The "/api.php/v1/passwords/userGroups.json" Rest API call returns Credential Manager user groups. With PAM 4.1 this includes internal groups created for secrets vaults. But the UI (Credentials > Manage Credential Groups > Credential Groups) does NOT show them. The "/cspm/ext/rest/passwordManagementGroups" Rest API call returns target groups. This call does NOT show the corresponding internal target groups for vaults, consistent with the UI. However, when we run the userGroups.json call with extendedValues=true, we get IDs for the internal target groups, and the "/cspm/ext/rest/passwordManagementGroups/{id}" call does return details of the internal target group. This is very confusing to us. We use these calls to help us understand which users/user groups have access to which set of managed accounts, and potentially delete groups that no longer are in use. Our preference would be to have the API calls consistent with the UI and not show any of the internal objects that we have no control over and no need to see.

Privileged Access Manager 4.1.1

The problem actually is not with the passwordManagementGroups API call, but with the userGroups call, which incorrectly includes internal PAM groups.

The issue is resolved as DE547290 in the 4.1.2 release. With the fix, API calls consistently will filter out internal CM groups used for Secrets Management.

The fix also is included in the 4.1.1.03 published cumulative patch for the 4.1.1 release, see DE547290 in the 4.1.1.03 Hotfix documentation. The cumulative patch is available on the PAM Solutions & Patches page.

Resolved Issues in 4.1.2: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-5/release-information/resolved-issues-in-earlier-4-x-releases/Resolved-Issues-in-4-1-2.html