CAPAM does not remove previous Admin Accounts, error PAM-CMN-1583 - users not deleted for lack of privilege is presented

Article ID: 216125

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

CA PAM is integrated with Active Directory. Security groups were imported from AD, and users are provisioned in CA PAM by assigning those groups to their accounts, so a user's AD group membership determines whether the account exists in CA PAM.

Some Admin accounts whose AD group membership has already been removed are still present in CA PAM: the group synchronization does not delete them because these accounts hold a higher privilege.

Environment

Release : All Supported PAM releases.

Component : PRIVILEGED ACCESS MANAGER CREDENTIAL MANAGEMENT

Cause

These Admin accounts hold a higher privilege because they are on the "Breakglass Approvers" list (Breakglass Approvers can retrieve passwords for target accounts in an emergency). The group synchronization will not delete a user who holds this privilege, so the accounts are retained even after their AD group membership is removed.

Resolution

The session log shows the synchronization result as: "PAM-CMN-1583: 0 users deleted, 1 users not deleted for lack of privilege, 0 users not found, 0 LDAP users not deleted, 0 login contact users not deleted, 0 unknown user delete errors",0, --,,0. The non-zero "not deleted for lack of privilege" count is the retained Admin account.

The affected Admin accounts are on the "Breakglass Approvers" list. Remove them from the Breakglass Approvers list; once they no longer hold that privilege, the synchronization deletes them from CA PAM.
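To catch this condition before someone notices a stale privileged account, the PAM-CMN-1583 summary can be parsed out of the session log and any non-zero "not deleted for lack of privilege" count flagged for review of the Breakglass Approvers list. The parser below is an added example written for this article, not a CA PAM tool or API; it assumes only the message format quoted above (the field order is taken from that line), and the sample log lines other than the quoted one are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Format of the PAM-CMN-1583 summary as quoted in the article; the field order
# is taken from that line. This parser is an added example, not a CA PAM tool.
PAM_CMN_1583 = re.compile(
    r"PAM-CMN-1583:\s*"
    r"(?P<deleted>\d+) users deleted, "
    r"(?P<no_privilege>\d+) users not deleted for lack of privilege, "
    r"(?P<not_found>\d+) users not found, "
    r"(?P<ldap_kept>\d+) LDAP users not deleted, "
    r"(?P<login_contact_kept>\d+) login contact users not deleted, "
    r"(?P<unknown_errors>\d+) unknown user delete errors"
)


@dataclass(frozen=True)
class DeleteSummary:
    deleted: int
    no_privilege: int
    not_found: int
    ldap_kept: int
    login_contact_kept: int
    unknown_errors: int

    @property
    def needs_attention(self) -> bool:
        # "not deleted for lack of privilege" is the Breakglass Approver case
        # described in the article; unknown delete errors also need a human look.
        return self.no_privilege > 0 or self.unknown_errors > 0


def parse_pam_cmn_1583(line: str) -> Optional[DeleteSummary]:
    """Return the counts from a PAM-CMN-1583 line, or None if the line is not one.

    re.search is used so trailing export columns (",0, --,,0") do not matter.
    """
    m = PAM_CMN_1583.search(line)
    if m is None:
        return None
    return DeleteSummary(**{name: int(value) for name, value in m.groupdict().items()})


def find_blocked_deletions(lines: List[str]) -> List[Tuple[int, DeleteSummary]]:
    """Return (1-based line number, summary) for every sync run that kept users it should have deleted."""
    hits: List[Tuple[int, DeleteSummary]] = []
    for lineno, line in enumerate(lines, start=1):
        summary = parse_pam_cmn_1583(line)
        if summary is not None and summary.needs_attention:
            hits.append((lineno, summary))
    return hits


# Constructed sample log: the first PAM-CMN-1583 entry is the line quoted in
# the article (including its trailing export columns); the other lines are made up.
SAMPLE_SESSION_LOG = [
    "Session start",
    '"PAM-CMN-1583: 0 users deleted, 1 users not deleted for lack of privilege, '
    "0 users not found, 0 LDAP users not deleted, 0 login contact users not deleted, "
    '0 unknown user delete errors",0, --,,0',
    "PAM-CMN-1583: 3 users deleted, 0 users not deleted for lack of privilege, "
    "0 users not found, 0 LDAP users not deleted, 0 login contact users not deleted, "
    "0 unknown user delete errors",
    "Session end",
]

if __name__ == "__main__":
    for lineno, summary in find_blocked_deletions(SAMPLE_SESSION_LOG):
        print(f"line {lineno}: {summary.no_privilege} user(s) not deleted for lack of privilege; "
              "check the Breakglass Approvers list for accounts that left their AD groups")
```

Run against an exported session log, a non-empty result means the next step is to compare the Breakglass Approvers list against the users who were removed from their AD groups, rather than waiting for the orphaned Admin account to be discovered by hand.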

Additional Information

None.