I'm using the 3.2.4 CLI to update several PVPs in bulk.
I'm running the following command:
capam_command cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=<pvpid> PasswordViewPolicy.dualAuthorization=true PasswordViewPolicy.dualAuthorizationInterval=720 PasswordViewPolicy.passwordViewRequestMaxInterval=720 PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterval=720 PasswordViewPolicy.passwordViewRequestMaxDays=14 PasswordViewPolicy.passwordChangeInterval=720
However, when I run this I always get back this error:
<CommandResult><cr.itemNumber>0</cr.itemNumber><cr.statusCode>4640</cr.statusCode><cr.statusDescription>PAM-CM-1080: The default password view request interval must be equal or less than the maximum password view request interval. Password View Policy default interval cannot be larger than maximum interval</cr.statusDescription><cr.result></cr.result></CommandResult>
I've tried increasing / decreasing each of the interval values by a little but nothing seems to work.
I've looked at the documentation and there is no default password view request interval property or default interval property ...
I've also tried to run this command:
capam_command cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=<pvpid> PasswordViewPolicy.dualAuthorizationInterval=720 PasswordViewPolicy.passwordViewRequestMaxInterval=720 PasswordViewPolicy.checkinCheckoutInterval=720 PasswordViewPolicy.passwordViewRequestMaxDays=14 PasswordViewPolicy.passwordChangeInterval=720
And though I don't get an error, and it seems to complete successfully, the update doesn't actually occur. Interval values are not changed on the PAM side.
What is the problem here?
What am I missing?
Thanks in advance
Here's the full command
capam_command adminUserID=cliuser capam=pamserver.domain.com adminPassword=********** cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=1123 PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterval=720 PasswordViewPolicy.dualAuthorization=true PasswordViewPolicy.dualAuthorizationInterval=720 PasswordViewPolicy.passwordViewRequestMaxInterval=720
If I perform these steps in the GUI, it works.
Hi Seb, You are missing that the parameter names are case sensitive. Per our documentation page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/addpasswordviewpolicy/ the parameters are
Note the capital Ps after the dots.
Thanks Ralf - again!
Indeed, case got me again.
FTR, the GUI doesn't allow changing of the Check-in/Check-out interval without also changing Dual Auth Default and Max Request Intervals.
But the CLI does: running this command actually worked - I would've expected it to be a consistent behavior.
capam_command adminUserID=cliuser capam=pamserver.domain.com adminPassword=********** cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=1123 PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterval=720
Another observation - if I only want to set the intervals (as I do in the GUI), the command returns a status 400/success... but the dual auth intervals are ignored.
capam_command adminUserID=cliuser capam=pamserver.domain.com adminPassword=********** cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=1123 PasswordViewPolicy.checkinCheckoutRequired=true PasswordViewPolicy.checkinCheckoutInterval=720 PasswordViewPolicy.dualAuthorizationInterval=720 PasswordViewPolicy.PasswordViewRequestMaxInterval=720 PasswordViewPolicy.PasswordViewRequestMaxDays=14
It turns out that I must also include PasswordViewPolicy.dualAuthorization=true on the command line for the CLI to pay attention to the other dual auth intervals; however, if PasswordViewPolicy.dualAuthorization=true is specified then PasswordViewPolicy.approverIDs="list,of,approver's,ids" must also be specified on the command line, irrespective of whether or not the list of approvers is already specified on the existing PVP and you do not wish to update that list.
The same goes for PasswordViewPolicy.emailNotificationRequired=true - if specified, then you must also specify PasswordViewPolicy.emailNotificationUserIDs="list,of,email,users,ids" (or PasswordViewPolicy.emailNotificationUsers="list,of,user,logins"), etc; regardless of whether those settings had already been configured as required.
I may have missed it, but I don't recall seeing all these dependencies / requirements / intricacies in the documentation.
Thanks again for the support
Hi Seb, If not done yet, please open a support case and document these observations so we can follow up and fix what needs fixing.
OK, will do.
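
The pitfalls reported in this thread (mis-cased parameter names, and flags that are ignored or need companion parameters) can be caught before a bulk run. The following is an added example, not part of the original posts or the vendor's tooling; the function name `lint_pvp_update`, the `KNOWN` list and the sample command are assumptions built only from the spellings and rules mentioned above.

```python
# Added example: pre-flight lint for updatePasswordViewPolicy arguments.
# Spellings and dependency rules are only those reported in this thread;
# names not listed in KNOWN are left unchecked (verify against vendor docs).
import shlex

PREFIX = "PasswordViewPolicy."
KNOWN = (
    "ID checkinCheckoutRequired checkinCheckoutInterval dualAuthorization "
    "dualAuthorizationInterval approverIDs PasswordViewRequestMaxInterval "
    "PasswordViewRequestMaxDays emailNotificationRequired "
    "emailNotificationUserIDs emailNotificationUsers"
).split()
BY_LOWER = {name.lower(): name for name in KNOWN}

def lint_pvp_update(command_line):
    """Return a list of findings (an empty list means nothing was flagged)."""
    params, findings = {}, []
    for token in shlex.split(command_line):
        key, sep, value = token.partition("=")
        if not sep or not key.startswith(PREFIX):
            continue  # connection arguments, cmdName, etc. are not checked
        name = key[len(PREFIX):]
        expected = BY_LOWER.get(name.lower())
        if expected and expected != name:
            findings.append(f"case: {key} should be {PREFIX}{expected}")
            name = expected  # keep checking dependencies on the intended name
        params[name] = value

    def is_true(name):
        return params.get(name, "").lower() == "true"

    if "dualAuthorizationInterval" in params and not is_true("dualAuthorization"):
        findings.append("ignored: dualAuthorizationInterval needs dualAuthorization=true")
    if is_true("dualAuthorization") and "approverIDs" not in params:
        findings.append("missing: dualAuthorization=true needs approverIDs")
    if is_true("emailNotificationRequired") and not (
            params.keys() & {"emailNotificationUserIDs", "emailNotificationUsers"}):
        findings.append("missing: emailNotificationRequired=true needs a recipient list")
    return findings

# Constructed sample, modelled on the first command in the thread.
SAMPLE = (
    "capam_command cmdName=updatePasswordViewPolicy PasswordViewPolicy.ID=1123 "
    "PasswordViewPolicy.dualAuthorization=true "
    "PasswordViewPolicy.dualAuthorizationInterval=720 "
    "PasswordViewPolicy.passwordViewRequestMaxInterval=720"
)
if __name__ == "__main__":
    print("\n".join(lint_pvp_update(SAMPLE)))
```

Running each generated command line through the lint and skipping any with findings avoids the case where the CLI reports success but the policy is unchanged.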