Our team has a Mainframe account password rotation scheduled job that has not worked properly for almost 3 weeks. Our team thought this was something related to a support case we currently have, about Target Groups failing to open. But upon further investigation, I noticed the Target Group for Mainframe accounts disappeared and the PAM tool will not open the Scheduled Job.
It turned out that a PAM admin inadvertently deleted the target group, which was a static group, while trying to add target accounts to it. This activity was found in the Credential Management Administrative Activities report. PAM does not check for dependent scheduled jobs when it processes a target group delete. It proceeds with the deletion without any warning, potentially leaving a corrupted scheduled job behind.
Affects all PAM releases supported as of July 2020, with 3.4.1 being the latest.
PAM support can temporarily restore the target group using SSH access to the PAM appliance, so that the scheduled job can be edited again and its details reviewed. Membership of the target group is not restored this way. In any case, it is better to define a new target group with the desired properties, change the scheduled job to use the new target group, and then delete the old one again.
A defect is being raised with PAM Engineering to consider adding a check on scheduled jobs prior to deleting a target group. This check already exists for Credential Manager user groups: a target group that is used in a CM user group cannot be deleted.