Creating Access Policies with RDP transparent logon using Rest API

Article ID: 385372

Updated On: 01-07-2025

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

You are trying to use the REST API to add access policies that include RDP transparent logon, with multiple accounts available for selection both for logging on to the RDP server and for access to the RDP application. You are looking for a sample body for the "POST /api.php/v1/policies.json/{userOrGroupId}/{deviceOrGroupId}" call.

Resolution

The following sample body creates a policy that offers three choices for the account used to log on to the RDP server ("accountIds"), three choices for transparent logon to the RDP application ("credentials"), and also adds direct password view on the access page for three accounts ("targetAccounts"). In this example the three lists contain the same account IDs, but they could be different. This policy also enables graphical session recording.

{
  "services": [
    {
      "serviceId": "15001",
      "name": "SQL Management Studio",
      "accountIds": ["2227001","44001","57001"],
      "ssoWindows": [
        {
          "winId": "1",
          "winTitle": "Connect To Server",
          "credentials": ["2227001","44001","57001"]
        }
      ]
    }
  ],
  "targetAccounts": ["2227001","44001","57001"],
  "graphicalRecording": "t",
  "transparentLogin": "t"
}

Additional Information

Target account IDs can be obtained from the REST API call "GET /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts" using the account name as a filter. The target application ID is retrieved using "GET /api.php/v1/devices.json/{id}/targetApplications" (filter on application name), and the device ID using "GET /api.php/v1/devices.json" (filter on device name).

The serviceId, winId and winTitle parameters can be obtained using the REST API call "GET /api.php/v1/services.json" with type "RDPApplication" and filtering by service name. Sample request URL:

https://<pam server>/api.php/v1/services.json?type=RDPApplication&sortBy=%2BserviceName&limit=0&searchRelationship=AND&fields=*&serviceName=SQL

Output from this command:

{
  "totalRows": "1",
  "services": [
    {
      "comments": "",
      "serviceName": "SQL Management Studio",
      "enabled": "t",
      "hideFromUser": "f",
      "serviceId": "15001",
      "launchPath": "\"C:\\Program Files (x86)\\Microsoft SQL Server Management Studio 19\\Common7\\IDE\\ssms.exe\"",
      "secssoEnabled": "t",
      "hashSum": "",
      "secssoWindows": [
        {
          "id": "1",
          "title": "Connect To Server",
          "rdpSession": "f",
          "ssoconfID": "2"
        }
      ]
    }
  ]
}

Note that the parameter names differ somewhat between the two resources (serviceName vs name, id vs winId, title vs winTitle), but they are easy to correlate. Running a "GET /api.php/v1/policies.json/{id}" call against an existing policy similar to the ones you are trying to create will show which parameter names the policies REST API resource uses.
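The field correlation described above can be scripted so the policy body is built from the services.json lookup rather than typed by hand. The following is an added example, not code from the article or the product: the function name build_policy_body and its checks are hypothetical, the embedded response is a trimmed copy of the sample output above, and no HTTP request is made.

```python
import json

# Constructed sample: trimmed copy of the services.json output shown above.
SERVICES_RESPONSE = json.loads(r'''
{"totalRows": "1", "services": [{"serviceName": "SQL Management Studio",
  "enabled": "t", "serviceId": "15001", "secssoEnabled": "t",
  "secssoWindows": [{"id": "1", "title": "Connect To Server",
                     "rdpSession": "f", "ssoconfID": "2"}]}]}
''')


def build_policy_body(services_response, service_name, logon_ids,
                      sso_ids, view_ids):
    """Map a services.json lookup result onto the policies.json body fields."""
    matches = [s for s in services_response.get("services", [])
               if s.get("serviceName") == service_name]
    # The sample filter (serviceName=SQL) is a partial match, so a lookup can
    # return several services. Require one exact name instead of guessing,
    # because the policy grants credentials on whichever service is chosen.
    if len(matches) != 1:
        raise ValueError(f"expected exactly one service named "
                         f"{service_name!r}, found {len(matches)}")
    svc = matches[0]
    if not svc.get("secssoWindows"):
        raise ValueError("service lists no transparent logon windows")
    # Hypothetical sanity check: IDs in the article are numeric strings.
    for ids in (logon_ids, sso_ids, view_ids):
        if not all(isinstance(i, str) and i.isdigit() for i in ids):
            raise ValueError(f"account IDs must be numeric strings: {ids!r}")
    return {
        "services": [{
            "serviceId": svc["serviceId"],
            "name": svc["serviceName"],        # serviceName -> name
            "accountIds": list(logon_ids),     # logon to the RDP server
            "ssoWindows": [{
                "winId": w["id"],              # id -> winId
                "winTitle": w["title"],        # title -> winTitle
                "credentials": list(sso_ids),  # logon to the RDP application
            } for w in svc["secssoWindows"]],
        }],
        "targetAccounts": list(view_ids),      # direct password view
        "graphicalRecording": "t",
        "transparentLogin": "t",
    }


if __name__ == "__main__":
    ids = ["2227001", "44001", "57001"]
    print(json.dumps(build_policy_body(
        SERVICES_RESPONSE, "SQL Management Studio", ids, ids, ids), indent=2))
```

Passing separate lists for logon_ids, sso_ids and view_ids keeps the password-view grant ("targetAccounts") independent of the logon choices, so it can be narrowed or left empty per policy.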