Can't delete LDAP Group out of PAM


Article ID: 142008


Updated On:

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Traditionally, PAM LDAP Groups are synced through the following setting in the UI:

PAM UI >> Configuration >> 3rd Party >> LDAP >> LDAP Domains.

Here, once you select Update, you have a setting called Update Interval, which should keep all users and groups updated.

Cause

We cannot automatically delete an LDAP user if they have either of the following:

  1. A Password View Policy (PVP) in which they are listed either under "Dual Authorization/Retrospective Approval" or in the "Email Notification" section of that policy.
  2. A custom report defined under PAM UI >> Sessions >> Logs >> Reports >> Managed Reports.

Environment

Release : 3.1.x, 3.2.x, 3.3.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

If either of these scenarios applies, we cannot delete that LDAP user and/or the LDAP Group they are a part of.

Please remove that user from the PVP and/or remove the custom report.

Note: if you cannot determine this information, please open a support case and we can SSH into the backend of the server and look at the uag.custom_reports table for more detailed information.