searchTargetAuthorization Contains -1 for IDs

Article ID: 251221

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The searchAuthorization CLI command is used within a script to get the A2A authorization mappings in an automated fashion, then searchTargetAlias is used to map the IDs to their names. However, some of the results contain a -1 for the Target Alias. What would cause this behavior to occur?

<Authorization>
    <checkExecutionID>false</checkExecutionID>
    <executionUser/>
    <requestServer/>
    <targetAlias/>
    <scriptID>-1</scriptID>
    <checkScriptHash>false</checkScriptHash>
    <targetAliasID>-1</targetAliasID>
    <targetGroupID>19001</targetGroupID>
    <checkFilePath>false</checkFilePath>
    <checkPath>false</checkPath>
    <requestServerID>-1</requestServerID>
    <requestGroupID>23001</requestGroupID>
    <script/>
    <createTime>1664567540000</createTime>
    <createDate>Fri Sep 30 19:52:20 UTC 2022</createDate>
    <updateDate>Fri Sep 30 19:52:20 UTC 2022</updateDate>
    <extensionType/>
    <createUser>super</createUser>
    <updateTime>1664567540000</updateTime>
    <updateUser>super</updateUser>
    <hash>x4gOZmVwSEOWpM1n6RKLdXXZzms=</hash>
    <ID>5001</ID>
</Authorization>

Environment

Privileged Access Manager, all versions

Resolution

When an authorization mapping is created in the PAM GUI, the following screen will pop up. A mapping can be configured to either a Target Alias or Target Group, but not both.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=SafFFm//9/5MLZ8Mraybuw==

As such, PAM inserts a -1 for any item that is not configured. For example, if a mapping is configured to a Target Alias, the Target Group value will be -1. If the mapping is to a Target Group, then the Target Client will be -1. The same is true for Request Client vs Request Group. Going back to the example, targetAliasID was -1, but targetGroupID was 19001. This means the mapping was made to a target group rather than a target alias.

To search for a target group, the searchGroup CLI command would be used with the Group.type filter set to target. An example is below.

> capam_command capam=10.10.10.10 adminUserID=super cmdName=searchGroup Group.type=target
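For a script that audits A2A mappings, the -1 rule above can be applied per record before any name lookup is attempted. The following is an added example, not code from the article or from Broadcom: the `<Authorizations>` wrapper element, the second record and the function names are constructed for illustration, and only the element names and the first record's IDs are taken from the output shown above.

```python
import xml.etree.ElementTree as ET

UNSET = "-1"  # PAM writes -1 for the side of a mapping that is not configured

# Constructed sample: record 5001 reuses the IDs from the article's output,
# record 5002 is made up. The <Authorizations> wrapper is hypothetical.
SAMPLE = """<Authorizations>
  <Authorization>
    <ID>5001</ID>
    <targetAliasID>-1</targetAliasID>
    <targetGroupID>19001</targetGroupID>
    <requestServerID>-1</requestServerID>
    <requestGroupID>23001</requestGroupID>
  </Authorization>
  <Authorization>
    <ID>5002</ID>
    <targetAliasID>7001</targetAliasID>
    <targetGroupID>-1</targetGroupID>
    <requestServerID>3001</requestServerID>
    <requestGroupID>-1</requestGroupID>
  </Authorization>
</Authorizations>"""


def pick(auth, single_tag, group_tag):
    """Return (tag, id) for whichever of the two fields is configured."""
    # A missing or empty element is treated the same as -1.
    single = (auth.findtext(single_tag) or UNSET).strip()
    group = (auth.findtext(group_tag) or UNSET).strip()
    if (single == UNSET) == (group == UNSET):
        return (None, None)  # both set or both -1: do not guess, review manually
    return (single_tag, single) if single != UNSET else (group_tag, group)


def classify(xml_text):
    """Map each authorization ID to the field that binds its target and request side."""
    result = {}
    for auth in ET.fromstring(xml_text).iter("Authorization"):
        result[auth.findtext("ID")] = {
            "target": pick(auth, "targetAliasID", "targetGroupID"),
            "request": pick(auth, "requestServerID", "requestGroupID"),
        }
    return result


if __name__ == "__main__":
    # Target lookups named in the article: searchTargetAlias for targetAliasID,
    # searchGroup with Group.type=target for targetGroupID.
    for auth_id, sides in classify(SAMPLE).items():
        print(auth_id, sides)
```

A `(None, None)` result marks a record where both fields are set or both are -1, which the either/or rule does not cover and which should be checked in the GUI rather than resolved automatically.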

 

Additional Information

For more information about the searchGroup command: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-1/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/searchgroup.html