We find these four user accounts on all our PAM servers. We do not find information about them in the PAM documentation, aside from CATapApiUser, which seems to be used for integration with Threat Analytics. But the documentation is concerned with a target account, not the user account itself. We can edit some of those users, but cannot save any changes, such as changing the email address. Is there a way to do that?

Affects any PAM release as of February 2023

These are internal PAM user accounts that should not be touched by PAM administrators.

PAM uses Rest API calls for some internal workflows. Rest API calls require authentication using credentials from target accounts with application type API Key. The scope and privileges of these accounts are defined in the associated user entries. The internal user accounts exist only as anchors for the associated API keys, are not used for logon and their email addresses are of no concern. The addresses should match the (initial) email address of the super account. The accounts, or more accurately their API keys, are used as follows:

DSApiUser - Used for PAMSC integration, see documentation page Implementing PAM SC and pages under it. There is no reference to this user, since it's used internally only.

LDAPApiUser - Used for internal API calls for integration with Active Directory domains, specifically when option "Groups Only" is select in the LDAP configuration, see documentation page How to Configure Active Directory for User Authentication. There is no reference to this user, since it's used internally only.

MCApiUser - Used for integration with a Management Console, see documentation page Management Console and pages under it. This account exists on all PAM servers, whether or not they are integrated with a Management Console. More details are found in KB 185805.

CATapApiUser - Used for integration with Threat Analytics, see documentation page Deploy Symantec Threat Analytics Server. This account exists when the PAM license has option Threat Analytics Capability enabled, whether or not the integration in fact is configured.