Symantec Privileged Access Management

  • 1.  PAM Credential Manager "List Other Accounts" privilege

    Posted Aug 05, 2021 02:48 AM
    Hi there,

    Could somebody please shed some light on how this "List Other Accounts" privilege works in Credential Manager?

    On the documentation page, this privilege is not mentioned.
    Add or Modify Credential Manager Roles

    Based on my testing, it seems to me that the user will need this privilege if the user is going to use the CLI command addTargetAccount to add an account on CA PAM and the new account is going to use another account (already exists on PAM and referenced through the account ID number) to synchronize password with the endpoint.

    Also, my testing shows that as long as the user has this privilege, the user can search all existing target accounts for the purpose of using them as the "other account" when creating new Target Accounts. The normal Target Group mechanism does not apply to this privilege, i.e. the user will be able to search for the Target Account even if the user does not have a Target Group that gives the user access to the account.

    Is my understanding correct?

    Regards,
    Jiangping Li


  • 2.  RE: PAM Credential Manager "List Other Accounts" privilege

    Broadcom Employee
    Posted Aug 24, 2021 08:39 PM
    Hello Jiangping, Sorry for the late response. Your understanding is correct on the first part. This is a very specific privilege and applies to the use of the "useOtherAccountToChangePassword" attribute in CLI commands. If this is true for an addTargetAccount, or for updateTargetAccount when the existing target account had it set to false, then this privilege is checked.
    Note that this does NOT allow the user to search all existing target accounts for use as "other account", because it is only evaluated against the "useOtherAccountToChangePassword" attribute. You must have other privileges assigned that allow listing all target accounts. What PAM release were you testing on?


  • 3.  RE: PAM Credential Manager "List Other Accounts" privilege

    Posted Aug 27, 2021 01:01 AM
    Thanks Ralf,

    I am on 3.4+ version of PAM.

    Just received confirmation from Broadcom support, the account ID that you specify for the "Attribute.otherAccount" is not subject to the restriction of the Target Group that the user is assigned. This basically means that you can use any account as the "otherAccount" if somehow you know the ID of the account.

    On the PAM client UI, the listing of accounts is restricted by the Target Group assigned as it has to go through the search account process.

    Regards,
    Jiangping Li
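    As an added example (not code from this thread or from the product), a small Python model of the two rules described above: the privilege check on "useOtherAccountToChangePassword" from reply 2, and a review function for the point in reply 3 that the CLI does not apply the user's Target Groups to "Attribute.otherAccount". The privilege name LIST_TARGET_ACCOUNTS, the record layouts and all sample IDs are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

LIST_OTHER_ACCOUNTS = "List Other Accounts"    # privilege discussed in the thread
LIST_TARGET_ACCOUNTS = "List Target Accounts"  # assumed name of the separate listing privilege


@dataclass
class TargetAccount:
    account_id: int
    use_other_account_to_change_password: bool = False
    other_account: Optional[int] = None  # Attribute.otherAccount (an account ID)


@dataclass
class User:
    privileges: Set[str] = field(default_factory=set)
    # account IDs the user can reach through assigned Target Groups (assumed model)
    target_group_accounts: Set[int] = field(default_factory=set)


def requires_list_other_accounts(existing: Optional[TargetAccount], new_flag: bool) -> bool:
    """Per reply 2: checked on addTargetAccount when the flag is true, and on
    updateTargetAccount only when the stored flag was false and becomes true."""
    if existing is None:  # addTargetAccount
        return new_flag
    return new_flag and not existing.use_other_account_to_change_password


def authorize_change(user: User, existing: Optional[TargetAccount], new_flag: bool) -> bool:
    if requires_list_other_accounts(existing, new_flag):
        return LIST_OTHER_ACCOUNTS in user.privileges
    return True


def can_list_all_target_accounts(user: User) -> bool:
    # "List Other Accounts" alone does not grant listing; a separate privilege does.
    return LIST_TARGET_ACCOUNTS in user.privileges


def audit_other_account_references(accounts: List[TargetAccount], user: User) -> List[int]:
    """Defender-side review for reply 3: return IDs of accounts created with an
    otherAccount the user could not have reached through its Target Groups."""
    return [a.account_id for a in accounts
            if a.use_other_account_to_change_password
            and a.other_account is not None
            and a.other_account not in user.target_group_accounts]
```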


  • 4.  RE: PAM Credential Manager "List Other Accounts" privilege

    Broadcom Employee
    Posted Aug 27, 2021 04:55 PM
    Ok, I believe you are saying now yourself that you can NOT list all accounts for use as other account in the UI, contrary to your initial statement. This is working as expected and as discussed in my previous response.