Lately we are increasing our use of CA PAM more and more, and are therefore trying to automate its configuration through the APIs as much as possible.
We are experiencing problems with the creation / update of policies which include more than one RDP Service Application.
Here is an example of a JSON body we might need to post:
{
  "graphicalRecording": "t",
  "services": [
    {
      "serviceId": 18002,
      "accountIds": [1013],
      "ssoWindows": [
        {
          "winId": "17002",
          "winTitle": "Launch Oracle Client",
          "credentials": ["57003"]
        }
      ]
    },
    {
      "serviceId": 188,
      "accountIds": [1013],
      "ssoWindows": [
        {
          "winId": "62",
          "winTitle": "Launch Oracle Client",
          "credentials": ["1443"]
        }
      ]
    }
  ],
  "transparentLogin": "t",
  "violationRecording": "t"
}
This is the curl contained inside the PowerShell script:
Invoke-RestMethod -Uri "https://$pamserver/api.php/v1/policies.json/$userId/1286" -Credential $ApiKey -Method Put -Body $policy -ContentType "application/json"
And this is the error returned by the POST:
Invoke-RestMethod : {"error":{"code":400,"message":"Bad Request: PAM-CMN-0786: ssoWindow winId 17002 is not valid for RDP Application service id 188. Either the winId doesn't exist or it is not assigned to the service."}}
The problem seems to be that the distinction between the multiple services contained in the "services" array isn't quite clear.
Release: all releases up to 4.0.3 and 4.1.0
Component: PRIVILEGED ACCESS MANAGEMENT
Due to a bug, PAM validated each transparent login configuration (ssoWindow) against ALL services being added in the request, instead of validating it only against the specific service it is configured under. This is why winId 17002, which belongs to service 18002, was rejected as invalid for service 188.
The problem is expected to be fixed in 4.0.4+ and 4.1.1+, and in future releases.
A workaround is to first publish the policy with no services or only one service, and then use the "POST /api.php/v1/policies.json/{id}/services" REST API resource to add the remaining services to the new policy, so that each ssoWindow is only ever submitted alongside its own service.
The policy ID ({id}) required in the above POST call is returned by the first POST call that creates the policy. To get IDs of existing policies, use the "GET /api.php/v1/policies.json" or "GET /api.php/v1/policies.json/{userOrGroupId}/{deviceOrGroupId}" resources.
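The two-step workaround as an added PowerShell example (not code from this article or from CA); it reuses the service data from the JSON body above. It assumes the policy is created with a POST to policies.json/{userOrGroupId}/{deviceOrGroupId}, that the create response carries the new policy ID in a field named id, and that the services sub-resource accepts a body of the same shape as the services array; verify those three points against your release's API documentation.

```powershell
# Added example, not from the KB article or from CA PAM: create the policy with a
# single service, then add the second service through the services sub-resource so
# that no ssoWindow is validated against a service it does not belong to.
$pamServer = 'pam.example.internal'                   # placeholder host
$userId    = 1001                                     # placeholder user/group id
$deviceId  = 1286                                     # device id from the original PUT URL
$apiKey    = Get-Credential -Message 'PAM API key'    # same credential object as the script

function New-RdpService {
    param([int]$ServiceId, [int[]]$AccountIds, [string]$WinId, [string[]]$Credentials)
    # One services[] element; its ssoWindow is tied only to this serviceId.
    return @{
        serviceId  = $ServiceId
        accountIds = $AccountIds
        ssoWindows = @(@{ winId = $WinId; winTitle = 'Launch Oracle Client'; credentials = $Credentials })
    }
}

$first  = New-RdpService -ServiceId 18002 -AccountIds 1013 -WinId '17002' -Credentials '57003'
$second = New-RdpService -ServiceId 188   -AccountIds 1013 -WinId '62'    -Credentials '1443'

# Step 1: publish the policy with ONE service only, so the buggy cross-service
# check has nothing to compare against.
$createBody = @{
    graphicalRecording = 't'
    transparentLogin   = 't'
    violationRecording = 't'
    services           = @($first)
} | ConvertTo-Json -Depth 10
# Assumption: the create endpoint is policies.json/{userOrGroupId}/{deviceOrGroupId}.
$created = Invoke-RestMethod -Uri "https://$pamServer/api.php/v1/policies.json/$userId/$deviceId" `
    -Credential $apiKey -Method Post -Body $createBody -ContentType 'application/json'
$policyId = $created.id    # assumption: name of the field holding the returned policy ID

# Step 2: add each remaining service in its own call to the services sub-resource
# (the endpoint named in the resolution; the body shape is an assumption).
foreach ($svc in @($second)) {
    $servicesBody = @{ services = @($svc) } | ConvertTo-Json -Depth 10
    Invoke-RestMethod -Uri "https://$pamServer/api.php/v1/policies.json/$policyId/services" `
        -Credential $apiKey -Method Post -Body $servicesBody -ContentType 'application/json'
}
```

Keep -Depth 10 on ConvertTo-Json: the default depth truncates the nested ssoWindows array and the server then rejects the body.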