PAM API Key Has Access to More Users/Devices Than Configured

Article ID: 262048

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

An API key has been configured with access to selected user or device groups only, but a user- or device-related GET API call made with that key returns all users or devices.

Environment

Privileged Access Manager releases 4.1.5 and below

Cause

The user with which the API key is associated is a member of a group that has access to all users/devices. In these releases you can edit an API key definition to reduce its External API privileges by removing roles that were directly assigned to the user account, but you cannot remove roles inherited from user groups of which the user is a member.

Resolution

Release 4.1.6 introduced an enhancement that allows you to reduce API key privileges by removing roles inherited from user groups of which the user is a member. See the following item on the New Features in 4.1.6 page:

Restrict API Key Role Group Inheritance for External API Users
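
The inheritance described under Cause can be modeled as a small audit that lists which grant gives a key more reach than intended. This is an added example, not code from the product or its documentation: the data layout and all role, group and key names are constructed, and the script does not call the PAM External API.

```python
"""Audit sketch: find API keys whose reach exceeds their intended target groups."""

ALL = "*"  # marker meaning "every user/device group"

# Constructed sample data. Role, group and key names are hypothetical.
GROUP_ROLES = {  # user group -> {role: target groups the role can view}
    "ops-admins": {"all-access-role": {ALL}},
    "db-team": {"device-reader": {"db-servers"}},
}
API_KEYS = [
    {"name": "inventory-sync", "member_of": ["ops-admins"],
     "direct_roles": {"device-reader": {"web-servers"}},
     "intended": {"web-servers"}},
    {"name": "db-report", "member_of": ["db-team"],
     "direct_roles": {},
     "intended": {"db-servers"}},
]

def effective_scope(key, drop_inherited=frozenset()):
    """Return {target_group: [grant source, ...]} for everything the key can view.

    drop_inherited holds (group, role) pairs removed from the key, which the
    article says is only possible from release 4.1.6 onwards.
    """
    scope = {}
    for role, targets in key["direct_roles"].items():
        for t in targets:
            scope.setdefault(t, []).append(f"direct:{role}")
    for group in key["member_of"]:
        for role, targets in GROUP_ROLES.get(group, {}).items():
            if (group, role) in drop_inherited:
                continue  # inherited role explicitly removed from this key
            for t in targets:
                scope.setdefault(t, []).append(f"inherited:{group}/{role}")
    return scope

def excess_access(key, drop_inherited=frozenset()):
    """Return only the grants that reach beyond the key's intended groups."""
    scope = effective_scope(key, drop_inherited)
    return {t: src for t, src in scope.items() if t not in key["intended"]}

def audit(keys):
    """Map each over-privileged key name to its excess grants."""
    return {k["name"]: ex for k in keys if (ex := excess_access(k))}

if __name__ == "__main__":
    for name, excess in audit(API_KEYS).items():
        print(name, "->", excess)
```

With the sample data, only `inventory-sync` is flagged, and the source of the excess is the role inherited from its owner's group rather than any directly assigned role.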