[PAM] User status in User export, Remote CLI and REST API


Article ID: 230796


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM user ('user3' in this sample) is set to disabled.

The user export (CSV) shows the user's "Active Flag" set to "f".

Type,UserName,First Name,Last Name,Password,Password Set Time,Phone,Cell Phone,Email,Description,Active Flag,Activation Time,Last Activation Time,Account Disabled Time,Expiration Time,Authentication,Email On Login Contact,Email Self On Login Flag,Terminate Session on Deactivation Flag,Access Times,Provision Type,Group Membership,Applet Message,Roles,PA Group Membership,Smart Button Group,User Principal Name,Login IP Ranges,API Keys
"user","CN=User3,OU=PAM-Users,DC=kimlabs,DC=net","User3","","","0","","","[email protected]","","f","","1621474870","1639638148","0","ldap","","f","f","","ldap","CN=PAM-Users-Group,OU=PAM-Users,DC=kimlabs,DC=net","","","",,"[email protected]","",""

Remote CLI shows the following.

  <User>
 <userID>[email protected]</userID>
 <authenticationType>CSPM</authenticationType>
 <gkUserId>11001</gkUserId>
 <userGroupIDs>[1000]</userGroupIDs>
 <serverKeyId>1001</serverKeyId>
 <failedLoginAttempts>0</failedLoginAttempts>
 <lastLogin></lastLogin>
 <viewType>general</viewType>
 <ldapDN></ldapDN>
 <firstName>User3</firstName>
 <lastName></lastName>
 <email>[email protected]</email>
 <status>ACTIVE</status>
 <password></password>
 <hash>2EXD4riir23DBDZCtr6CptkJ23A=</hash>
 <createTime>1616925358000</createTime>
 <createDate>Sun Mar 28 09:55:58 UTC 2021</createDate>
 <createUser>super</createUser>
 <updateTime>1639638149000</updateTime>
 <updateUser>super</updateUser>
 <updateDate>Thu Dec 16 07:02:29 UTC 2021</updateDate>
 <extensionType></extensionType>
 <ID>9001</ID>
</User>

REST API returns the following.

Environment

Release : All PAM (tested on PAM 3.4.1 and 4.0.0)


Cause

This is an expected result.

If you are checking the user account status, use the CSV export or the REST API.

The user export and the REST API read the user information from the 'uag.user' table, which holds the expected state.

Remote CLI is a Credential Management utility, so it reads the information from the 'cspm.admin' table, hence the difference.


Resolution

Use the CSV user export or the REST API to get the user account status.
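The following is an added example, not part of the original article or of the product: a Python check that takes the status from the CSV export and lists accounts that are disabled there while Remote CLI still reports them as ACTIVE. The sample data is constructed with placeholder names, and the script assumes that the export's "User Principal Name" equals the Remote CLI userID, that "t" marks an enabled user, and that "Account Disabled Time" is in epoch seconds.

```python
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample data (columns trimmed to those used; names are placeholders).
# "t" for an enabled user and the <Users> wrapper element are assumptions.
EXPORT_CSV = '''Type,UserName,Active Flag,Account Disabled Time,User Principal Name
"user","CN=User3,OU=PAM-Users,DC=example,DC=test","f","1639638148","user3@example.test"
"user","CN=User4,OU=PAM-Users,DC=example,DC=test","t","0","user4@example.test"
'''
REMOTE_CLI_XML = '''<Users>
<User><userID>user3@example.test</userID><status>ACTIVE</status></User>
<User><userID>user4@example.test</userID><status>ACTIVE</status></User>
</Users>'''

def export_status(csv_text):
    """Map UPN -> (disabled, disabled_at) from the user export (uag.user view)."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Type"] != "user":
            continue
        disabled = row["Active Flag"].strip().lower() == "f"
        # Assumption: epoch seconds, consistent with updateDate in the Remote CLI output.
        ts = int(row["Account Disabled Time"] or 0)
        when = datetime.fromtimestamp(ts, tz=timezone.utc) if disabled and ts else None
        result[row["User Principal Name"].lower()] = (disabled, when)
    return result

def remote_cli_status(xml_text):
    """Map userID -> status string from Remote CLI output (cspm.admin view)."""
    root = ET.fromstring(xml_text)
    return {u.findtext("userID", "").lower(): u.findtext("status", "")
            for u in root.iter("User")}

def misleading_accounts(csv_text, xml_text):
    """Accounts disabled per the export that Remote CLI still reports as ACTIVE."""
    cli = remote_cli_status(xml_text)
    return sorted(
        (upn, when.isoformat() if when else None)
        for upn, (disabled, when) in export_status(csv_text).items()
        if disabled and cli.get(upn) == "ACTIVE"
    )

if __name__ == "__main__":
    for upn, when in misleading_accounts(EXPORT_CSV, REMOTE_CLI_XML):
        print(f"{upn}: disabled in PAM since {when}, Remote CLI still says ACTIVE")
```

Because the columns are read by header name, the same functions work on a full export with all columns present.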
