search cancel

How to to administer PIM running in another trusted Windows Domain


Article ID: 8115


Updated On:


CA Privileged Access Manager - Server Control (PAMSC) CA Privileged Identity Management Endpoint (PIM)


In case of Trusted Windows Domain only, using XGID in the ACL of a TERMINAL resource is not allowing access of members of that group.

(This is not an issue for the local Windows Domain)


Using XGID reflecting a group of the trusted Windows Domain in the ACL of the TERMINAL ends in

"ERROR: You are not allowed to administer this site from terminal xyz"


Component: SEOSNT


Main root cause of the problem seen is that resolution of 'Logged on User' ACEE and 'Management User' ACEE is different in PIM.

While access of resources like FILE, which is using 'Logged on User' ACEE, the TERMINAL resource (selang) access is using 'Management User' ACEE.

Normally the XUID of the person accessing a resource can be enumerated automatically by PIM.
Hence it is possible to use XGID of which this XUID is member of in order to authorise access to such resource.

However due to design limitations in PIM identifiaction of 'Management User' ACEE cannot be performed for access of a XGID from a remote / trusted Windows Domain.
This limitation does not exist for the 'Management User' ACEE in the same Windows Domain.


Hence, to workaround this limitation it is necessary to PREDEFINE that user who connects to remote PIM database (as USER or XUSER) and authorise access to the relevant TERMINAL.

AC> authorize terminal myBox xuid(remoteDOM\administrator) access(all)

Now it is possible to access the seosdb on myBox from a remote selang
as user remoteDOM\administrator which is running on a PIM host in another Windows Domain.