
Deleting users with unknown applications in CA PAM


Article ID: 189741


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Running a report on expired passwords shows two target accounts whose target server and target application names are displayed as Unknown.

For instance:

sys Unknown Unknown Unknown  0  false
system Unknown Unknown Unknown  0  false

This document describes the steps to resolve this situation.

Environment

CA PAM 3.3.X

Cause

In CA PAM the cspm database holds the target accounts, target servers and target applications defined in the appliance. Whenever an object is deleted in the Credential Management part of the product, it is not physically removed: the corresponding records in the associated database tables are updated so that their deleted field is set to 1, meaning the object is no longer valid.

When a target account is deleted and marked as such, its associations to the target server and target application should likewise be marked as deleted by setting the corresponding field in their tables. Conversely, when an application is deleted from the Credential Management GUI, all objects that depend solely on it should be marked as deleted.

The situation shown in the introduction arises when an application was marked as deleted but the target accounts that belonged to it did not have their deleted field updated accordingly. The report still treats those accounts as live, but their application (and through it the server) can no longer be resolved, so both names are shown as Unknown.

Resolution

First, install and enable the SSH debug patch to obtain shell access to the appliance where the problem occurs. In a cluster environment, connect to the primary server of the primary node. The following actions can be performed without stopping the cluster. Because they modify the cspm database directly, take a backup of the appliance (or at least record the rows returned by the query below) before running any UPDATE, and restrict each UPDATE to the accountid values that the query actually returned.

The following query returns the target accounts that are still marked as active but are associated with a deleted application:

select accountid, accountusername, targetapplicationid from account where deleted=0 and targetapplicationid in (select targetapplicationid from targetapplication where deleted=1);

For instance:

+-----------+-----------------+---------------------+
| accountid | accountusername | targetapplicationid |
+-----------+-----------------+---------------------+
|      9797 | sys             |                3325 |
|      9798 | system          |                3325 |
+-----------+-----------------+---------------------+
2 rows in set (0.00 sec)

It then suffices to mark the corresponding target accounts as deleted, one accountid at a time, using the values returned by the query. For instance:

update account set deleted=1 where accountid=9797;
update account set deleted=1 where accountid=9798;
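The same repair can be done in a single set-based statement that is driven by the lookup query itself, so no accountid has to be copied by hand and nothing outside the orphaned set can be touched. The following is an added example and is not part of the original article or of CA PAM itself; it assumes the cspm database is MySQL/MariaDB (consistent with the client output shown above) and uses only the account and targetapplication tables and the accountid, accountusername, targetapplicationid and deleted columns already named on this page. The sample usernames are the ones from the report above.

```sql
-- Added example (not from the original article). Assumes MySQL/MariaDB and the
-- account / targetapplication tables of the cspm database described above.
-- Run inside a transaction so the change can be rolled back if the preview
-- does not match what was expected.
START TRANSACTION;

-- 1. Preview: active accounts whose application has been marked as deleted.
--    This is the same condition as the lookup query, written as a join so the
--    application's deleted flag is visible alongside the account.
SELECT a.accountid,
       a.accountusername,
       a.targetapplicationid,
       t.deleted AS application_deleted
  FROM account a
  JOIN targetapplication t
    ON t.targetapplicationid = a.targetapplicationid
 WHERE a.deleted = 0
   AND t.deleted = 1
 ORDER BY a.accountid;

-- 2. Repair: mark exactly those accounts as deleted. The join condition is
--    identical to the preview, so only the rows listed above are affected.
--    In the scenario on this page this updates the two accounts 9797 (sys)
--    and 9798 (system) that belonged to application 3325.
UPDATE account a
  JOIN targetapplication t
    ON t.targetapplicationid = a.targetapplicationid
   SET a.deleted = 1
 WHERE a.deleted = 0
   AND t.deleted = 1;

-- 3. Verify: the orphan count must now be zero. If it is not, or if the
--    preview showed rows you did not expect, ROLLBACK instead of COMMIT.
SELECT COUNT(*) AS remaining_orphans
  FROM account a
  JOIN targetapplication t
    ON t.targetapplicationid = a.targetapplicationid
 WHERE a.deleted = 0
   AND t.deleted = 1;

COMMIT;
```

Run the preview on its own first and compare it with the Unknown entries in the expired-passwords report; only when the two agree should the UPDATE and COMMIT be issued. The `UPDATE ... JOIN` form is MySQL-specific; on another engine the equivalent is an UPDATE with the same `IN (SELECT ...)` subquery used by the lookup query above.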