Secondary site nodes only support Read operations. These site are meant to be used by PAM users, not PAM administrators, and most administrative activities are not allowed.
If you try Create, Update or Delete operations on secondary site nodes using the Rest API, you will get a 403 error with message: "PAM-CMN-2740: Only read-only REST methods (GET) are allowed on secondary sites."
We do have a note related to this topic in online documentation, see the following comment on page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/external-api-for-integrating-applications/use-the-external-api-programmers:
"Use the External API in a Clustered Environment
In a clustered environment, use the primary VIP for bulk operations."
Similarly most CUD operations with the remote CLI will return status code 442 on secondary site nodes with description "PAM-CM-0608: Unsupported command specified. Command not supported at secondary site".
Some update commands are allowed, such as checkInAccountPassword or forceCheckInAccountPassword. For these commands you can find a comment in our online documentation "This command can be run on a secondary site", see e.g. https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/forcecheckinaccountpassword
As of 3/31/19 we have a generic comment on page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/deploying/set-up-a-cluster#SetUpaCluster-Multi-SiteClusterandSecondarySites:
- Secondary site members are intended to support end-user access rather than global administrative functions. Some local administrative functions are available on Secondary members, including: managing sessions, logs, and recordings; managing password approvals and disaster recovery; some diagnostics; network, and security
We are working with the documentation team to be more explicit about the impact this has on API calls.