KB 249045 documents a programmatic way to get CM user group membership for a given PAM user. For auditing purposes we need to take this further and have a programmatic way to get the list of target accounts a user has access to through the Credential Manager user group(s) that the user is a member of.
Release: 4.1
The procedure from KB 249045 yields a list of CM user group IDs. To get the list of target accounts accessible by each group, two additional calls are required:
1) To get the target group(s) assigned to CM user groups, use the /api.php/v1/passwords/userGroups REST API resource with the parameter extendedValues=true:
Example:
https://<pamserver>/api.php/v1/passwords/userGroups.json?sortBy=%2Bname&pageNumber=1&pageSize=100&fields=*&extendedValues=true
The response will contain a list of CM user groups with details for each group, such as the following for the CM user group with ID=9001:
... { "name": "CM-TESTVAULTGROUP", "id": "9001", "description": "", "roleid": "6001", "groupids": "[10001]" }, ...
The "groupids" value is the list of target groups that are assigned to this CM user group (ID 9001). In the example above it is one target group with ID=10001. Note that it is returned as a string containing a JSON array ("[10001]"), not as a native JSON array, so a script must parse it before iterating over the IDs.
2) To get the list of accounts in each target group, use the /cspm/ext/rest/passwordManagementGroups/targetAccounts/{id} resource:
Example:
https://<pamserver>/cspm/ext/rest/passwordManagementGroups/targetAccounts/10001
Sample output:
{ "data": [ { "accountName": "testaccountvault1", "passwordVerified": false, "accountId": 80001, "accountType": "privileged", "deviceId": 110001, "applicationId": 26001, "applicationName": "APPLICATION-1", "applicationType": "Generic", "hostName": "VAULTDEVICE1", "deviceName": "VAULTDEVICE1" } ], "success": true, "total": 1, "message": null }
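The following script is an added example that chains the two calls above into one audit function; it is not code from this article or from the PAM product. It assumes that the list of CM user group IDs comes from the KB 249045 procedure, that the userGroups.json response is a JSON array of group objects (the article only shows one element of that list, so the envelope is an assumption; adjust target_groups_for_user_groups if your release wraps it), that a page with fewer than pageSize entries is the last page, and that authentication is supplied by the caller as request headers. The sample responses embedded in SAMPLE are constructed from the excerpts above so the script runs offline; swap sample_fetcher for http_fetcher(...) to run it against a real server.

```python
"""Resolve the target accounts a PAM user can reach through CM user groups."""
import json
import urllib.request
from typing import Any, Callable, Dict, Iterable, List

Fetcher = Callable[[str], Any]  # maps a path+query string to decoded JSON
USER_GROUPS_PATH = "/api.php/v1/passwords/userGroups.json"
TARGET_ACCOUNTS_PATH = "/cspm/ext/rest/passwordManagementGroups/targetAccounts/{id}"


def parse_groupids(value: Any) -> List[int]:
    """'groupids' is the string "[10001]" in the article's sample; also accept
    a real list or an empty/missing value."""
    if value is None or value == "":
        return []
    if isinstance(value, str):
        value = json.loads(value)
    return [int(v) for v in value]


def target_groups_for_user_groups(fetch: Fetcher, user_group_ids: Iterable[str],
                                  page_size: int = 100) -> Dict[str, List[int]]:
    """Step 1: page through userGroups.json with extendedValues=true and map each
    wanted CM user group ID to its assigned target group IDs (assumed envelope:
    a JSON array; assumed end of data: a short page)."""
    wanted = {str(g) for g in user_group_ids}
    result: Dict[str, List[int]] = {}
    page = 1
    while True:
        groups = fetch(f"{USER_GROUPS_PATH}?sortBy=%2Bname&pageNumber={page}"
                       f"&pageSize={page_size}&fields=*&extendedValues=true")
        for group in groups:
            if str(group.get("id")) in wanted:
                result[str(group["id"])] = parse_groupids(group.get("groupids"))
        if len(groups) < page_size:
            return result
        page += 1


def accounts_for_target_group(fetch: Fetcher, target_group_id: int) -> List[Dict[str, Any]]:
    """Step 2: list the accounts of one target group; fail loudly on
    success=false instead of silently auditing an empty list."""
    body = fetch(TARGET_ACCOUNTS_PATH.format(id=target_group_id))
    if not body.get("success"):
        raise RuntimeError(f"targetAccounts/{target_group_id}: {body.get('message')}")
    return body.get("data", [])


def accounts_for_user(fetch: Fetcher, user_group_ids: Iterable[str]) -> List[Dict[str, Any]]:
    """Both steps combined: an account reachable via several groups is listed
    once, with every (user group, target group) path that grants it."""
    by_account: Dict[int, Dict[str, Any]] = {}
    for ug_id, tg_ids in target_groups_for_user_groups(fetch, user_group_ids).items():
        for tg_id in tg_ids:
            for acct in accounts_for_target_group(fetch, tg_id):
                entry = by_account.setdefault(acct["accountId"], {
                    "accountId": acct["accountId"], "accountName": acct["accountName"],
                    "hostName": acct.get("hostName"),
                    "applicationName": acct.get("applicationName"), "grantedVia": []})
                entry["grantedVia"].append({"userGroupId": ug_id, "targetGroupId": tg_id})
    return sorted(by_account.values(), key=lambda a: a["accountId"])


def http_fetcher(base_url: str, headers: Dict[str, str]) -> Fetcher:
    """Fetcher for a real PAM server (not used offline). `headers` carries the
    deployment's authentication (assumption); TLS is verified by default."""
    def fetch(path: str) -> Any:
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


# Constructed sample responses shaped like the article's excerpts (not real PAM data).
_ACCOUNT_80001 = {"accountName": "testaccountvault1", "passwordVerified": False,
                  "accountId": 80001, "accountType": "privileged", "deviceId": 110001,
                  "applicationId": 26001, "applicationName": "APPLICATION-1",
                  "applicationType": "Generic", "hostName": "VAULTDEVICE1",
                  "deviceName": "VAULTDEVICE1"}
_ACCOUNT_80002 = dict(_ACCOUNT_80001, accountName="testaccountvault2", accountId=80002)
SAMPLE = {
    f"{USER_GROUPS_PATH}?sortBy=%2Bname&pageNumber=1&pageSize=100&fields=*&extendedValues=true": [
        {"name": "CM-TESTVAULTGROUP", "id": "9001", "description": "", "roleid": "6001", "groupids": "[10001]"},
        {"name": "CM-SECONDGROUP", "id": "9002", "description": "", "roleid": "6001", "groupids": "[10001, 10002]"},
        {"name": "CM-EMPTYGROUP", "id": "9003", "description": "", "roleid": "6001", "groupids": "[]"},
    ],
    TARGET_ACCOUNTS_PATH.format(id=10001): {"data": [_ACCOUNT_80001], "success": True, "total": 1, "message": None},
    TARGET_ACCOUNTS_PATH.format(id=10002): {"data": [_ACCOUNT_80001, _ACCOUNT_80002], "success": True, "total": 2, "message": None},
}


def sample_fetcher(path: str) -> Any:
    return SAMPLE[path]


if __name__ == "__main__":
    for a in accounts_for_user(sample_fetcher, ["9001", "9002"]):
        print(a["accountId"], a["accountName"], a["hostName"], a["grantedVia"])
```

Reporting each grant path rather than a flat account list is what an auditor usually needs: it shows which CM user group to remove when access turns out to be excessive, and an account that appears under several paths stays visible until every path is gone.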