A REST API call for CA PAM doesn't retrieve the Target Account id
search cancel

A REST API call for CA PAM doesn't retrieve the Target Account id

book

Article ID: 214224

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The CA PAM REST API may be used to retrieve the properties of a device, its associated target applications and target accounts

Let's take for instance a device of type "Other" called abc123, which has some target applications and target accounts connected to it.

To retrieve its target applications and target accounts we can first of all call the devices.json API, /api.php/v1/devices.json, passing as parameter the device name.

With this call the typical output will be:

{
  "totalRows": "1",
  "devices": [
    {
      "deviceId": "60001",
      "deviceName": "abc123",
      "domainName": "abc123",
      "description": "",
      "os": "Other",

 

From this json, the deviceId  may be used to gather information related to the target applications by using json REST API method  /api.php/v1/devices.json{id}/targetApplications

Let's assume this retrieves two applications

[
  {
    "id": "52001",
    "applicationName": "SSH-abc123",
    "applicationType": "vmware",
    "description1": "",
    "description2": "",
    "deviceId": 60001,
    "passwordCompositionPolicyId": "1002"
  },
  {
    "id": "51001",
    "applicationName": "SSH-abc123-xxx",
    "applicationType": "vmware",
    "description1": "",
    "description2": "",
    "deviceId": 60001,
    "passwordCompositionPolicyId": "1003"
  }
]

To obtain information about the target accounts, method /api.php/v1/devices.json{id}/targetApplications/{applicationId}/targetAccounts may be used. For instance by using id 52001

However, sometimes this returns no targetAccount whatsoever, even though there are indeed target accounts associated to the targetApplication being queried,e.g. doing

https://mypam.example.com/api.php/v1/devices.json/60001/targetApplications/52001/targetAccounts?sortBy=%2BaccountName&limit=10

returns

[]

and code 200

So no error but the result is empty.

Environment

CA PAM 3.3.X and 3.4.X

Cause

This is caused by a permissions issue. If the API Key we are trying to use does not have a Credential Management role (for instance let's imagine it just has the Standard Role and the Device Manager role) this type of behaviour will occur: no targetaccount will be retrieved and no error message will be thrown

Resolution

Assign to the API Key some Password Management role (either one of the predefined one or a custom one) and a Credential Manager group to manage. Remember that since the API Key is associated to a PAM user, in order to do this the corresponding user will have to have at least the same level of privileges and it will have to be associated to manage the same Credential Management groups as will be associated to the API Key being used to do the queries.