search cancel

PAM-CMN-0020 on modifying policy, "Data too long for column 'detail' at row 1"

book

Article ID: 144247

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Cannot associate accounts with user policy.

The error occurred on modifying policy.
PAM-CMN-0020: Error occurred while trying to complete request. (76) 

[Native code: 1406]
[Native message: Data too long for column 'detail' at row 1]
 at /var/www/htdocs/uag/services/main/common/DatabaseUtils.php: 101
PAM-CMN-0020: Error occurred while trying to complete request. (26) 

The most common use case for a large policy is the inclusion of many target accounts that the PAM user(s) should have access to. An alternative to adding large numbers (hundreds or even thousands) of accounts to access policies is detailed below.

Environment

Release : 3.3.x, 3.4.x, 4.0.x, 4.1.x

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

The policy has about 1500 device-accounts for access and it exceeds maximum character length for detail of log.

Possible use cases:

Need to view 1000s of Passwords
1. Single device – Oracle Database
2. 1000s of Applications to represent each database instance
3. 13 local accounts in each application

32K account’s passwords need to be granted to each of the 20 users

Resolution

The detail column is text data type and maximum length is 65,535. You will need to create separate policies with lower number of accounts.

The alternative solution is to provide view only ability through the Credential Accounts page.

1. Allows them to filter on application name or account name
2. View Password from that list

Steps to recreate (as Global Admin)
1. Create a new Target Group
      1. Name: DBA_Oracle_Target_Group
      2. Type: Static
      3. Target Servers: Add Device that is the Oracle DB
              1. Show-> Target Accounts will list 32K accounts (see total at bottom)
      4. Save

2. Create a new Credential Manager Role
      1. Basic:
            1. Name: DBA_Oracle_CM_role
            2. Description
      2. Select the following privileges

3. Create a new Credential Manager Group
       1. Name: DBA_Oracle_CM_Group
       2. Description
       3. Role: Pick DBA_Oracle_CM_Role
       4. Target Group: Pick DBA_Oracle_Target_Group
       5. Note: Leave Users and User Groups blank for now.

4. Create a User Group
       1. Users -> User Groups [ADD]
       2. Name: DBA_Oracle_Team
       3. Roles
            1. Password Manager role (only) if Standard user is there, then remove
       4. Users
            1. Add the DBAs to the list
       5. Credential Manager Groups
            1. Select DBA_Oracle_CM_Group push to right
       6. Save

At this time the DBA users will likely have 2 roles in PAM:


a. Standard user role – from their individual profile
b. Password Management Role – from their membership in the User Group

Standard User gives them the Access page
Password Manager gives them Credentials Tab in the menu

When any of the 20 users log in, they will see a blue bar at the top with Access Credentials -> Manage Targets -> Accounts, Applications

Access is the default page, but if they do not need/use the Access page, then you can remove the “Standard User” role found in the User’s profile

When any of the 20 users log in, under Credentials -> Manage Targets -> Accounts they will see the first page of the 32K Accounts.
At the top, they can use filters, save views etc. to get to the correct Oracle instance (Application Search) or Account they wish to see. Click on the eyeball, and they will see the credential.

Additional Information

Benefits of this approach:

1. The DBA Users, due to the privileges in the role, will not be able to update a credential - only view

2. Add workflow as desired: check/check out, rotate on view, etc. by adding a Password View Policy to the Oracle Accounts
       1. Note: A View Policy with “rotate on view” applies to seeing the Credential from either the Access or the Accounts page

3. Use a standard browser - Viewing this page does not require the PAM Client

4. If using a standard browser, the Access page uses Applets; Applets do not work on standard browsers; a error message will eventually show to the user
       1. If the population of DBAs is never going to use SSH/RDP type access through PAM, then remove the “Standard User” role from each user’s profile
       2. When the “Standard User” role is absent, PAM avoids loading/landing on the Access page when logging in.
               1. Instead, the users will land on the Account page 

Attachments