When there are two or more target applications defined for a device, where the first one created has a name that is a substring of another target application name, then an attempt to delete the first application with Rest API call "DELETE /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}" will NOT delete the target application with the ID provided in the call, but the newest target application whose name contains the name of the target app to be deleted.

E.g. create a target application for the device with ID 35001 using the Rest API "POST /api.php/v1/devices.json/35001/targetApplications" with body:

{
    "applicationName":"APITestApp"
}

This returns the ID of the new target application, e.g. 10001.

Create a second target application with a name that includes the first name, like "APITestApp-2" or "newAPITestApp". This will return a new ID, say 11001.

Now try to delete the first one by ID using Rest API call "DELETE /api.php/v1/devices.json/35001/targetApplications/10001". PAM in fact will delete the second application created, with ID 11001, instead of the one with the ID (10001) used in the call. 

Releases : 4.0-4.1.1

There was a bug in the Rest API code processing the application deletion.

This problem was fixed as DE553100 in the 4.1.2 release.

Resolved Issues in 4.1.2: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-5/release-information/resolved-issues-in-earlier-4-x-releases/Resolved-Issues-in-4-1-2.html