CA PAM has a series of preexisting reports available, but sometimes a report is needed that the existing ones do not cover.
This article covers how to generate a report of all the target accounts associated with each CA PAM user on each device, and which target accounts that user can view.
CA PAM, all versions up to the present one
Here we need to link two types of objects: users in PAM and target accounts, which are in turn associated with target applications, and each target application corresponds to a given target server or device.
This correspondence is established through a policy. PAM has a complete API, but this type of query can become rather cumbersome, as there is no direct way to obtain this data.
However, the policy objects do precisely that: they associate users with devices, and on each device they may associate target accounts with it, or a target account may be associated with a given user and application for viewing its password.
So one can simply export the policy objects to CSV and retrieve the information from the resulting file. In the export there will be entries like the following:
tap = <target_app>
tac = <target_account>
So whatever comes after tac is a target account, and whatever appears after tap is a target application.
The entries under Applet correspond to target accounts or target applications assigned to the corresponding RDP, SSH or VNC applet, whereas the entries under Targets represent the target accounts defined for viewing their password for the policy. The entries under Services correspond to target accounts and applications associated with a service defined for a machine.
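One way to turn the exported file into the per-user report described above, as an added example that is not part of the original article or of CA PAM itself. The column names User and Device, the layout of several tap/tac entries inside one cell, and the sample rows are assumptions; adjust them to match the actual export.

```python
import csv
import io
import re

# Matches the "tap = <target_app>" / "tac = <target_account>" entries of the export.
# Assumption: values contain no whitespace and no ; , | separators.
ENTRY = re.compile(r"\b(tap|tac)\s*=\s*([^\s;,|]+)")

# Sections named in the article. "User" and "Device" below are hypothetical
# column names for the two sides the policy links.
SECTIONS = ("Applet", "Targets", "Services")


def parse_cell(cell):
    """Return (target_application, target_account) pairs found in one cell."""
    pairs, app = [], None
    for kind, value in ENTRY.findall(cell or ""):
        if kind == "tap":
            app = value                  # applies to the accounts that follow
        else:
            pairs.append((app, value))   # app stays None if no tap preceded it
    return pairs


def build_report(csv_text):
    """Return one row per user, device, section and target account."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        for section in SECTIONS:
            for app, account in parse_cell(rec.get(section)):
                rows.append({
                    "user": rec["User"], "device": rec["Device"],
                    "application": app, "account": account,
                    # Targets entries are the accounts defined for password viewing
                    "can_view_password": section == "Targets",
                    "via": section,
                })
    return rows


# Constructed sample export, not real PAM output.
SAMPLE = """User,Device,Applet,Targets,Services
alice,srv-db01,tap = ssh-app tac = oracle,tap = ssh-app tac = root,
bob,srv-web01,tap = rdp-app tac = svc_admin,,tap = web-app tac = deploy
"""

if __name__ == "__main__":
    for row in build_report(SAMPLE):
        print(row)
```

Sorting or filtering the returned rows on can_view_password gives a quick list of which users can view which target account passwords on which device.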