All applications are visible in access page


Article ID: 7016

Products

CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)

Issue/Introduction

We have defined the following setup in PAM:

* A role called TestSysAdmin2 in Users-->Roles which only has accessAll and credentialsManage. The reason for this is to be able to access the Access page when logging in and, of course, so that the user has the necessary rights to manage passwords.
* In Password Management, a User Group called TestSysadm. This group contains the SysAdmin role.

We have created a user called testuser. To this user we have assigned the TestSysAdmin2 role, and we have also assigned it to the TestSysadm Password Management group.

This user, testuser, does NOT have any Policy assigned on ANY of the devices managed by the PAM appliance.

The problem occurs whenever logging in to the PAM appliance as user testuser.

The expected result would be that we should not see ANY device in the Access page, since the testuser user does not have any policy assigned to any of the devices in the appliance.

However, what happens is that user testuser sees in the Access page ALL the devices defined in the PAM appliance which have applications defined, and for each endpoint and application the user sees all the users defined to access it, but not the passwords.

Environment

Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
Component:

Resolution

This is working as designed. The user can see any password they want on the credential management side (because of the Sysadmin role), so as a convenience the same passwords are also shown on the Access page. This is part of the intelligent password matching feature. In this setup it is the role's password management rights, not a device policy, that grant the access: testuser can view any password from the Access side as well, simply by clicking on any of the users in the View Passwords items that are shown.

If a user who has no policy assigned to any device in the appliance should see NO device in the Access page, one option is to create a Target Group (Dynamic) and then filter on its attributes.