Rest API error PAM-CMN-0786 creating policies with multiple RDP Application services
Article ID: 245472

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Lately we have been increasing our use of CA PAM more and more, and so are trying to automate its configuration through the REST API as much as possible.

We are experiencing problems with the creation/update of policies which include more than one RDP Application service.

Here is an example of a JSON body we might need to post:

{
  "graphicalRecording": "t",
  "services": [
    {
      "serviceId": 18002,
      "accountIds": [1013],
      "ssoWindows": [
        {
          "winId": "17002",
          "winTitle": "Launch Oracle Client",
          "credentials": ["57003"]
        }
      ]
    },
    {
      "serviceId": 188,
      "accountIds": [1013],
      "ssoWindows": [
        {
          "winId": "62",
          "winTitle": "Launch Oracle Client",
          "credentials": ["1443"]
        }
      ]
    }
  ],
  "transparentLogin": "t",
  "violationRecording": "t"
}

This is the curl call contained inside the PowerShell script:

Invoke-RestMethod -Uri "https://$pamserver/api.php/v1/policies.json/$userId/1286" -Credential $ApiKey -Method Put -Body $policy -ContentType "application/json"

And this is the error returned by the POST:

Invoke-RestMethod : {"error":{"code":400,"message":"Bad Request: PAM-CMN-0786: ssoWindow winId 17002 is not valid for RDP Application service id 188. Either the winId doesn't exist or it is not assigned to the service."}}

The problem seems to be that the distinction between the multiple services contained in the "services" array isn't quite clear.


Environment

Release: all releases up to and including 4.0.3, and 4.1.0

Component: PRIVILEGED ACCESS MANAGEMENT

Cause

Due to a bug, PAM validated each transparent login (ssoWindows) configuration against ALL services in the request, instead of only against the service it is nested under. In the request above, winId 17002 is assigned to service 18002, but PAM also checked it against service 188, found it was not assigned there, and rejected the whole request with PAM-CMN-0786.

Resolution

The fix is expected in 4.0.4 and later 4.0.x releases, in 4.1.1 and later 4.1.x releases, and in all subsequent releases.

As a workaround, first create the policy with no services or with only one service, then add the remaining services one at a time using the "POST /api.php/v1/policies.json/{id}/services" REST API resource. Because each of those calls carries a single service, its ssoWindows entries are validated only against that service, so the cross-check that triggers PAM-CMN-0786 never fires.

The policy ID ({id}) required by that POST call is returned in the response to the call that creates the policy. To look up the IDs of existing policies, use the "GET /api.php/v1/policies.json" resource (all policies) or "GET /api.php/v1/policies.json/{userOrGroupId}/{deviceOrGroupId}" (the policy for one user/group and device/group pair).
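The workaround above, written out as a PowerShell script that a practitioner could drop into the automation described in the issue. This is an added example, not code from the original article or from CA/Broadcom. It reuses the endpoints, field names and IDs that appear on this page; everything else is an assumption and is marked as such in the comments: that a PUT to /policies.json/{userOrGroupId}/{deviceOrGroupId} with one service creates the policy, that a GET on the same path returns an object whose "id" property is the policy ID, and that POST /policies.json/{id}/services accepts one service object in the same shape as an element of the "services" array.

```powershell
# Added example (not from the original article or from CA/Broadcom).
# Workaround for PAM-CMN-0786 on PAM 4.0.3 and earlier / 4.1.0: create the
# policy with a single RDP Application service, look up its policy ID, then
# add the remaining services one call at a time via the
# /policies.json/{id}/services resource, so each ssoWindow is only ever
# validated against the service it belongs to.
#
# Assumptions (not confirmed by the article):
#   - $ApiKey is a PSCredential holding the PAM API key, as in the original
#     script; $pamServer and $userId are placeholders.
#   - PUT /policies.json/{userOrGroupId}/{deviceOrGroupId} creates the policy
#     and GET on the same path returns an object with an "id" property.
#   - POST /policies.json/{id}/services accepts one service object in the same
#     shape as an element of the "services" array.
param(
    [string]$pamServer = "pam.example.com",                      # constructed placeholder
    [int]$userId       = 1001,                                   # constructed placeholder
    [int]$deviceId     = 1286,                                   # device ID from the original call
    [pscredential]$ApiKey = (Get-Credential -Message "PAM API key")
)

$base = "https://$pamServer/api.php/v1/policies.json"

# The full list of services wanted on the policy (values taken from the article).
$services = @(
    @{ serviceId = 18002; accountIds = @(1013)
       ssoWindows = @(@{ winId = "17002"; winTitle = "Launch Oracle Client"; credentials = @("57003") }) },
    @{ serviceId = 188;   accountIds = @(1013)
       ssoWindows = @(@{ winId = "62";    winTitle = "Launch Oracle Client"; credentials = @("1443") }) }
)

# Step 1: create the policy with only the first service. With a single service
# in the request, the buggy cross-validation has nothing else to compare the
# ssoWindow against, so PAM-CMN-0786 cannot be raised.
$policy = @{
    graphicalRecording = "t"
    transparentLogin   = "t"
    violationRecording = "t"
    services           = @($services[0])
} | ConvertTo-Json -Depth 6

Invoke-RestMethod -Uri "$base/$userId/$deviceId" -Credential $ApiKey `
    -Method Put -Body $policy -ContentType "application/json" | Out-Null

# Step 2: fetch the policy back to learn its ID (the GET resource named in the
# article). Assumption: the response carries the policy ID as "id".
$created  = Invoke-RestMethod -Uri "$base/$userId/$deviceId" -Credential $ApiKey -Method Get
$policyId = $created.id
if (-not $policyId) { throw "Could not determine the ID of the policy for user $userId / device $deviceId" }

# Step 3: add each remaining service with its own POST, so every ssoWindow is
# validated only against the service it is nested under.
foreach ($svc in ($services | Select-Object -Skip 1)) {
    $body = $svc | ConvertTo-Json -Depth 6
    try {
        Invoke-RestMethod -Uri "$base/$policyId/services" -Credential $ApiKey `
            -Method Post -Body $body -ContentType "application/json" | Out-Null
        Write-Host "Added service $($svc.serviceId) to policy $policyId"
    }
    catch {
        # Surface the PAM-CMN-xxxx message from the response body rather than a bare HTTP 400.
        throw "Adding service $($svc.serviceId) to policy $policyId failed: $($_.ErrorDetails.Message)"
    }
}
```

Because -Credential sends the API key with every request, keep the URI on HTTPS with a trusted certificate and do not add -SkipCertificateCheck to make a lab instance work; the same key that creates policies can also read the credentials they reference. Once the instance is upgraded to a fixed release, the loop can be collapsed back into a single PUT with the full "services" array.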