ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

PAM-CMN-0155 When Trying to Assign a Credential Manager Group to a User

book

Article ID: 237430

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When trying to modify a user to assign a Credential Manager group, the following error occurs.

PAM-CMN-0155: User pamadmin was not updated.

If the issue is reproduced with Tomcat Log Level set to INFO, the following is seen in the logs.

Mar 20, 2022 10:10:10 PM com.cloakware.cspm.server.app.impl.ApplicationContextImpl invokeCommand
INFO: ApplicationContext.invoke(CommandRequest, Transaction, listeners) exception:1010 msg:User Groups exceeded the maximum limit
com.cloakware.cspm.server.app.ApplicationException: User Groups exceeded the maximum limit
 at......

Cause

By default, a PAM user can only be assigned to a maximum of ten Credential Manager groups. This value can be overwritten by the system properties, but the number cannot be increased past 25 due to a limitation within the database.

Environment

Privileged Access Management all versions

Resolution

To increase the maximum number of Credential Manager groups, use the setSystemProperty CLI command. An example is below.

> capam_command capam=PAMFQDN adminUserID=super adminPassword=superspassword cmdName=setSystemProperty propertyName=maxUserGroupLimit propertyValues=21

To confirm the value, use the getSystemProperty CLI command.

> capam_command capam=PAMFQDN adminUserID=super adminPassword=superspassword cmdName=getSystemProperty propertyName=maxUserGroupLimit

The output would look similar to the following, look for <propertyValue> to confirm the new limit.

<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><SystemProperty><propertyValue>21</propertyValue><booleanValue>false</booleanValue><propertyName>maxUserGroupLimit</propertyName><hash></hash><createTime>1647896778000</createTime><createDate>Mon Mar 21 21:06:18 UTC 2022</createDate><updateDate>Mon Mar 21 21:06:18 UTC 2022</updateDate><extensionType></extensionType><createUser>super</createUser><updateTime>1647896778000</updateTime><updateUser>super</updateUser><ID>27001</ID></SystemProperty></cr.result></CommandResult>