Layer 7 Privileged Access Management


HOW TO: Use the CLI to update PVP Checkout Interval and more

  • 1.  HOW TO: Use the CLI to update PVP Checkout Interval and more

    Posted 05-15-2019 03:50 PM

    i'm using the 3.2.4 CLI to update several PVPs in bulk

     

    i'm running the following command

     

    capam_command cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=<pvpid> PasswordViewPolicy.dualAuthorization=true PasswordViewPolicy.dualAuthorizationInterval=720 PasswordViewPolicy.passwordViewRequestMaxInterval=720 PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterval=720 PasswordViewPolicy.passwordViewRequestMaxDays=14 PasswordViewPolicy.passwordChangeInterval=720

     

    however when i run this i always get back this error:

    <CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>4640</cr.statusCode><cr.statusDescription>PAM-CM-1080: The default password view request interval must be equal or less than the maximum password view request interval. Password View Policy default interval cannot be larger than maximum interval</cr.statusDescription><cr.result></cr.result></CommandResult>

     

    i've tried increasing / decreasing each of the interval values by a little but nothing seems to work.

     

     

    i've looked at the documentation and there is no default password view request interval property or default interval property ...

     

    i've also tried to run this command:

    capam_command cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=<pvpid> PasswordViewPolicy.dualAuthorizationInterval=720 PasswordViewPolicy.passwordViewRequestMaxInterval=720 PasswordViewPolicy.checkinCheckoutInterval=720 PasswordViewPolicy.passwordViewRequestMaxDays=14  PasswordViewPolicy.passwordChangeInterval=720

     

    and though i don't get an error and it seems to complete successfully, the update doesn't actually occur. interval values are not changed on the PAM side.

     

    what is the problem here?

    What am i missing?

     

    thanks in advance



  • 2.  Re: HOW TO: Use the CLI to update PVP Checkout Interval and more

    Posted 05-15-2019 03:56 PM

    Here's the full command

     

    capam_command adminUserID=cliuser capam=pamserver.domain.com adminPassword=********** cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=1123 PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterval=720 PasswordViewPolicy.dualAuthorization=true PasswordViewPolicy.dualAuthorizationInterval=720 PasswordViewPolicy.passwordViewRequestMaxInterval=720

     

    <CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>4640</cr.statusCode><cr.statusDescription>PAM-CM-1080: The default password view request interval must be equal or less than the maximum password view request interval. Password View Policy default interval cannot be larger than maximum interval</cr.statusDescription><cr.result></cr.result></CommandResult>


    if i perform these steps in the GUI, it works



  • 3.  Re: HOW TO: Use the CLI to update PVP Checkout Interval and more
    Best Answer

    Posted 05-15-2019 04:58 PM

    Hi Seb, You are missing that the parameter names are case sensitive. Per our documentation page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/addpasswordviewpolicy/ the parameters are

     

    PasswordViewPolicy.PasswordViewRequestMaxInterval
    PasswordViewPolicy.PasswordViewRequestMaxDays

     

    Note the capital Ps after the dots.



  • 4.  Re: HOW TO: Use the CLI to update PVP Checkout Interval and more

    Posted 05-16-2019 09:27 AM

    Thanks Ralf - again!

     

    indeed, case got me again.

     

    FTR, the GUI doesn't allow changing of the Check-in/Check-out interval without also changing Dual Auth Default and Max Request Intervals.

     

    But the CLI does: running this command actually worked - I would've expected it to be a consistent behavior.

    capam_command adminUserID=cliuser capam=pamserver.domain.com adminPassword=********** cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=1123 PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterval=720

     

    Another observation - if i only want to set the intervals (as i do in the GUI), the command returns a status 400/success... but the dual auth intervals are ignored.

    capam_command adminUserID=cliuser capam=pim-1pam004.mandtbank.com adminPassword=********** cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=1123 PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterval=720 PasswordViewPolicy.dualAuthorizationInterval=720 PasswordViewPolicy.PasswordViewRequestMaxInterval=720 PasswordViewPolicy.PasswordViewRequestMaxDays=14

     

    It turns out that i must also include PasswordViewPolicy.dualAuthorization=true on the command line for the CLI to pay attention to the other dual auth intervals; however, if PasswordViewPolicy.dualAuthorization=true is specified then PasswordViewPolicy.approverIDs="list,of,approver's,ids" must also be specified on the command line, irrespective of whether or not the list of approvers is already specified on the existing PVP and you do not wish to update that list.

     

    The same goes for PasswordViewPolicy.emailNotificationRequired=true - if specified, then you must also specify PasswordViewPolicy.emailNotificationUserIDs="list,of,email,users,ids" (or PasswordViewPolicy.emailNotificationUsers="list,of,user,logins"), etc; regardless of whether those settings had already been configured as required.

     

    I may have missed it, but i don't recall seeing all these dependencies / requirements / intricacies in the documentation.

     

    thanks again for the support



  • 5.  Re: HOW TO: Use the CLI to update PVP Checkout Interval and more

    Posted 05-16-2019 11:04 AM

    Hi Seb, If not done yet, please open a support case and document these observations so we can follow up and fix what needs fixing.



  • 6.  Re: HOW TO: Use the CLI to update PVP Checkout Interval and more

    Posted 05-16-2019 12:45 PM

    ok will do.
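
A pre-flight check for the pitfalls this thread surfaces (wrongly cased parameter names that the CLI does not apply, and flags that need a companion list on the same command line), as an added example that is not CA's or the posters' code. The parameter spellings are taken from the posts above; `preflight`, `parse_result` and the sample arguments are hypothetical names constructed here.

```python
import xml.etree.ElementTree as ET

# Spellings as they appear in this thread only; extend from the product docs.
P = "PasswordViewPolicy."
KNOWN = {P + n for n in (
    "ID", "checkinCheckoutRequired", "checkinCheckoutInterval",
    "dualAuthorization", "dualAuthorizationInterval", "approverIDs",
    "PasswordViewRequestMaxInterval", "PasswordViewRequestMaxDays",
    "emailNotificationRequired", "emailNotificationUserIDs",
    "emailNotificationUsers")}
BY_LOWER = {name.lower(): name for name in KNOWN}

def preflight(args):
    """Return a list of problems for a list of 'name=value' CLI arguments."""
    params = dict(a.split("=", 1) for a in args)
    problems = []
    for name in params:
        if not name.startswith(P) or name in KNOWN:
            continue  # adminUserID, cmdName, ... are out of scope here
        fix = BY_LOWER.get(name.lower())
        problems.append(f"{name}: wrong case, use {fix}" if fix
                        else f"{name}: not in the known list")
    if params.get(P + "dualAuthorization") == "true":
        if P + "approverIDs" not in params:
            problems.append("dualAuthorization=true needs approverIDs")
    elif P + "dualAuthorizationInterval" in params:
        problems.append("dualAuthorizationInterval needs dualAuthorization=true")
    recipients = {P + "emailNotificationUserIDs", P + "emailNotificationUsers"}
    if params.get(P + "emailNotificationRequired") == "true" \
            and not recipients & params.keys():
        problems.append("emailNotificationRequired=true needs a recipient list")
    return problems

def parse_result(xml_text):
    """Extract (statusCode, statusDescription) from a <CommandResult> reply."""
    fields = {child.tag: child.text for child in ET.fromstring(xml_text)}
    return int(fields["cr.statusCode"]), fields["cr.statusDescription"]

# Constructed sample: arguments shaped like the failing commands above.
SAMPLE = ["cmdName=updatePasswordViewPolicy", P + "ID=1123",
          P + "dualAuthorizationInterval=720",
          P + "passwordViewRequestMaxInterval=720"]

if __name__ == "__main__":
    for problem in preflight(SAMPLE):
        print(problem)
```

Because the thread shows a success status coming back even when values were not applied, read the policy back after the update rather than trusting the status code alone.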