Symantec Privileged Access Management

  • 1.  What causes: HTTP error 404 - The requested resource is not available - when requesting passwords in the access tab?

    Posted May 17, 2019 10:22 AM

    On 3.2.4.62 CA PAM Physical Appliances

     

    A client has recently identified several users who attempt to use a credential for auto connect from the access tab.

     

    The action triggers the appropriate Dual Auth PVP - but the user gets the following error message:

     

    This seems to occur for these users irrespective of which workstation they are using or whichever node or site they connect to.

     

    These users are 'Firecall' Approvers for certain accounts (by virtue of CM Group filtered by a Target Group) - including the accounts they are requesting (though they are not specifically listed in the PVP as the approvers for those accounts). Approvers can approve own requests.

     

    Another colleague has reported seeing something like this before where the user has some Firecall CM Roles/privileges but can't submit a password request via the Access tab on the client.

     

    The issue seems to have gone away when the CM Role was granted the following privileges:

    Get Target Account

    Get Password View Policy

    List Target Account.

     

    On the other hand, a standard user doesn't seem to have this issue.

     

    Is this a known issue?

    If a standard user is also a CM approver, then the CM privileges conflict with the user's ability to request a password?



  • 2.  Re: What causes: HTTP error 404 - The requested resource is not available - when requesting passwords in the access tab?



  • 3.  Re: What causes: HTTP error 404 - The requested resource is not available - when requesting passwords in the access tab?

    Posted May 17, 2019 12:41 PM

    Thanks Joseph.

     

    According to that link:

    ... when a user is assigned any role with the "Manage Credentials" privilege (for example, "Password Manager"), that user is removed from the "Standard Users" Credential Manager group and cannot view passwords on the Access page. 

     

    OK, but these users belong to multiple groups that do have the 'Standard User' PAM role assigned... you can see that via the 'Display inherited roles' - so perhaps there's an issue with user-groups inheritance of PAM-role privileges.

     

    But wouldn't it be possible to just explicitly add the 'Standard User' role back to the user?

     

    Or would that not fix the underlying limitation?