PAM SC policies remain in the queued state when assigned to different endpoints under Server Control Policies in PAM
On the endpoints to which the policies have been assigned, the contents of policyfetcher.log indicate that seosd is unable to locate any policy in the DH running under the Utility Appliance.
However, modifying the database setting with
update uag.configuration_f set value=0 where name='hide_pamsc_accounts';
which makes the policy and policy deployment objects visible in the Target Accounts page, shows that the credential management objects are created for the endpoints where the policy should be applied. Namely, all the assignments, unassignments, etc. are visible in the deployment object.
However, when the policies and deployments in the DH are checked from the endpoints by running
host DH__@<UTA_IP_ADDRESS>
and then
sr POLICY *
no policies are listed that correspond to the ones queued for the node.
CA PAM Version: 4.3.0
Utility Appliance: 2.1.0.61
Likely all versions of the Utility Appliance are affected.
Whenever a policy is created, an object is added to the internal target account objects in the PAM database. When a policy is deployed to or undeployed from an endpoint, or any other operation is performed with it, the corresponding deployment object is updated and the policy is posted to the DH for the corresponding endpoint to pull via policyfetcher. The policyorchestrator process in the Utility Appliance is responsible for this step.
A condition may arise when a policy has been undeployed and, while the deployment object representing an endpoint is being updated with the change in the assigned policy, the policy is deleted. That causes an inconsistency in the policyorchestrator operation, and as a result the policies show as queued indefinitely.
A fix has been created for Utility Appliance 2.1.0.61, and this change will be included in future releases of the Utility Appliance.
Please open a case with Broadcom Support if you are experiencing the same issue on a different version of the Utility Appliance and need the fix ported.