You are using the API/CLI to create a UNIX target device/application/account.
You'd like to know how to set, via the API/CLI, the options that correspond to the check boxes in the Account Discovery tab of the UI.
You'd also like to know whether other features/switches are documented, so that you have a full understanding of what is (or is not) available via the API/CLI, not only for UNIX/Linux related objects but for any other object that can be defined in PAM.
Applies to all PAM releases as of March 2024.
In general, the attributes for target applications and accounts are discussed in the documentation pages for each type of target application, such as Implementing > Protect Privileged Account Credentials > Identify Target Applications and Connectors > Add a UNIX Target Connector.
Each connector typically has one child page for CLI configuration and one for External API parameters. E.g. in the 4.1.6 documentation the corresponding pages for the UNIX target connector are UNIX Target Connector CLI Configuration and UNIX Target Application External API Configuration.
At this time there is no specific documentation for the discovery-related attributes, but they are listed in the API examples at the bottom of the second (External API) page.
For target applications:
acctDiscUseGid (true | false)
acctDiscGidType (RANGE | VALUE)
acctDiscGidValue (<integer>)
acctDiscGidRangeLow (<integer>)
acctDiscGidRangeHigh (<integer>)
acctDiscUseUid (true | false)
acctDiscUidType (RANGE | VALUE)
acctDiscUidValue (<integer>)
acctDiscUidRangeLow (<integer>)
acctDiscUidRangeHigh (<integer>)
----------
For target accounts:
discoveryAllowed (true | false)
discoveryGlobal (true | false)
----------
Here is an example body that sets these parameters when creating a UNIX target application using the REST API resource "POST /api.php/v1/devices.json/{id}/targetApplications":
{
"applicationName": "example-API-UNIX",
"applicationType": "unixII",
"description1": "My TA descriptor one",
"description2": "My TA descriptor two",
"attributes": {
"passwordEntryPrompt": "",
"sshSessionTimeout": "",
"echoCommand": "",
"telnetSessionTimeout": "",
"useUpdateScriptType": "DEFAULT",
"substituteUserCommand": "",
"sshUseDefaultKeyExchangeAlgorithms": "true",
"sshKeyPairPolicyID": "",
"passwordConfirmationPrompt": "",
"changeFilePermissionsCommand": "",
"sshPort": "",
"changePasswordCommand": "",
"useVerifyScriptType": "DEFAULT",
"sshServerToClientCiphersList": "",
"elevatePrivilegeCommand": "",
"sshKnownHostKey": "",
"sshKnownHostKeyFingerprint": "",
"exitStatusOfLastCommand": "",
"sshServerToClientCompressionAlgorithmsList": "",
"extensionType": "unixII",
"systemInfoCommand": "",
"patternMatchingCommand": "",
"sshDetectCiphersList": "",
"sshClientToServerCiphersList": "",
"sshClientToServerCompressionAlgorithmsList": "",
"passwordChangePrompt": "",
"sshUseDefaultCiphers": "true",
"sshServerHostKeyAlgorithmsList": "",
"userNameEntryPrompt": "",
"sshUseDefaultHashes": "true",
"unixVariant": "LINUX",
"whoAmICommand": "",
"telnetPort": "",
"sshKeyExchangeAlgorithmsList": "",
"policyManagementCommand": "",
"sshUseDefaultCompressionAlgorithms": "true",
"sshUseDefaultServerHostKeyAlgorithms": "true",
"scriptTimeout": "",
"sshClientToServerHashesList": "",
"sshServerToClientHashesList": "",
"sshStrictHostKeyCheckingEnabled": "false",
"acctDiscUseGid": "true",
"acctDiscGidType": "RANGE",
"acctDiscGidValue": "",
"acctDiscGidRangeLow": "2",
"acctDiscGidRangeHigh": "10002",
"acctDiscUseUid": "true",
"acctDiscUidType": "RANGE",
"acctDiscUidValue": "",
"acctDiscUidRangeLow": "1002",
"acctDiscUidRangeHigh": "10002"
}
}
The resource "PUT /api.php/v1/devices.json/{id}/targetApplications" can be used to update these attributes for an existing target application; the "id" in the body identifies the target application, here the one with ID 15001:
{
"id": "15001",
"attributes": {
"acctDiscUseGid": "true",
"acctDiscGidType": "RANGE",
"acctDiscGidValue": "",
"acctDiscGidRangeLow": "3",
"acctDiscGidRangeHigh": "10003",
"acctDiscUseUid": "true",
"acctDiscUidType": "RANGE",
"acctDiscUidValue": "",
"acctDiscUidRangeLow": "1003",
"acctDiscUidRangeHigh": "10003"
}
}
The same attribute names can be used when creating a target application using the remote CLI:
cmdName=addTargetApplication TargetServer.hostName=example.com TargetApplication.type=unixII TargetApplication.name=example-CLI-UNIX Attribute.extensionType=unixII Attribute.unixVariant=LINUX Attribute.useDefaultUpdateScript=true Attribute.useDefaultVerifyScript=true Attribute.acctDiscUseGid=true Attribute.acctDiscGidType=RANGE Attribute.acctDiscGidRangeLow=4 Attribute.acctDiscGidRangeHigh=10004 Attribute.acctDiscUseUid=true Attribute.acctDiscUidType=RANGE Attribute.acctDiscUidRangeLow=1004 Attribute.acctDiscUidRangeHigh=10004
Similarly, the attributes discoveryAllowed and discoveryGlobal can be set to "true" or "false" when creating target accounts using the REST API or the remote CLI.
In most cases the best approach is to use GET API calls to retrieve all attributes of an existing application or account on which the attributes of interest are already set. The attribute names are generally specific enough to associate them with the corresponding setting in the UI. Note that Boolean attributes are in most cases returned as "t" or "f" in API responses (GET calls), but have to be set to "true" or "false" in POST and PUT calls.
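As an added example (not part of the original article or of the product documentation), the following Python script does what the previous paragraph recommends: it takes a GET response, keeps only the acctDisc* attributes, converts the "t"/"f" Booleans to the "true"/"false" strings that POST and PUT require, sanity-checks the RANGE/VALUE settings before anything is sent, and builds the PUT body in the shape shown above. The base URL, the API user and password, the device ID and the use of HTTP Basic authentication are assumptions; the sample GET response is constructed, not captured from a real system.

```python
"""Read the account-discovery attributes of an existing PAM target
application from a GET response, normalise them, and build the PUT body.

Added example, not product code. Assumptions:
  - base URL, credentials and the device/application IDs are placeholders;
  - the API accepts HTTP Basic authentication (assumption);
  - GET returns Booleans as "t"/"f", POST/PUT want "true"/"false".
"""
import base64
import json
import urllib.request

# Attribute names listed in the article for UNIX target applications.
ACCT_DISC_ATTRS = (
    "acctDiscUseGid", "acctDiscGidType", "acctDiscGidValue",
    "acctDiscGidRangeLow", "acctDiscGidRangeHigh",
    "acctDiscUseUid", "acctDiscUidType", "acctDiscUidValue",
    "acctDiscUidRangeLow", "acctDiscUidRangeHigh",
)
BOOLEAN_ATTRS = {"acctDiscUseGid", "acctDiscUseUid"}


def to_request_bool(value):
    """Map a GET-style 't'/'f' (or a real bool) to the 'true'/'false' strings PUT/POST expect."""
    if isinstance(value, bool):
        return "true" if value else "false"
    v = str(value).strip().lower()
    if v in ("t", "true", "1"):
        return "true"
    if v in ("f", "false", "0", ""):   # an unset value is treated as false
        return "false"
    raise ValueError(f"unexpected Boolean value {value!r}")


def discovery_attributes(get_response):
    """Keep only the acctDisc* attributes of a GET response, with Booleans normalised."""
    attrs = get_response.get("attributes", {})
    out = {}
    for name in ACCT_DISC_ATTRS:
        if name in attrs:
            out[name] = to_request_bool(attrs[name]) if name in BOOLEAN_ATTRS else str(attrs[name])
    return out


def validate_discovery(attrs):
    """Client-side check that each enabled filter has a complete RANGE or VALUE definition.
    Returns a list of problems; an empty list means the settings are consistent."""
    problems = []
    for kind in ("Gid", "Uid"):
        if attrs.get(f"acctDiscUse{kind}") != "true":
            continue                      # filter disabled, nothing to check
        mode = attrs.get(f"acctDisc{kind}Type")
        if mode == "RANGE":
            lo = str(attrs.get(f"acctDisc{kind}RangeLow", ""))
            hi = str(attrs.get(f"acctDisc{kind}RangeHigh", ""))
            if not (lo.isdigit() and hi.isdigit()) or int(lo) > int(hi):
                problems.append(f"{kind}: RANGE needs integer low <= high, got {lo!r}..{hi!r}")
        elif mode == "VALUE":
            if not str(attrs.get(f"acctDisc{kind}Value", "")).isdigit():
                problems.append(f"{kind}: VALUE needs an integer acctDisc{kind}Value")
        else:
            problems.append(f"{kind}: acctDisc{kind}Type must be RANGE or VALUE, got {mode!r}")
    return problems


def build_put_body(app_id, attrs):
    """Body for PUT /api.php/v1/devices.json/{id}/targetApplications, as shown in the article."""
    problems = validate_discovery(attrs)
    if problems:
        raise ValueError("; ".join(problems))
    return {"id": str(app_id), "attributes": dict(attrs)}


def pam_request(base_url, user, password, method, path, body=None):
    """Send one JSON request to the PAM REST API (not executed offline; auth scheme is an assumption)."""
    req = urllib.request.Request(base_url + path, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    data = json.dumps(body).encode() if body is not None else None
    with urllib.request.urlopen(req, data=data, timeout=30) as resp:
        return json.load(resp)


# Constructed sample of a GET response for target application 15001
# (only the fields relevant here; note the "t"/"f" Booleans).
SAMPLE_GET = {
    "id": "15001",
    "applicationName": "example-API-UNIX",
    "attributes": {
        "acctDiscUseGid": "t", "acctDiscGidType": "RANGE", "acctDiscGidValue": "",
        "acctDiscGidRangeLow": "2", "acctDiscGidRangeHigh": "10002",
        "acctDiscUseUid": "f", "acctDiscUidType": "VALUE", "acctDiscUidValue": "",
        "acctDiscUidRangeLow": "", "acctDiscUidRangeHigh": "",
        "unixVariant": "LINUX",
    },
}

if __name__ == "__main__":
    attrs = discovery_attributes(SAMPLE_GET)
    # Switch the UID filter on with a range, then build and print the PUT body.
    attrs.update({"acctDiscUseUid": "true", "acctDiscUidType": "RANGE",
                  "acctDiscUidRangeLow": "1003", "acctDiscUidRangeHigh": "10003"})
    body = build_put_body(SAMPLE_GET["id"], attrs)
    print(json.dumps(body, indent=2))
    # Placeholder values; uncomment to send against a real appliance:
    # pam_request("https://pam.example.com", "apiuser", "secret", "PUT",
    #             "/api.php/v1/devices.json/1001/targetApplications", body)
```

The validation step matters because the API examples on this page only show a RANGE filter with both bounds set; sending an enabled filter with an empty or inverted range is the kind of request that fails in a way that is hard to diagnose from the response alone.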
In cases where you cannot find the attributes you want to set in the documentation or in API responses, and/or cannot get your API calls to work, please raise a case with PAM Support for the specific problem you are dealing with.