How to assign a PAM user to a Credential Manager Group using the CLI
search cancel

How to assign a PAM user to a Credential Manager Group using the CLI

book

Article ID: 190316

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

What are the steps to assign a PAM user using the Command Line Interface to a Credential Manager Group ?

Environment

Release : All supported versions of CA PAM as of October 2023

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

1. Find out details about the user:

... cmdName=searchUser

...
<cr.result>
 <User>
  <firstName><User_FirstName></firstName>
  <lastName><User_LastName>r</lastName>
  <email><User_Name>@<domain_name></email>
  <gkUserId>416</gkUserId>
  <userID><User_Name></userID>
  <userGroupIDs>[]</userGroupIDs>
  <ldapDN/>
  <lastLogin/>
  <viewType>admin</viewType>
  <serverKeyId>1000</serverKeyId>
  <failedLoginAttempts>0</failedLoginAttempts>
  <authenticationType>CSPM</authenticationType>
  <status>ACTIVE</status>
  <password/>
  <hash>UrMNvHuFD0CC1qe1+8qmblVqgwY=</hash>
  <createTime>1452177190000</createTime>
  <createDate>Thu Jan 07 14:33:10 UTC 2016</createDate>
  <updateDate>Thu May 07 14:23:16 UTC 2020</updateDate>
  <extensionType/>
  <createUser>super</createUser>
  <updateTime>1588861396000</updateTime>
  <updateUser>super</updateUser>
  <ID>1410</ID>
 </User>
</cr.result>
...


2. Find out details about the Credential Manager Group

... cmdName=searchUserGroup

...
 <cr.result>
  <UserGroup>
   <groups>[]</groups>
   <groupIDs>[]</groupIDs>
   <roleID>2</roleID>
   <description>Base role without Target or Request groups</description>
   <role/>
   <name>Base Users</name>
   <readOnly>true</readOnly>
   <hash>LvHQF7ZuRZbFcB+C7uOuQeWykZY=</hash>
   <createTime>1453390044000</createTime>
   <createDate>Thu Jan 21 15:27:24 UTC 2016</createDate>
   <updateDate>Thu Jan 21 15:27:24 UTC 2016</updateDate>
   <extensionType/>
   <createUser>system</createUser>
   <updateTime>1453390044000</updateTime>
   <updateUser>system</updateUser>
   <ID>1001</ID>
  </UserGroup>
 </cr.result>
...


3.  Assign the user to the group

... cmdName=updateUser User.userID=TestUser User.userGroupIDS=1003

Additional Information

There is no explicit way to delete a Credential Management user from a Credential Management User Group with the CLI.

Note, the group has to exist - one cannot specify a NULL value in this command.

Removing the user from all Credential Management User Groups can only be done in the PAM GUI.