We use an Ansible script to onboard new devices into PAM. The device is added to a device group for which access policies are already defined. We use the "GET /cspm/ext/rest/devices/{id}/policies" REST API call to verify that the new device has policies associated with it. This used to work, but started breaking recently. Now this call returns the following error, which causes us to abort the onboarding.
"PAM-CM-0039: Unable to perform the operation. Please contact System Administrator."
Affected Releases: 4.0.0-4.0.3, 4.1.0, 4.1.1
The problem started when a target account that was used in one of the policies for the device group was deleted, more specifically an account that was assigned to a service for auto-login in the access policy. The ID of the target account was left behind in a database table linking services to target accounts, and the error occurred when the policies REST API call tried to get details for the account.
The issue is resolved as DE547384 in the 4.1.2 release. Please upgrade to the newest release to resolve the issue.