This (counter-intuitive) behavior can be seen in 3.2.2.
CA PAM seems to enforce the following requirement on Target Account Selections within Access Policies: One or more credential sources must be selected / specified in a Device Group if the Access Policy (for that device group) is to have access to target accounts.
In other words, if there's no credential source on a device group, and you create an access policy on that device group and try to select one of the available accounts listed (all Target Accounts are listed by the way) you will get an error stating:
This idea is to request an enhancement to the way PAM handles Credential Source configuration and filtering as follows:
A. Selective Warning when removing a Credential Source: The PAM system allows an unsuspecting admin to remove a credential source from a device group even though there may be one or more policies configured to use one or more target accounts that are tied to that credential source. Currently, in 3.2.2, in such cases, the PAM system simply (_and quietly_) removes the target account(s) from the access policy. Needless to say, this can break a lot of policies in just one action and can generate a tremendous amount of administrative overhead to remedy.
USE CASE STEPS:
1. A Device Group is configured with a credential source;
2. An Access policy is configured for that device group;
3. A target account is selected (access tab) for the selected access method, etc., and the policy is saved.
4. The Credential Source specified on the device group in step 1 is removed without any warning.
5. Reviewing the Access Policy, one can see that the Target account is no longer selected.
Enhancement Idea: When removing a credential source from a device group, check first to see if that credential source is a dependency of any of the target accounts selected across all policies. If a dependency is detected, alert the admin that the action will result in removing that target account from one or more policies. Ideally, the list of policy names would be given in the same warning, or it can be a report "Policies by Target Accounts".
B. Filter out all target accounts: Currently, when no credential source is selected for a device group, the PAM system still returns ALL target accounts in the Access Policy -> Access tab -> Target Account -> Available Accounts list. This allows an admin to inadvertently select a target account and try to save the policy, only to be met with the error illustrated in the above snapshot.
USE CASE STEPS:
1. Create a device group but do not specify a credential source;
2. Create an access policy for that device group;
3. In the access tab, select an access method
4. Click on the magnifying glass to see the list of Target Accounts
5. Note the list of available target accounts lists ALL of the target accounts
6. Select any Target account
7. Click OK, then OK again
8. Get the Error above
Enhancement Idea: When a device group does not have a credential source specified, do not return ANY target accounts in the Access Policy -> Access Method -> Target Account selection screen.
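The two checks requested in A and B, sketched as an added example that is not CA PAM code or part of the original idea. The in-memory model, all class and function names, and the sample accounts are assumptions; `available_accounts` also goes one step beyond idea B by offering only accounts tied to the group's own credential sources.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory model; these names are assumptions, not CA PAM's API or schema.
@dataclass(frozen=True)
class TargetAccount:
    name: str
    credential_source: str

@dataclass
class DeviceGroup:
    name: str
    credential_sources: set = field(default_factory=set)

@dataclass
class AccessPolicy:
    name: str
    device_group: str
    target_accounts: list = field(default_factory=list)

def affected_policies(group, source, policies):
    """Idea A: map policy name -> accounts that removing `source` would drop."""
    hits = {}
    for p in policies:
        if p.device_group != group.name:
            continue
        lost = [a.name for a in p.target_accounts if a.credential_source == source]
        if lost:
            hits[p.name] = lost
    return hits

def remove_credential_source(group, source, policies, confirmed=False):
    """Refuse the removal until the admin has seen and confirmed the impact."""
    hits = affected_policies(group, source, policies)
    if hits and not confirmed:
        raise PermissionError(f"Removing {source!r} from {group.name!r} would drop: {hits}")
    group.credential_sources.discard(source)
    for p in policies:
        if p.name in hits:
            p.target_accounts = [a for a in p.target_accounts if a.credential_source != source]
    return hits

def available_accounts(group, accounts):
    """Idea B: an empty credential-source set yields an empty selection list."""
    return [a for a in accounts if a.credential_source in group.credential_sources]

# Constructed sample data.
ACCOUNTS = [TargetAccount("root@db01", "local-cm"), TargetAccount("svc@app01", "remote-cm")]
```

The `PermissionError` message carries the policy names and accounts, which is the information the warning in idea A asks for.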