Layer 7 Privileged Access Management

Why are PAM User's Limited to 10 CM Groups?

  • 1.  Why are PAM User's Limited to 10 CM Groups?

    Posted 06-18-2019 05:35 PM
    Edited by Sebastiano Alighieri 06-19-2019 09:19 AM
    I'm working on an effort in which the client wishes to migrate several thousand 'Secrets' stored in Power Keeper (PK) to PAM.

    These secrets can be anything and are meant to be temporary and volatile in nature. Furthermore, these secrets are 'disjointed' from any target system/device, and therefore, vaulted in PAM as 'Generic' accounts.

    The current design behind the PK vault is such that each secret is linked to a 'Container' and each Container has 'Limited_Admins', 'Approvers' and 'Requestors'. Access and privileges to each PK Container are determined by role-based access ACLs maintained on the PK System.

    We've managed to design something very similar in PAM; a setup that would offer a familiar experience and minimize user adoption time frame. That design is the following:

    1. One device: 'Vaulted-Accounts' Enabled for Password Management Only;
    2. One Application Per PK Container, each linked to the same, single device above;
    3. One Target Group per PK Container - Filtering on the Application Name and Device Name - yielding only the secrets in that container/application.
    4. Vault Secrets in PAM as Generic Accounts, linked to respective Application (PK Container)
    5. Up to 3 Credential Manager Groups Per PK Container (Filtered by respective Target Group and Role Limited_Admins, Approvers and Requestors)

    Each user having access and privileges in Power Keeper would then be granted the same CM Group Membership. This would yield the best user experience in terms of searching, pwd viewing, account administration and request approval. No Policies involved.

    We are running into an issue in which multiple users have access to > 10 CM Groups. The system doesn't seem to allow more than 10 CM Groups to be assigned to a PAM User.

    We see the following errors:

    Any pointers would be appreciated.

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------


  • 2.  RE: Why are PAM User's Limited to 10 CM Groups?
    Best Answer

    Posted 06-19-2019 02:41 PM
    Hi Seb, Try this CLI command (UNIX syntax used here):

    ./capam_command -n <PAMhost> -u <PAMadmin> -p <password> cmdName=setSystemProperty propertyName=maxUserGroupLimit propertyValues=25

    The maximum you can set it to is 25.


  • 3.  RE: Why are PAM User's Limited to 10 CM Groups?

    Posted 06-19-2019 02:41 PM
    Hi Seb, you should be able to increase the limit with the following CLI command (UNIX syntax used here). Note that you cannot increase it beyond 25. If you don't provide the password as parameter, you will get prompted for it.

    ./capam_command -n <PAMhost> -u <PAMadmin> -p <password> cmdName=setSystemProperty propertyName=maxUserGroupLimit propertyValues=25


  • 4.  RE: Why are PAM User's Limited to 10 CM Groups?

    Posted 06-19-2019 03:16 PM
    Edited by Sebastiano Alighieri 06-19-2019 03:40 PM
    Cheers mate,

    I have made the change as suggested and it worked.

    Thank you.

    You can already anticipate the question, but why only 25?

    Also, is that a system-wide change, or do I need to run it on every primary node?

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------



  • 5.  RE: Why are PAM User's Limited to 10 CM Groups?

    Posted 06-19-2019 06:29 PM
    The limit was introduced several years ago to resolve a problem encountered when there was no limit. Details are no longer available.
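
A pre-migration check for the design described in the first post, as an added example that is not part of the thread and is not vendor code: it counts how many CM groups each user would receive (one per PK container and role) and flags users above the default limit of 10 or above the maximum of 25 mentioned in the answers. The ACL export format, the group naming scheme, and the user and container names are assumptions made for illustration.

```python
from collections import defaultdict

DEFAULT_LIMIT = 10  # CM groups per user before the change, as reported in the thread
MAX_LIMIT = 25      # highest maxUserGroupLimit value, per the answers in the thread
ROLES = ("Limited_Admins", "Approvers", "Requestors")  # PK container roles from the post


def cm_groups_per_user(acl_rows):
    """Map each user to the distinct CM groups the design would assign.

    acl_rows: iterable of (user, pk_container, role) from a PK ACL export
    (the export format is an assumption; adapt the parsing to the real one).
    """
    groups = defaultdict(set)
    for user, container, role in acl_rows:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r} for {user} in {container}")
        # One CM group per (container, role); the naming scheme is hypothetical.
        groups[user].add(f"{container}:{role}")
    return groups


def classify(acl_rows):
    """Return {user: (group_count, status)} against the default and maximum limits."""
    report = {}
    for user, groups in cm_groups_per_user(acl_rows).items():
        count = len(groups)
        if count <= DEFAULT_LIMIT:
            status = "ok"
        elif count <= MAX_LIMIT:
            status = "needs-raised-limit"
        else:
            status = "exceeds-max"
        report[user] = (count, status)
    return report


def sample_rows():
    """Constructed sample data: user and container names are made up."""
    rows = [("alice", f"C{i:02d}", "Requestors") for i in range(8)]
    rows.append(("alice", "C00", "Requestors"))  # duplicate row, counted once
    rows += [("bob", f"C{i:02d}", r) for i in range(6) for r in ROLES[1:]]
    rows += [("carol", f"C{i:02d}", r) for i in range(9) for r in ROLES]
    return rows


if __name__ == "__main__":
    for user, (count, status) in sorted(classify(sample_rows()).items()):
        print(f"{user:6} {count:3} {status}")
```

Users reported as "exceeds-max" cannot be accommodated by raising maxUserGroupLimit alone, so their container memberships need to be consolidated before migration.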