We are unable to delete a device that we no longer use in PAM. When we try to delete it, we get the error message "PAM-UI-1502: Device xxx not deleted as it is currently in use by other accounts". When we try to delete the target account configured for this device, we get the error "PAM-UI-1003: Delete account failed. Target account in use by other accounts.". We are not aware of this account being used to manage any other account. How can we find out which other account uses it so we can fix the problem and get the device deleted?
Privileged Access Manager, all versions
PAM correctly blocked deletion of the account, because it was (incorrectly) configured to update the password of another account belonging to a different device.
There is no direct way to see which accounts may be linked to an account you are trying to delete. For a PAM implementation with a very large number of target accounts, it can be challenging to identify the misconfigured accounts.
If you are using, or can use, the remote CLI, you can use the searchTargetAccount command to first get the ID of the account you are trying to delete. Let's say we have this problem when trying to delete the account "root" associated with target application "RHEL7-UNIX-App":
./capam_command -n pamhost.example.com -u super -p superpassword cmdName=searchTargetAccount TargetAccount.userName='root' TargetApplication.name='RHEL7-UNIX-App'
<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><TargetAccount>
...
<ID>38001</ID></TargetAccount></cr.result></CommandResult>
From this output we know that this "root" account has ID 38001.
Now we want to look for any accounts that may have this account configured as "otherAccount". For this we run the searchTargetAccount command again, but without any filter, and direct the output to a file:
./capam_command -n pamhost.example.com -u super -p superpassword cmdName=searchTargetAccount > searchTargetAccount.out
Open the file searchTargetAccount.out in a text editor and look for the string "<Attribute.otherAccount>38001</Attribute.otherAccount>". In our example we find one occurrence of this string, and within this "TargetAccount" entry, we find the ID of the account:
...
<TargetAccount>...<Attribute.otherAccount>38001</Attribute.otherAccount>...<ID>44001</ID></TargetAccount>...
Now we know that the account with ID 44001 is, incorrectly, configured to be updated by our account with ID 38001. We can use the listTargetAccounts command to see the account name (<un>), target application name (<na>), device name (<dn>) and address (<hn>) for the account with ID 44001:
./capam_command -n pamhost.example.com -u super -p superpassword cmdName=listTargetAccounts TargetAccount.ID=44001
<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>400</cr.statusCode><cr.statusDescription>Success.</cr.statusDescription><cr.result><c.cw.m.tacs><ts.id>10001</ts.id><ta.id>20001</ta.id><bm.id>44001</bm.id><hn>RHEL7-Device</hn><dn>RHEL7-Device</dn><di>29001</di><na>RHEL7-UNIX-App</na><ty>unixII</ty><un>remotecliaccount</un><um>true</um><as>false</as><cat>false</cat><pv>false</pv><cou>0</cou><cid></cid><autoConnectEnabled>true</autoConnectEnabled><tapcd>null</tapcd><tapma>0</tapma><taped>null</taped><tapcac>false</tapcac><tapcpn>null</tapcpn><uoid>-1</uoid><uoname>null</uoname><ag>false</ag><pvp>1000</pvp><pr>SSH2_PASSWORD_AUTH</pr></c.cw.m.tacs></cr.result></CommandResult>
This will allow us to find the target account in the PAM UI. We can now fix the "otherAccount" assignment for this account and delete the account we wanted to delete, in our example the "root" account associated with target application "RHEL7-UNIX-App". Then we can proceed with device deletion, if desired.
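For a large deployment, the manual search of searchTargetAccount.out described above can be scripted. The following is an added example, not part of the original article or a Broadcom tool; it assumes the output layout shown in the excerpts (one <TargetAccount> element per account, containing <ID> and optionally <Attribute.otherAccount>), and the function names are hypothetical. It goes one step further than the text by building the reverse map for every account, not only 38001.

```python
import re
import sys
from collections import defaultdict

# Assumed layout, taken from the article's excerpts: each account is one
# <TargetAccount>...</TargetAccount> element that contains <ID> and, when the
# account is updated by another account, <Attribute.otherAccount>.
ACCOUNT_RE = re.compile(r"<TargetAccount>(.*?)</TargetAccount>", re.S)
OTHER_RE = re.compile(
    r"<Attribute\.otherAccount>\s*(\d+)\s*</Attribute\.otherAccount>")
ID_RE = re.compile(r"<ID>\s*(\d+)\s*</ID>")


def build_dependency_map(output):
    """Map each referenced account ID to the IDs of the accounts naming it."""
    deps = defaultdict(list)
    for block in ACCOUNT_RE.finditer(output):
        body = block.group(1)
        other = OTHER_RE.search(body)
        ids = ID_RE.findall(body)
        if other and ids:
            # In the excerpts <ID> is the last element of the entry.
            deps[other.group(1)].append(ids[-1])
    return dict(deps)


def dependents_of(output, account_id):
    """Return the IDs of accounts that have account_id as otherAccount."""
    return build_dependency_map(output).get(str(account_id), [])


# Constructed sample, not real PAM output; "..." stands for elided elements.
SAMPLE = (
    "<CommandResult><cr.result>"
    "<TargetAccount>...<ID>38001</ID></TargetAccount>"
    "<TargetAccount>...<Attribute.otherAccount>38001</Attribute.otherAccount>"
    "...<ID>44001</ID></TargetAccount>"
    "<TargetAccount>...<Attribute.otherAccount>50001</Attribute.otherAccount>"
    "...<ID>51001</ID></TargetAccount>"
    "</cr.result></CommandResult>"
)

if __name__ == "__main__":
    # Usage: python find_dependents.py searchTargetAccount.out 38001
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text, target = fh.read(), sys.argv[2]
    else:
        text, target = SAMPLE, "38001"
    for dep in dependents_of(text, target):
        print(f"account {dep} has otherAccount={target}")
```

Each ID it prints can then be passed to listTargetAccounts as TargetAccount.ID, as shown above.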
If you can't find the conflicting account from the PAM UI, and have problems using the remote CLI, open a case with PAM Support to have them assist you in resolving the problem.