PAM API Key Has Access to More Users/Devices Than Configured

Article ID: 262048

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

An API key has been configured to have access to select user or device groups, but when a user- or device-related GET API call is made with it, the key can view all users or devices.

Environment

Privileged Access Manager, all releases as of March 2023

Cause

The user with which the API key is associated is a member of a group that has access to all users/devices. The API key inherits roles from a user group the same way that a user does.

Resolution

There is currently no functionality to limit which roles an API key inherits from a user group. As a workaround, remove the user from the user group and grant all roles at the user level.
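
The following is an added example, not code from the vendor or from PAM itself. It audits a constructed inventory for API keys whose owner's group memberships widen the key beyond its configured scope, then models the workaround above. The inventory layout, all names in it, and the `*` marker for "all users/devices" are assumptions and do not reflect PAM's schema or API.

```python
import copy

ALL = "*"  # constructed marker meaning "all users/devices"

# Constructed inventory; names and fields are illustrative, not PAM's schema.
INVENTORY = {
    "groups": {
        "ops-all": [("view-everything", {ALL})],
        "linux-team": [("linux-operator", {"linux-servers"})],
    },
    "users": {"svc-report": {"groups": ["ops-all", "linux-team"], "roles": []}},
    "api_keys": {"report-key": {"owner": "svc-report", "scope": {"linux-servers"}}},
}

def audit(inv):
    """Return {key: [(group, role, extra_targets)]} for group roles that widen a key."""
    findings = {}
    for key, cfg in inv["api_keys"].items():
        owner = inv["users"][cfg["owner"]]
        for group in owner["groups"]:
            for role, targets in inv["groups"][group]:
                # The key inherits this group role exactly as its owner does.
                extra = targets - cfg["scope"]
                if extra:
                    findings.setdefault(key, []).append((group, role, sorted(extra)))
    return findings

def apply_workaround(inv, findings):
    """Remove owners from the widening groups and re-grant roles at the user level.

    Assumption: roles held at the user level are not inherited by the key,
    which is what the article's workaround relies on.
    """
    fixed = copy.deepcopy(inv)
    for key, hits in findings.items():
        user = fixed["users"][fixed["api_keys"][key]["owner"]]
        for group in {g for g, _, _ in hits}:
            if group in user["groups"]:
                user["groups"].remove(group)
                user["roles"].extend(fixed["groups"][group])
    return fixed

if __name__ == "__main__":
    found = audit(INVENTORY)
    print("before:", found)
    print("after: ", audit(apply_workaround(INVENTORY, found)))
```
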