Symantec Privileged Access Management

  • 1.  sesu access and nested AD group not working

    Posted Feb 13, 2019 11:56 AM

    sesu access policy is not working on a Unix endpoint when the AD authorization group is nested inside of another AD group. Has anyone out there gotten this to work? If so, what did you need to do? I have tried setting this up in the past and never got it to work. I suspect we need to make sure that all groups (both top level and nested one) have to be Unix enabled. We are using Vintela as the AD client, not UNAB. Feedback is appreciated!



  • 2.  Re: sesu access and nested AD group not working
    Best Answer

    Broadcom Employee
    Posted Feb 14, 2019 04:16 AM

    Hello Susan,

    As per the documentation

    https://docops.ca.com/ca-privileged-access-manager-server-control/14-1/en/administrating/endpoint-administration-for-windows/users-and-groups

    PIM / PAM SC supports authorization of nested groups to protected resources.

    When logged on as that user, please run

    $ sewhoami -a

    It should reflect all the group memberships of this user.

    If, in the case of an AD user via UNAB, this is not the case, please open a support ticket and we will walk you through the various checks.
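    The reply above boils down to comparing two views of the user's groups: what the OS (via the AD client) resolves, and what PIM reports through sewhoami -a. The script below is an added example, not code from the thread or from Broadcom/CA; it assumes both views have already been reduced to a whitespace-separated list of group names (the real layout of sewhoami -a output is not shown in the thread, so the tr filter in triage_live is an assumption to adapt).

    ```shell
    #!/bin/sh
    # Added example (not from the thread or from Broadcom/CA): triage why a
    # sesu policy keyed on a nested AD group does not apply to a user.
    # ASSUMPTION: OS_GROUPS and PIM_GROUPS are whitespace-separated lists of
    # group names (from `id -Gn` and `sewhoami -a` respectively).

    # in_list LIST NAME -> returns 0 if NAME is one of the words in LIST
    in_list() {
        for w in $1; do
            [ "$w" = "$2" ] && return 0
        done
        return 1
    }

    # classify OS_GROUPS PIM_GROUPS GROUP
    # prints one of:
    #   ok           group is visible to the OS (AD client) and to PIM
    #   os-missing   the OS does not resolve the group at all: look at the AD
    #                client / Unix-enablement of the nested group first, since
    #                PIM cannot see a group the OS never resolved
    #   pim-missing  the OS resolves it but PIM does not: PIM-side issue, which
    #                is the case to raise with support
    classify() {
        if in_list "$1" "$3"; then
            if in_list "$2" "$3"; then echo ok; else echo pim-missing; fi
        else
            echo os-missing
        fi
    }

    # triage_live GROUP: run the comparison for the calling user on a real
    # endpoint. Only meaningful where sewhoami exists; returns 2 otherwise.
    triage_live() {
        command -v sewhoami >/dev/null 2>&1 || { echo "sewhoami not found" >&2; return 2; }
        os_groups=$(id -Gn)
        # ASSUMPTION: collapse whatever sewhoami -a prints into one line of words
        pim_groups=$(sewhoami -a | tr -s ' \t\n' ' ')
        classify "$os_groups" "$pim_groups" "$1"
    }
    ```

    Run `triage_live <nested-group-name>` while logged on as the affected user; the printed class tells you which side (AD client or PIM) to investigate.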



  • 3.  Re: sesu access and nested AD group not working

    Posted Feb 14, 2019 09:00 AM

    @Andreas Mueller - We are running version 12.8.1 of the endpoint, not 14.1. Also, we are not using UNAB; we use a competing product as the Unix LDAP client. I am looking to find out if anyone with 12.8.* has gotten this to work. I will open a case to get better help.