Failed to create a correct policy using API Doc, the account for the Transparent login transaction is not displayed


Article ID: 377858


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When a policy is created using the PAM APIDOC (POST /api.php/v1/policies.json/{userOrGroupId}/{deviceOrGroupId}), the Transparent Login ID account is not shown as assigned, even though the API returns a success return code of 200 for the request below:

Request Body of the API 

{
    "accessMethods":[{"accessMethodId":1944001,"accountIds":[2828002]}],
    "accountId":null,
    "bidirectionCLIRecording":null,
    "cliRecording":null,
    "commandFilterList":null,
    "enableServerControlLogin":null,
    "graphicalRecording":"t",
    "hasExtendedTimeout":null,
    "services":[{"serviceId":36001, "accountIds":[2828002]}],
    "ssoWindows": [{"winId":"11001","winTitle":"Sign in to your account - Profile 1 - Microsoft​ Edgee","credentialId":[2828002]}],
    "socketFilterList":"3001",
    "socketFilterRestrictLogin":null,
    "targetAccounts":null,
    "transparentLogin":"t",
    "violationRecording":"t",
    "vpnServices":null,
    "webPortalRecording":null
}

Response Body for the API request above: the response returns a success return code of 200, but when the created policy is validated in the Privileged Access Manager (PAM) UI, the account that was used for transparent login is not displayed correctly ("0" is shown for Transparent Login Account and "Credential" is not populated).

Cause

Syntax issue in the related APIDOC documentation

In the API doc explanation of POST /api.php/v1/policies.json/{userOrGroupId}/{deviceOrGroupId}, the closing brackets of the services attribute are placed incorrectly with respect to ssoWindows, which leads to the issue.

Resolution

The error is resolved if, in the Request Body, services encompasses the parameters related to services followed by ssoWindows, so that ssoWindows is nested inside the services entry. In this way the privileged account can be included in the policy, as shown in the following Request Body:

{
    "accessMethods":[{"accessMethodId":3343001,"accountIds":[473001]}],
    "accountId":null,
    "bidirectionCLIRecording":null,
    "cliRecording":null,
    "commandFilterList":null,
    "enableServerControlLogin":null,
    "graphicalRecording":"t",
    "hasExtendedTimeout":null,
    "services":[
        {
            "serviceId":"36001",
            "accountIds":[473001],
            "ssoWindows":[
                {"winId":"11001","winTitle":"Sign in to your account - Profile 1 - Microsoft​ Edgee","credentials":[473001]}
            ]
        }
    ],
    "socketFilterList":"3001",
    "socketFilterRestrictLogin":null,
    "targetAccounts":null,
    "transparentLogin":"t",
    "violationRecording":"t",
    "vpnServices":null,
    "webPortalRecording":null
}
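
A pre-flight check for the request body, added here as an example (not Broadcom's code and not part of the original article): since the API returns 200 for the misplaced form, the function flags a top-level ssoWindows and confirms that each services entry carries nested ssoWindows with credentials. The function name, the trimmed sample bodies, and the rule that credentials should also appear in the service's accountIds are assumptions modelled on the working Request Body.

```python
import json

def check_policy_body(body: dict) -> list[str]:
    """Return shape problems; an empty list means the body matches the working layout."""
    problems = []
    # Failing layout from the article: ssoWindows as a sibling of services.
    if "ssoWindows" in body:
        problems.append("ssoWindows is at the top level; nest it inside a services entry")
    if body.get("transparentLogin") != "t":
        return problems  # nothing further to verify without transparent login
    services = body.get("services") or []
    if not services:
        problems.append("transparentLogin is 't' but services is empty")
    for i, svc in enumerate(services):
        windows = svc.get("ssoWindows") or []
        if not windows:
            problems.append(f"services[{i}] has no nested ssoWindows")
        for j, win in enumerate(windows):
            creds = win.get("credentials") or []
            if not creds:
                problems.append(f"services[{i}].ssoWindows[{j}] has no credentials")
            # Assumption: a window credential should be one of the service's accounts,
            # as in the article's working body.
            extra = sorted(set(creds) - set(svc.get("accountIds") or []))
            if extra:
                problems.append(f"services[{i}].ssoWindows[{j}] credentials {extra} not in accountIds")
    return problems

# Sample bodies trimmed from the article to the fields the check reads.
FAILING = json.loads("""{
  "services": [{"serviceId": 36001, "accountIds": [2828002]}],
  "ssoWindows": [{"winId": "11001", "credentialId": [2828002]}],
  "transparentLogin": "t"
}""")
WORKING = json.loads("""{
  "services": [{"serviceId": "36001", "accountIds": [473001],
                "ssoWindows": [{"winId": "11001", "credentials": [473001]}]}],
  "transparentLogin": "t"
}""")

if __name__ == "__main__":
    for name, body in (("failing", FAILING), ("working", WORKING)):
        print(name, check_policy_body(body) or "OK")
```

Run it against the body before sending the POST; a 200 response alone does not confirm that the transparent login account was attached.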