search cancel

/cspm/ext/rest/passwordManagementGroups missing vault related target groups.

book

Article ID: 255093

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The "/api.php/v1/passwords/userGroups.json" Rest API call returns Credential Manager user groups. With PAM 4.1 this includes internal groups created for secrets vaults. But the UI (Credentials > Manage Credential Groups > Credential Groups) does NOT show them. The "/cspm/ext/rest/passwordManagementGroups" Rest API call returns target groups. This call does NOT show the corresponding internal target groups for vaults, consistent with the UI. However, when we run the userGroups.json call with extendedValues=true, we get IDs for the internal target groups, and the "/cspm/ext/rest/passwordManagementGroups/{id}" call does return details of the internal target group. This is very confusing to us. We use these calls to help us understand which users/user groups have access to which set of managed accounts, and potentially delete groups that no longer are in use. Our preference would be to have the API calls consistent with the UI and not show any of the internal objects that we have no control over and no need to see.

Environment

Release : 4.1

Cause

The problem actually is not with the passwordManagementGroups API call, but with the userGroups call, which incorrectly includes internal PAM groups.

Resolution

This will be fixed in 4.1.2 and the next main release 4.2. With the fix API calls consistently will filter out internal CM groups used for Secrets Management. The fix also is included in the 4.1.1.03 published cumulative patch for the 4.1.1 release, see item 2 in the 4.1.1.03 Hotfix documentation. The cumulative patch is available on the PAM Solutions & Patches page.