PAM-UI-1005 and PAM-UI-1003 errors on Access page for users with limited approver role
search cancel

PAM-UI-1005 and PAM-UI-1003 errors on Access page for users with limited approver role

book

Article ID: 236165

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have a custom role that allows PAM users, who are also Standard Users, to approve password view requests. This is done by adding access role Password Manager in the PAM user details, and assigning a CM group with the custom CM role to the user. However, when these users logon to PAM and land on the access page, they first see a PAM-UI-1005 error, to be replaced a few seconds later by a PAM-UI-1003 error. If they clear the error, it comes back a few seconds later.

The following picture shows one CM role that will cause this problem for users:

 

Environment

Release : 3.4.2

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

The 3.4.2 access page makes Rest API calls into PAM every few minutes to check on updates for approvals that should be shown on the access page. One of these calls fails, if the user does not have the "List Target Accounts" privilege. However, assigning this privilege would allow the user to view all target account passwords, and also have them listed for view on the access page, which cannot be allowed for the approvers.

Resolution

This problem is fixed in PAM 3.4.3+, see the following item on page Resolved Issues in 3.4.3:

32295788, 32301457
DE481709
Users with limited approver roles get errors on access page after upgrade from 3.3.1 to 3.3.4
Powered by Wolken Software