Ansible code failing with PAM-CM-0039 error on REST API GET policies call

Article ID: 253971

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We use an Ansible script to onboard new devices into PAM. The device is added to a device group, for which access policies are defined already. We use the "GET /cspm/ext/rest/devices/{id}/policies" REST API call to verify that the new device has policies associated with it. This used to work, but started breaking recently. Now this call returns with the following error, which causes us to abort the onboarding.

"PAM-CM-0039: Unable to perform the operation. Please contact System Administrator."

 

Environment

Affected Releases: 4.0.0-4.0.3, 4.1.0, 4.1.1

Cause

The problem started when a target account used in one of the policies for the device group was deleted, more specifically an account that was assigned to a service for auto-login in the access policy. The ID of the deleted target account was left behind in a database table linking services to target accounts, and the error occurred when the policies REST API call tried to get details for that account.
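
An added example, not part of the original article or of the product: a Python helper that an onboarding script could call to tell the PAM-CM-0039 failure apart from a device that genuinely has no policies. The response body shapes, the HTTP statuses and the function name are assumptions; only the endpoint, the error text and the defect ID come from this article.

```python
import json
import re

# PAM error codes as they appear in the article's error text, e.g. "PAM-CM-0039".
PAM_ERROR = re.compile(r"\bPAM-[A-Z]+-\d{4}\b")


def classify_policies_response(status, body):
    """Classify the reply to GET /cspm/ext/rest/devices/{id}/policies.

    Returns (verdict, detail); verdict is one of 'has_policies',
    'no_policies', 'stale_account_defect', 'pam_error', 'unparseable'.
    """
    match = PAM_ERROR.search(body or "")
    if match:
        code = match.group(0)
        if code == "PAM-CM-0039":
            # Per the article: a deleted target account is still referenced by
            # a service in an access policy, so the lookup fails server-side.
            # This says nothing about whether the new device has policies.
            return ("stale_account_defect",
                    "PAM-CM-0039: look for a deleted auto-login target account "
                    "in the device group's policies (defect DE547384)")
        return ("pam_error", code)
    if status != 200:
        return ("pam_error", f"HTTP {status}")
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return ("unparseable", "body is not JSON")
    # Assumption: policies arrive as a JSON array, or an object wrapping one.
    if isinstance(data, dict):
        data = next((v for v in data.values() if isinstance(v, list)), None)
    if not isinstance(data, list):
        return ("unparseable", "no policy list in body")
    if data:
        return ("has_policies", f"{len(data)} policies")
    return ("no_policies", "0 policies")


if __name__ == "__main__":
    # Constructed sample replies; field names and statuses are illustrative.
    samples = [
        (500, '{"error": "PAM-CM-0039: Unable to perform the operation. '
              'Please contact System Administrator."}'),
        (200, '[{"policyId": 1001}]'),
        (200, "[]"),
    ]
    for status, body in samples:
        print(status, classify_policies_response(status, body))
```

Treating `stale_account_defect` as a distinct outcome lets the automation report the real cause instead of aborting as if the device had been onboarded without policies.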

Resolution

As of November 9, 2022, a hotfix is available for 4.0.1. The internal defect ID is DE547384 and you should find this ID in the release notes of the first maintenance releases that include the fix. If you experience this problem and need a solution, please open a case with PAM Support.