PAM-CMN-0155 When Trying to Assign a Credential Manager Group to a User
search cancel

PAM-CMN-0155 When Trying to Assign a Credential Manager Group to a User

book

Article ID: 237430

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When trying to modify a user to assign a Credential Manager group in PAM, the following error occurs.

PAM-CMN-0155: User <username> was not updated.

If the issue is reproduced with Tomcat Log Level set to INFO, the following is seen in the logs.

Mar 20, 2022 10:10:10 PM com.cloakware.cspm.server.app.impl.ApplicationContextImpl invokeCommand
INFO: ApplicationContext.invoke(CommandRequest, Transaction, listeners) exception:1010 msg:User Groups exceeded the maximum limit
com.cloakware.cspm.server.app.ApplicationException: User Groups exceeded the maximum limit
 at......

Environment

Privileged Access Manager versions prior to 4.1.3

Cause

By default, a PAM user can only be assigned to a maximum of ten Credential Manager groups. This value can be overwritten by the system properties, but the number could not be increased past 25 due to a limitation within the database in PAM release 4.1.2 and older.

Resolution

The limit has been removed since the 4.1.3 release, refer to the "Number Of Credential Manager Groups That Can Be Assigned To A User Is No Longer Limited" section of the New Features and Enhancements in 4.1.3 documentation page.

 

To increase the maximum number of Credential Manager groups in release prior to 4.1.3, use the setSystemProperty CLI command. An example is below.

> capam_command capam=PAMFQDN adminUserID=super adminPassword=<password> cmdName=setSystemProperty propertyName=maxUserGroupLimit propertyValues=21

To confirm the value, use the getSystemProperty CLI command.

> capam_command capam=PAMFQDN adminUserID=super adminPassword=<password> cmdName=getSystemProperty propertyName=maxUserGroupLimit

The output would look similar to the following, look for <propertyValue> to confirm the new limit.

<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><SystemProperty><propertyValue>21</propertyValue><booleanValue>false</booleanValue><propertyName>maxUserGroupLimit</propertyName><hash></hash><createTime>1647896778000</createTime><createDate>Mon Mar 21 21:06:18 UTC 2022</createDate><updateDate>Mon Mar 21 21:06:18 UTC 2022</updateDate><extensionType></extensionType><createUser>super</createUser><updateTime>1647896778000</updateTime><updateUser>super</updateUser><ID>#####</ID></SystemProperty></cr.result></CommandResult>

Additional Information

For more information about the command syntax, please refer to the Remote CLI Syntax documentation page.

Powered by Wolken Software