On 220.127.116.11 CA PAM Physical Appliances
A client has recently identified several users who attempt to use a credential for auto connect from the access tab.
The action triggers the appropriate Dual Auth PVP - but user get the following error message:
This seems to occur for these users irrespective of which workstation they are using or whichever node or site they connect to.
These users are 'Firecall' Aprrovers for certain accounts (by virtue of CM Group filtered by a Target Group) - including the accounts they are requesting (though they are not specifically listed in the PVP as the approvers for those accounts). Approvers can approve own requests.
Another colleague has reported seeing something like this before where the user has some Firecall CM Roles/privileges but can't submit a password request via the Access tab on the client.
The issue seems to have gone away when the CM Role was granted the following privileges:
Get Target Account
Get Password View Policy
List Target Account.
on the other hand, a standard user, doesn't seem to have this issue.
Is this a known issue?
If a standard user is also a CM approver, then the CM privileges conflict with the user's ability to request a password?
I believe this is a known limitation. We have documented this here.
according to that link
... when a user is assigned any role with the "Manage Credentials" privilege (for example, "Password Manager"), that user is removed from the "Standard Users" Credential Manager group and cannot view passwords on the Access page.
OK, but these users belong to multiple groups that do have the 'Standard User' PAM role assigned... you can see that via the 'Display inherited roles' - so perhaps there's an issue with user-groups inheritance of PAM-role privileges.
but wouldn't it be possible to just explicitly add the 'Standard User' role back to the user?
or would that not fix the underlying limitation?