[PAM] LDAP User removed from LDAP Group but does not get removed from PAM Users list.

Article ID: 197001

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In PAM Users, an LDAP group named "PAM Admins" was imported with the following members:

TestUser1

TestUser2

TestUser3

Later, TestUser1 was removed from LDAP, but TestUser1 still exists in PAM and cannot be deleted.

Cause

The user is most likely configured as a recipient of one or more reports.

Environment

Release : 3.x.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

A user who is a report recipient cannot be deleted: the user must first be removed from the report's recipient list, or the report itself must be deleted.

Go to "Sessions -> Logs -> Reports -> Manage Reports", look for custom reports (created by Admins), and check whether the problematic user is configured to be notified.

The following out-of-the-box custom reports must not be deleted:

10.2.3 Track Audit Policy Change
10.2.6 Audit Logs Access
PCI 10.2.1 User Login
PCI 10.2.1 User Logout
PCI 10.2.4 Failed User Login
Telemetry Tracking Report
Unfiltered Logs

Any custom report created by the problematic user must be deleted.

One way to identify who created a custom report is to open the report's "Email" tab and, if email notification is enabled, check which email address is entered. That address can indicate who created the report.

If you have multiple user-created custom reports and do not know which one to delete, contact support and reference this KB article.

Once the custom reports are deleted, the user account should be removed successfully during the next LDAP sync cycle.