ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Standard Users are not listed in the Recipient list for Scheduled

book

Article ID: 133365

calendar_today

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM) CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

On PAM 2.8.x, "Standard Users" were visible in the "Available Recipients" list for the "Credential - Reports - Scheduled Jobs".

So the Administrator can select any users and they would receive the report.

After upgrading to PAM 3.x, only the admin users are visible in the list.

Cause

The behavior in the PAM 2.8.x was not  according to the design.


https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/2-8-4-1/administrating/reports/schedule-reports.html

In the above PAM 2.8.x Documentation, it is mentioned:

------8<------

Schedule Reports Credential Manager allows you to schedule jobs that run the selected report and emails the output to the selected recipients.

Recipients can be selected from all Credential Manager users with a valid email address.

 ------8<------

So, since the beginning(based on PAM 2.8.x) the users who can be listed as the "mail recipient" are those who are "Credential Manager"

This Credential Manager privilege is tied to the role of users.

If you navigate to "Users - Manage Roles" and view "Standard User" role, they only have 2 permissions.

"Access All"

"Manage All"

These 2 permissions are for accessing and managing device they are associated in the policy.

If you take a look at the "Password Manager" or "Global Administrator" or "Operational Administrator", they have "Manage Credential" privilege.

So by right only those users with "Manage Credential" privilege should be listed as the report recipient.

What this suggest is the behavior you have been seeing in the PAM 2.8.x was not according to the design.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-2-7/administrating/credential-manager-reports/schedule-credential-manager-reports.html

You can find the same content is maintained in the PAM 3.2.x as above.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/administrating/credential-manager-reports/schedule-credential-manager-reports.html

Environment

Release : 3.x.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

If you want specific users to be listed in the report recipient list, you will need to provide them the privileged first. 

For example, you can do the following. 

1. goto "Users - Manage Users" and select the desired user. 

2. Assign "Password Manager" role to the user 

3. At "Credential Manager" tab, add "Base Users" group. 

4. Click "OK" to save. 

Then go to the Scheduled report and see if the user is listed there.