Symantec Privileged Access Management

  • 1.  Credential Manager Activities

    Posted Jan 14, 2019 07:04 AM

    Hi

     

    I have a user that has the TargetAdmin role and would like for him to have access to credential manager activities - Passwords not verified.

    I tried 2 different ways without success:

    - adding activity item on the default activities list

    - asking the user to add that same activity (Error PAM-UI-1005 - Authorization failed)

    Most probably I'm doing something wrong.

     

    Does anyone know how I can accomplish this? Allowing this user to see the metrics regarding his managed credentials.

    Thanks in advance

    Best regards



  • 2.  Re: Credential Manager Activities

    Broadcom Employee
    Posted Jan 16, 2019 10:27 AM

    Hello Nuno, I don't want to start a detailed discussion about individual privileges for Credential Management, but just give some hints on how to check on it. Privileges are defined in Credential Roles, which are assigned to Credential Groups, and users are assigned to Credential Groups. When a user tries something that requires a privilege he doesn't have, there should be a message in the tomcat log (Configuration > Diagnostics > Diagnostic Logs -> Download, get recent log entries or download) pointing to the missing privilege. I believe you should see this at log level Warning, but you can go to Info temporarily to get more information on the activity. Once you have identified the missing privilege you would add it to the relevant credential role. If you used a built-in role, you may have to copy it to a custom role and then refine the custom role. If you can't get it to work, you can open a support case.



  • 3.  Re: Credential Manager Activities

    Posted Jan 16, 2019 11:16 AM

    Hello

    I can't see the tomcat log. Catalina.out is too big, around 1GB.

    I only have tomcat warning level but our catalina.out is filled by this kind of messages:

    ...

    Caching method com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl:changePasswordOnConnectionEnd=public boolean com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl.isChangePasswordOnConnectionEnd()
    Caching method com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl:changePasswordOnSessionEnd=public boolean com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl.isChangePasswordOnSessionEnd()
    Caching method com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl:changePasswordOnSso=public boolean com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl.isChangePasswordOnSso()
    Caching method com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl:changePasswordOnView=public boolean com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl.isChangePasswordOnView()
    Caching method com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl:passwordViewRequestMaxDays=public int com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl.getPasswordViewRequestMaxDays()
    ...

    Do you know how I can disable this type of logging?

    Thanks in advance

    Best regards

    NM



  • 4.  Re: Credential Manager Activities

    Posted Jan 18, 2019 12:19 PM

    It is unusual for the tomcat log (catalina.out) to be so large. Has the Tomcat Log Level been changed? If so, put it back to the default, Warning. At some point PAM will switch to a new file, resulting in a smaller file for you to examine. You should raise the log level to Info if you are troubleshooting Credential Management issues. Lower the log level again when you are done. You cannot otherwise change what goes into the file.
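
Added example, not part of the thread and not Broadcom code: a one-pass filter for a downloaded catalina.out that tallies and drops the "Caching method" lines quoted in post 3 and keeps only lines matching privilege-related keywords, which is what post 2 suggests looking for. The keyword pattern and the two non-noise sample lines are assumptions, since the thread does not show what a missing-privilege message looks like.

```python
import re
from collections import Counter

# Noise pattern, taken from the "Caching method" lines quoted in the thread.
NOISE = re.compile(r"Caching method (?P<cls>[\w.$]+):")
# Assumption: words a missing-privilege or authorization message might contain.
INTEREST = re.compile(r"privilege|authoriz|PAM-UI-\d+", re.IGNORECASE)


def triage(lines, interest=INTEREST):
    """Read the log once; return (noise count per class, [(line number, line)])."""
    noise, hits = Counter(), []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        m = NOISE.search(line)
        if m:
            noise[m.group("cls")] += 1  # tally the noise, do not keep it
        elif interest.search(line):
            hits.append((lineno, line))
    return noise, hits


def triage_file(path, interest=INTEREST):
    # Iterating the handle streams the file, so a 1 GB log is never loaded whole;
    # errors="replace" keeps a stray non-UTF-8 byte from aborting the scan.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh, interest)


# Sample input: the first two lines are quoted from the thread; the last two are
# constructed, because the real message format is not shown there.
SAMPLE = (
    "Caching method com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl:"
    "changePasswordOnSso=public boolean com.cloakware.cspm.server.bo.impl."
    "PasswordViewPolicyImpl.isChangePasswordOnSso()\n"
    "Caching method com.cloakware.cspm.server.bo.impl.PasswordViewPolicyImpl:"
    "changePasswordOnView=public boolean com.cloakware.cspm.server.bo.impl."
    "PasswordViewPolicyImpl.isChangePasswordOnView()\n"
    "WARNING: constructed sample line, missing privilege PLACEHOLDER\n"
    "INFO: constructed sample line, unrelated activity\n"
)

if __name__ == "__main__":
    noise, hits = triage(SAMPLE.splitlines(True))
    for cls, count in noise.most_common():
        print(f"suppressed {count} 'Caching method' lines for {cls}")
    for lineno, line in hits:
        print(f"{lineno}: {line}")
```

For a real log, call `triage_file()` with the path of the downloaded file and adjust `INTEREST` once the actual message wording is known.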