Account name>> TargetAccount.password=<<Target Account's password>> TargetAccount.privileged=true PasswordViewPolicy.name=<<Password View Policy - as defined in PAM>> 

Cause:

The Windows Remote Target Connector specifically requires that all accounts are either set as an Administrator, who can either use either 'change own password' or 'change own password', or as a User, who REQUIRES that an Administrator is selected to rotate its password.

Environment:

PAM CLI

Resolution:

To be able to add Windows Remote accounts with the CLI there are additional attribute(s) that need to be used.

This specific error is referring to needing this attribute:
Attribute.useOtherAccountToChangePassword

Values for this are:
true (uses different account)
false (uses 'this' account), not valid for "Users" with Windows Remote

In most cases this will be a normal user, which means this needs to be set to true. Whenever useOtherAccountToChangePassword is true it will also require the account ID of the Administrator account using this attribute:
Attribute.otherAccount=<Management Target Account ID> 

Note: Management Target Account ID can be found using the command: searchTargetAccount
Note 2: Attempting to use "useOtherAccountToChangePassword = true" without "otherAccount" will result in error "PAM-CM-0791: An invalid Target Account ID was assigned to the 'otherAccount' attribute."

Example fixed command:
capam_command capam=<<CA PAM Host Details>> adminUserId=super cmdName=addTargetAccount TargetServer.hostName=<<Device Address - as defined in PAM>> TargetApplication.name=<<Application name - as defined in PAM>> TargetAccount.userName=<<Target Account name>> TargetAccount.password=<<Target Account's password>> TargetAccount.privileged=true PasswordViewPolicy.name=<<Password View Policy - as defined in PAM>> Attribute.useOtherAccountToChangePassword=true Attribute.otherAccount=<<Management Target Account ID>>