PAM-CMN-1599 When Attempting to Create a Device Via the API

book

Article ID: 206168

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

When using the API to create a device with the Password Management device type, the API returns PAM-CMN-1599. The device can be created without the Password Management device type set. Changing the user and API key's role to Global Administrator does not fix the issue.

Response Body:
{ "error": { "code": 400, "message": "Bad Request: PAM-CMN-1599: User Support via SupportAPI tried to add target server SupportDevice without authorization" } }

Cause

The error will occur when the user to which the API key is associated is a member of a Credential Manager group with improper privileges. In this case, the user was a member of the "Base Users" Credential Manager group, which has minimal permissions.

Environment

Privileged Access Management 3.3 and above

Resolution

To allow the user to manage target devices, add them to a Credential Manager group with the proper role. For more information about the Credential Manager role needed, please refer to the documentation.

Additional Information

Add Credential Manager Credential Groups: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-2/implementing/protect-privileged-account-credentials/delegate-password-management-tasks-to-groups/add-credential-manager-credential-groups.html

Add or Modify Credential Manager Roles: 
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-2/implementing/protect-privileged-account-credentials/delegate-password-management-tasks-to-groups/add-or-modify-credential-manager-roles.html