Many of our access policies are defined for individual users. When we onboard new PAM users with roles very similar to existing users, we do a policy export, extract the policies applicable to the reference user, change the user name and possibly other details, and then import the CSV file to provision access policies for the new user. But this fails for multiple policies with the error:
PAM-CMN-0668 = Device <device name> does not have service <service name> for SSO .
Release : 4.0
Component : PRIVILEGED ACCESS MANAGEMENT
This is a known problem in 4.0.1 that is fixed in 4.0.2. See the following item on the documentation page "Resolved Issues in 4.0.2":
32937499 | DE522434 | Improper Policy Export Formatting causes a PAM-CMN-0668 error when importing the CSV
Upgrading PAM to 4.0.2 or higher will resolve the problem.
If you cannot upgrade soon but need to get this to work, you should be able to resolve the problem by editing the policy CSV file: in the Services column (column D), remove the trailing space character from the service name that is reported in the PAM-CMN-0668 message. For example, the following entry has this problem:
CA PAM |putty,,,ts=PAM-Node1 tap=PAM-SSH-Console tac=root
We have services "CA PAM" and "putty" in this policy. There is no account configured for transparent login for service "CA PAM" and the policy export erroneously added a space character after the name. Changing this to
CA PAM|putty,,,ts=PAM-Node1 tap=PAM-SSH-Console tac=root
should allow a successful import. Note that if the putty service had been listed first and the "CA PAM" service last, there could still be a problematic space character at the end that would need to be removed.
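
When many rows are affected, the manual edit described above can be scripted. The following Python sketch is an added example, not part of the original article or of PAM. It assumes the Services column is the fourth CSV field, that services in a cell are separated by "|", and that a service name is the text before the first comma, as in the sample entry; the header and the other columns in the sample data are constructed placeholders.

```python
import csv
import io

SERVICES_COL = 3  # column D (Services), per the article


def fix_services_cell(cell):
    """Strip trailing whitespace from each service name in a Services cell."""
    fixed = []
    for entry in cell.split("|"):
        # Assumption: the service name is everything before the first comma.
        name, sep, rest = entry.partition(",")
        fixed.append(name.rstrip() + sep + rest)
    return "|".join(fixed)


def fix_policy_csv(text):
    """Return (fixed_csv_text, changes); changes holds (row_number, before, after)."""
    rows = list(csv.reader(io.StringIO(text, newline="")))
    changes = []
    for number, row in enumerate(rows, start=1):
        if len(row) <= SERVICES_COL:
            continue  # short or empty row: nothing to fix
        before = row[SERVICES_COL]
        after = fix_services_cell(before)
        if after != before:
            row[SERVICES_COL] = after
            changes.append((number, before, after))
    out = io.StringIO(newline="")
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue(), changes


# Constructed sample: only the column D values come from the article;
# the header row and columns A-C are placeholders.
SAMPLE = (
    "colA,colB,colC,Services\n"
    'u1,d1,x,"CA PAM |putty,,,ts=PAM-Node1 tap=PAM-SSH-Console tac=root"\n'
    'u2,d2,x,"putty,,,ts=PAM-Node1 tap=PAM-SSH-Console tac=root|CA PAM "\n'
    "u3,d3,x,putty\n"
)

if __name__ == "__main__":
    fixed_text, changed = fix_policy_csv(SAMPLE)
    for number, before, after in changed:
        print(f"row {number}: {before!r} -> {after!r}")
```

Review the reported changes before importing the corrected file, so that only the intended service names were altered.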