Device Group policy does not include devices automatically

Article ID: 137530


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When creating an access policy for a group of devices imported from LDAP, the number of devices in the group is not equal to the number of devices found on the access page.

Some servers that are members of the LDAP device group are missing on the access page.

Environment

Applies to any PAM release as of Dec 2023.

Cause

Access methods assigned to a device group are not inherited by the devices in the group. The only purpose of assigning access methods and services on the group level is to make them available in access policies for the group.

For example, you could have Linux servers and Windows servers in the same device group. The Linux servers are accessed using the SSH access method, and the Windows servers are accessed using the RDP access method. To configure an access policy against the device group, you have to assign both the SSH and RDP access methods on the group level.

The access page will show the SSH access method for the devices in the group that have SSH access assigned, and the RDP access method for the devices that have RDP access assigned. If a device has none of the access methods defined in the policy assigned to it, it will not show up on the access page.

Resolution

Assign the appropriate access methods on the device level, as they are not inherited from the device group.
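
The visibility rule described under Cause can be checked offline against a device inventory to list the group members that still need a device-level access method. This is an added example, not part of the original article and not PAM code; the CSV layout, column names, device names and group name are constructed for illustration.

```python
import csv
import io

# Constructed sample inventory; the column names are hypothetical and do not
# reflect a PAM export format. access_methods holds the methods assigned on
# the device itself (not on the group), separated by ';'.
SAMPLE_INVENTORY = """device,group,access_methods
lnx-app01,ldap-servers,SSH
lnx-app02,ldap-servers,
win-db01,ldap-servers,RDP
win-db02,ldap-servers,VNC
lnx-web01,other-group,SSH
"""


def parse_inventory(text):
    """Return {device: (group, set of device-level access methods)}."""
    devices = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["access_methods"].split(";")
        methods = {m.strip().upper() for m in raw if m.strip()}
        devices[row["device"].strip()] = (row["group"].strip(), methods)
    return devices


def access_page_view(devices, group, policy_methods):
    """Split group members into visible (with methods shown) and missing."""
    policy = {m.upper() for m in policy_methods}
    visible, missing = {}, []
    for name, (dev_group, methods) in sorted(devices.items()):
        if dev_group != group:
            continue
        # Only methods assigned on the device AND defined in the policy show.
        shown = methods & policy
        if shown:
            visible[name] = sorted(shown)
        else:
            missing.append(name)
    return visible, missing


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    visible, missing = access_page_view(inventory, "ldap-servers", ["SSH", "RDP"])
    for name, shown in visible.items():
        print(f"{name}: shown with {', '.join(shown)}")
    for name in missing:
        print(f"{name}: not shown, assign SSH or RDP on the device")
```

Devices with no device-level method and devices whose only method is outside the policy both land in the missing list, which accounts for the difference between the group member count and the access page.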