Layer7 Privileged Access Management

Expand all | Collapse all

Capam_command updateTargetApplication return authorization failed

Jump to Best Answer
  • 1.  Capam_command updateTargetApplication return authorization failed

    Posted 07-10-2018 01:27 PM

    Hello

     

    probably I'm doing something wrong.

    I'm trying to update Attribute.descriptor2 on several devices. And the way I pretend to do it is using capam_command.

    But I keep getting Authorization failed.

     

    D:\GEN500000000000989>capam_command.bat cmdName=updateTargetApplication capam=*** UserID=yyyy TargetApplication.ID=1533 TargetServer.ID=1092 TargetApplication.type=unixII Attribute.descriptor2=test
    Enter password:
    <CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>26</cr.statusCode>
    <cr.statusDescription>PAM-CM-0557: Authorization failed. User {0} does not have
    permission for this entity. Not authorized for command: updateTargetApplication<
    /cr.statusDescription><cr.result></cr.result></CommandResult>

     

    My user is belongs to dynamic Target Group with TargetAdmin role (this role have Update Target Application privilege). If I use UI with my user, I can change descriptor2 field without any error.

    With capam_command and my user,  I can do searchTargetApplication without any problem.

    Does anyone had this problem?

     

    Thanks in advance

    Best regards



  • 2.  Re: Capam_command updateTargetApplication return authorization failed

    Posted 07-13-2018 01:21 PM

    The error message you are seeing indicates that the user you've specified is not allowed to execute this task.  What user are you using?  What role is it assigned?  In addition, is the user configured with a Credential Management Group that would allow management of the application?  If not, the command won't work regardless of the user.  Please check this.

     

    In addition, you can put the command into a browser using the template below:

    https://<your pam>/cspm/servlet/adminCLI?adminUserID=<user>&adminPassword=<password>&cmdName=updateTargetApplication&TargetApplication.ID=<applicationID>&TargetServer.ID=<serverID>&TargetApplication.type=<application type>&Attribute.descriptor2=test

     

    This worked for me, using super.  Give it a try.



  • 3.  Re: Capam_command updateTargetApplication return authorization failed

    Posted 07-13-2018 01:51 PM

    I'm using TargetAdmin role and I'm in a Credential Management Group that allows changing that application. In fact, if I use the PAM client, I can change it without any error. It doesn't seems to be coherent.

    I tried with super user and it works fine.

    Thus that mean that, other users, for running "cmdName=updateTargetApplication" needs one role with more privilege ? probably super uses "SystemAdmin" role on the Credential Management.

    Thanks



  • 4.  Re: Capam_command updateTargetApplication return authorization failed

    Posted 07-13-2018 02:02 PM

    The standard PAM User Roles do not include one called TargetAdmin.  Was a customer role created?  If so, compare the privileges assigned to it to those assigned to the Global Admin role.  Something might have been excluded that is necessary for this task.  You may need to open a Support ticket so we can coordinate a Webex, if you cannot identify the differences yourself.



  • 5.  Re: Capam_command updateTargetApplication return authorization failed

    Posted 07-13-2018 02:05 PM

    Target Admin is a Credential Management role that comes with the product.



  • 6.  Re: Capam_command updateTargetApplication return authorization failed
    Best Answer

    Posted 07-13-2018 08:19 PM

    Yes, that is a Credential Manager Role.  That will have impact on what Credential Manager tasks a user can perform.  There are User Roles as well.  Take a look at the Role assigned to the user, on the Manage Users page.  If this role is not sufficient the user will not be able to execute the CLI commands.