Symantec Privileged Access Management

  • 1.  Capam_command updateTargetApplication return authorization failed

    Posted Jul 10, 2018 01:27 PM

    Hello

     

    Probably I'm doing something wrong.

    I'm trying to update Attribute.descriptor2 on several devices, and the way I intend to do it is using capam_command.

    But I keep getting Authorization failed.

     

    D:\GEN500000000000989>capam_command.bat cmdName=updateTargetApplication capam=*** UserID=yyyy TargetApplication.ID=1533 TargetServer.ID=1092 TargetApplication.type=unixII Attribute.descriptor2=test
    Enter password:
    <CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>26</cr.statusCode>
    <cr.statusDescription>PAM-CM-0557: Authorization failed. User {0} does not have
    permission for this entity. Not authorized for command: updateTargetApplication<
    /cr.statusDescription><cr.result></cr.result></CommandResult>

     

    My user belongs to a dynamic Target Group with the TargetAdmin role (this role has the Update Target Application privilege). If I use the UI with my user, I can change the descriptor2 field without any error.

    With capam_command and my user, I can do searchTargetApplication without any problem.

    Has anyone had this problem?

     

    Thanks in advance

    Best regards



  • 2.  Re: Capam_command updateTargetApplication return authorization failed

    Posted Jul 13, 2018 01:21 PM

    The error message you are seeing indicates that the user you've specified is not allowed to execute this task.  What user are you using?  What role is it assigned?  In addition, is the user configured with a Credential Management Group that would allow management of the application?  If not, the command won't work regardless of the user.  Please check this.

     

    In addition, you can put the command into a browser using the template below:

    https://<your pam>/cspm/servlet/adminCLI?adminUserID=<user>&adminPassword=<password>&cmdName=updateTargetApplication&TargetApplication.ID=<applicationID>&TargetServer.ID=<serverID>&TargetApplication.type=<application type>&Attribute.descriptor2=test

     

    This worked for me, using super.  Give it a try.



  • 3.  Re: Capam_command updateTargetApplication return authorization failed

    Posted Jul 13, 2018 01:51 PM

    I'm using the TargetAdmin role and I'm in a Credential Management Group that allows changing that application. In fact, if I use the PAM client, I can change it without any error. It doesn't seem to be coherent.

    I tried with the super user and it works fine.

    Does that mean that other users, to run "cmdName=updateTargetApplication", need a role with more privileges? Probably super uses the "SystemAdmin" role on the Credential Management.

    Thanks



  • 4.  Re: Capam_command updateTargetApplication return authorization failed

    Posted Jul 13, 2018 02:02 PM

    The standard PAM User Roles do not include one called TargetAdmin.  Was a customer role created?  If so, compare the privileges assigned to it to those assigned to the Global Admin role.  Something might have been excluded that is necessary for this task.  You may need to open a Support ticket so we can coordinate a Webex, if you cannot identify the differences yourself.



  • 5.  Re: Capam_command updateTargetApplication return authorization failed

    Posted Jul 13, 2018 02:05 PM

    Target Admin is a Credential Management role that comes with the product.



  • 6.  Re: Capam_command updateTargetApplication return authorization failed
    Best Answer

    Posted Jul 13, 2018 08:19 PM

    Yes, that is a Credential Manager Role.  That will have impact on what Credential Manager tasks a user can perform.  There are User Roles as well.  Take a look at the Role assigned to the user, on the Manage Users page.  If this role is not sufficient the user will not be able to execute the CLI commands.
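
When updateTargetApplication is run across several devices, as the first post intends, each captured result has to be checked for the PAM-CM-0557 authorization failure. The following is an added example, not code from the thread or from the product: it parses the console-wrapped CommandResult output shown in the first post. The function names and the 80-column console width are assumptions; the sample is that post's output.

```python
import re
import xml.etree.ElementTree as ET

AUTH_FAILED = "PAM-CM-0557"  # message id shown in the first post

# Sample input: the console output from the first post, wrapped as shown there.
SAMPLE = """\
Enter password:
<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>26</cr.statusCode>
<cr.statusDescription>PAM-CM-0557: Authorization failed. User {0} does not have
permission for this entity. Not authorized for command: updateTargetApplication<
/cr.statusDescription><cr.result></cr.result></CommandResult>
"""

def unwrap(console_text, width=80):
    """Undo hard wrapping at `width` columns (assumed console width)."""
    # A row shorter than `width` lost its trailing spaces; pad it back so
    # words stay separated and tags split across rows are rejoined intact.
    return "".join(row.ljust(width) for row in console_text.splitlines())

def parse_results(console_text, width=80):
    """Return one dict per <CommandResult> element in the captured output."""
    flat = unwrap(console_text, width)
    results = []
    for match in re.finditer(r"<CommandResult>.*?</CommandResult>", flat):
        root = ET.fromstring(match.group(0))
        fields = {child.tag: (child.text or "") for child in root}
        # Collapse the padding that unwrap() may have added inside the text.
        desc = " ".join(fields.get("cr.statusDescription", "").split())
        results.append({
            "item": fields.get("cr.itemNumber"),
            "status_code": fields.get("cr.statusCode"),
            "description": desc,
            "auth_failed": desc.startswith(AUTH_FAILED),
        })
    return results

def denied(console_text):
    """Results that failed authorization and need a role review."""
    return [r for r in parse_results(console_text) if r["auth_failed"]]

if __name__ == "__main__":
    for r in denied(SAMPLE):
        print(f"item {r['item']}: code {r['status_code']}: {r['description']}")
```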