Layer 7 Privileged Access Management


HOW TO: Verify Generic Accounts?

  • 1.  HOW TO: Verify Generic Accounts?

    Posted 05-15-2019 09:34 AM

    A client recently shared this screenshot with me and wonders how GENERIC accounts can show up as verified / failed verification when, by definition, GENERIC accounts are vault-only accounts and not synched against a target system.

     

    Any pointers?



  • 2.  Re: HOW TO: Verify Generic Accounts?

    Posted 05-15-2019 10:27 AM

    Hi Seb, this is not normal. Like you say, generic accounts cannot be verified, and they don't show status on my PAM instance. Is it possible that the target application type was different at one point in time? And how were the accounts created: manually, via Remote CLI, via the REST API, or any other way?



  • 3.  Re: HOW TO: Verify Generic Accounts?

    Posted 05-15-2019 11:42 AM

    Since these are SYBASE SA accounts, the plan was always to on-board with application type GENERIC.

     

    The accounts may have been created via XSIE.



  • 4.  Re: HOW TO: Verify Generic Accounts?
    Best Answer

    Posted 05-15-2019 04:26 PM

    I suspect that an XSIE import is behind this, but I cannot comment on how XSIE publishes target accounts, as that tool is not part of PAM. I tried publishing generic accounts using the remote CLI and was not able to see this problem with PAM 3.2.4, even when explicitly setting properties for lastVerified and passwordVerified. Your import data may have been derived from other types of accounts with a lot of attributes set that are not right for generic accounts.



  • 5.  Re: HOW TO: Verify Generic Accounts?

    Posted 05-17-2019 12:46 PM

    Turns out XSIE was the culprit.

     

    The CSV file used to bulk upload with XSIE contains a column labeled 'Synchronize'; this controls the selection of the "Synchronization" options on the Password tab of the Account... and it completely disregards that it's a GENERIC account.

     

    Re-importing those accounts with that column set to FALSE fixes the issue.

     

    Thanks.
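
A pre-import check for the problem resolved in this thread, as an added example that is not part of the original posts or of XSIE: it flags GENERIC rows whose 'Synchronize' column is not FALSE and returns a corrected copy of the file. Only the 'Synchronize' column name comes from the thread; the `ApplicationType` and `AccountName` headers and the sample rows are assumptions to adapt to the actual import template.

```python
import csv
import io

SYNC_COL = "Synchronize"          # column named in the thread
APP_TYPE_COL = "ApplicationType"  # assumed header, not from the thread
ACCOUNT_COL = "AccountName"       # assumed header, not from the thread

# Constructed sample import file (not real data).
SAMPLE_CSV = """AccountName,ApplicationType,Synchronize
sa_prod01,GENERIC,TRUE
sa_prod02,generic,
sa_test01,GENERIC,FALSE
svc_ldap,LDAP,TRUE
"""


def audit_generic_sync(csv_text):
    """Return (findings, corrected_csv_text).

    A finding is (file_line, account, original_value) for each GENERIC row
    whose Synchronize cell is anything other than an explicit FALSE. Blank
    cells are flagged too, because the thread does not say what the importer
    does with an empty value.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = reader.fieldnames or []
    missing = [c for c in (SYNC_COL, APP_TYPE_COL) if c not in fields]
    if missing:
        raise ValueError("missing column(s): " + ", ".join(missing))

    findings = []
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        app_type = (row[APP_TYPE_COL] or "").strip().upper()
        sync = (row[SYNC_COL] or "").strip()
        if app_type == "GENERIC" and sync.upper() != "FALSE":
            findings.append((reader.line_num, row.get(ACCOUNT_COL, ""), sync))
            row[SYNC_COL] = "FALSE"  # vault-only account: nothing to sync
        writer.writerow(row)
    return findings, out.getvalue()


if __name__ == "__main__":
    issues, fixed = audit_generic_sync(SAMPLE_CSV)
    for line, account, value in issues:
        print(f"line {line}: {account} Synchronize={value!r} -> FALSE")
```

Non-GENERIC rows are passed through unchanged, so the corrected text can replace the original file for the re-import described above.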