Cannot add target accounts for password view using the PUT /api.php/v1/policies.json/{userOrGroupId}/{deviceOrGroupId} resource

Article ID: 193876

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are trying to add password view to access policies using the REST API. We used the GET /api.php/v1/policies.json/{id} resource to see an example of an existing policy with an account configured for password view. It comes back with information like the following:

...

"targetAccounts": [ { "applicationName": "ApiKey", "applicationId": "1006", "accountName": "rprestapiuser-11806001", "accountId": "487001" } ],

...

But when we try to use this syntax in the PUT /api.php/v1/policies.json/{userOrGroupId}/{deviceOrGroupId} call, we get the error:

Bad Request: Invalid id specified for `policy.targetAccounts[0]`. Expecting integer value

Cause

The result of the GET call is processed to provide recognizable information on the configured accounts, including the target application and account names. The PUT resource does not interpret such a structure; it expects only a list of target account IDs.

Environment

Release : Any supported PAM release

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Use the syntax documented on the Settings > Api Docs page under the PUT /api.php/v1/policies.json/{userOrGroupId}/{deviceOrGroupId} resource:

targetAccounts : Array - the list of target account ids offered by the specified device whose usernames and passwords the user can view.

Ex: "targetAccounts": [1001,1002,1003]

 

Here is a curl command example allowing the user with ID 11806001 access to the target accounts with IDs 487001 and 20235001 on the device with ID 5 for password view:

curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
   "targetAccounts": [487001,20235001]
 }' 'https://pamserver.my.domain/api.php/v1/policies.json/11806001/5'

 

Note that this sets the list of target accounts rather than adding to it, i.e. any previously configured target account that is not in the new list will no longer be accessible for password view.

To add target accounts to an existing policy, rather than publishing a new list of target accounts, use one of the POST methods:

POST /api.php/v1/policies.json/{id}/targetAccounts
or
POST /api.php/v1/policies.json/{userOrGroupId}/{deviceOrGroupId}/targetAccounts

For these resources the request body is just a list of target accounts, such as [487001] or [487001,20235001]. Note that the call will fail if one of the accounts is configured in the policy already, and no IDs will be added in that case.

Example:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '[487001]' 'https://prira01-pam05.lvn.broadcom.net/api.php/v1/policies.json/11806001/5/targetAccounts'
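
The following is an added example, not part of the original article or the product's own code: Python that converts the GET response shape into the integer lists the PUT and POST resources expect, keeping existing accounts on PUT and dropping already-configured IDs on POST. It assumes `targetAccounts` is a top-level key of the parsed policy; the function names and the embedded sample are constructed for illustration.

```python
import json

# Constructed sample in the shape the article shows for
# GET /api.php/v1/policies.json/{id}; assumes targetAccounts is a top-level key.
SAMPLE_GET_RESPONSE = """
{
  "targetAccounts": [
    {"applicationName": "ApiKey", "applicationId": "1006",
     "accountName": "rprestapiuser-11806001", "accountId": "487001"}
  ]
}
"""
POLICY = json.loads(SAMPLE_GET_RESPONSE)


def current_account_ids(policy):
    """Integer account IDs already in the policy (GET returns them as strings)."""
    return [int(entry["accountId"]) for entry in policy.get("targetAccounts", [])]


def put_body(policy, wanted_ids):
    """PUT replaces the whole list, so send existing + wanted, deduplicated."""
    merged = list(dict.fromkeys(current_account_ids(policy) + [int(i) for i in wanted_ids]))
    return json.dumps({"targetAccounts": merged})


def post_body(policy, wanted_ids):
    """POST fails if any ID is already configured, so send only the new ones.

    Returns None when there is nothing to add (skip the call)."""
    existing = set(current_account_ids(policy))
    new_ids = [i for i in dict.fromkeys(int(i) for i in wanted_ids) if i not in existing]
    return json.dumps(new_ids) if new_ids else None


if __name__ == "__main__":
    wanted = [487001, 20235001]
    print("PUT body: ", put_body(POLICY, wanted))
    print("POST body:", post_body(POLICY, wanted))
```

The returned strings are what would be passed to curl's `-d` option in the PUT and POST commands shown above.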