Transparent login configuration lost on policy update

Article ID: 268748

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We've had this problem ever since the upgrade to PAM 3.0. When we update a policy that has transparent login configured, this configuration is lost. E.g. a policy between a user and a Linux host shows transparent login configured with a specific account, and when we go to Policies > Manage Policies we see a green checkmark in the Transparent Login column. We edit the policy, go to the Password tab and add a target account for password view. After saving the policy the transparent login configuration is gone. No checkmark in the Transparent Login column, and when we edit the policy again there is no account configured under the Transparent Login tab.

Environment

Release: Any release below 4.1.5

Cause

This affected environments with more than 10k target accounts. To save the policy, the PAM UI needed to retrieve details of the account configured for transparent login (TL). It did that with a call that listed only the first 10k accounts. If the account was not in that list, the TL configuration was lost when the policy was saved. Once the number of target accounts exceeds 10k, the problem affects all policies that use newer target accounts, which are typically the ones that need updates.
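The failure mode described above, as an added example that is not PAM code: a constructed Python model in which a save routine resolves the transparent login account against a capped listing, next to a variant that pages through every account and refuses to save on a miss. All function names, field names and data are hypothetical.

```python
# Constructed model of the failure mode; not CA PAM code. All names are hypothetical.
LIST_CAP = 10_000  # the listing call returned only the first 10k accounts

# Constructed data: 10,500 target accounts with IDs 1..10500.
ACCOUNTS = {i: {"id": i, "name": f"acct{i}"} for i in range(1, 10_501)}


def list_accounts(limit=LIST_CAP):
    """Capped listing: silently truncates at `limit`."""
    return [ACCOUNTS[i] for i in sorted(ACCOUNTS)[:limit]]


def list_accounts_paged(page_size=1000):
    """Walk every page so that no account is skipped."""
    ids = sorted(ACCOUNTS)
    for start in range(0, len(ids), page_size):
        yield from (ACCOUNTS[i] for i in ids[start:start + page_size])


def save_policy_lossy(policy, changes):
    """Models the defect: an unresolved TL account is dropped on save."""
    known = {a["id"] for a in list_accounts()}
    saved = {**policy, **changes}
    if saved.get("tl_account_id") not in known:
        saved["tl_account_id"] = None  # transparent login silently lost
    return saved


def save_policy_safe(policy, changes):
    """Resolve against the full account set and refuse to save on a miss."""
    known = {a["id"] for a in list_accounts_paged()}
    saved = {**policy, **changes}
    tl = saved.get("tl_account_id")
    if tl is not None and tl not in known:
        raise LookupError(f"TL account {tl} not found; policy not saved")
    return saved


def lost_tl(before, after):
    """Post-save check: did the update clear an existing TL account?"""
    return (before.get("tl_account_id") is not None
            and after.get("tl_account_id") is None)
```

A before/after comparison like `lost_tl` is also a cheap audit to run after bulk policy edits on an affected release, since a dropped TL setting produces no error at save time.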

Resolution

As a workaround, the TL configuration can be restored using REST API calls to update the policy. This requires multiple calls: first to get the ID of the target account, and then to use that ID in the policy update.

The problem will be fixed in 4.1.5 and newer releases. If you have this problem and cannot wait for an upgrade to 4.1.5+, please open a case with PAM Support.