Symantec Privileged Access Management


 About capam_command

MARUBUN SUPPORT posted Jul 12, 2024 01:36 AM
Hi Team,
We have received a question from a customer, so please confirm it.
 
[Product name]
CA Privileged Access Manager
 
Please confirm the specifications for obtaining PAM application data using the following command:
"D:\tools\aslic\request_data\capam_command"
 
Question 1
Are there any restrictions, such as size limits, on the log file output by this command?
 
Question 2
Is it possible to specify an option that specifies the application date of the data to be obtained?
If possible, please tell us the name of the option. It would be very helpful if you could attach an example of execution.
 
Question 3
Is it possible to check the application data obtained by this command from the PAM management console?
If possible, please tell us how to check.
Thanks,
Broadcom Employee Ralf Prigl  Best Answer

A1: This command does not write a log file. If the question is meant to ask about the size of the returned data, there is no limit.

A2: Remote CLI commands are listed under documentation page Credential Manager CLI Commands. Each command has a documentation page that lists required and optional parameters. Sample commands are provided as well.

A3: I don't understand where the PAM Management Console would come in here. I can only guess that maybe you didn't mean to refer to the management console at all, but to the PAM UI. Remote CLI calls typically return a list of objects, such as target accounts. You can edit an account in the UI and compare its properties to what the remote CLI call returned for this particular account.

MARUBUN SUPPORT

The customer has an additional question.

-
> A1: This command does not write a log file. If the question is meant to ask about the size of the returned data, there is no limit.

I believe this command extracts application data from a database and outputs it, but are there any limitations on that database?
The application data extracted from this command never exceeds 10,000 items, and any data exceeding that number does not appear to be recorded.

-

The customer is outputting logs.
However, they are outputting old logs, but not recent logs.
Therefore, they are asking if there is a limit to the size of the data output.

Thanks,

Broadcom Employee Ralf Prigl

For commands where there is a potential to return a very large set of data that the requesting application may not be able to handle, paging is enabled. E.g. if you look at the documentation page for command searchTargetAccount, you can see that it allows you to define parameters Page.Number and Page.size with default values of "1" and "10000". If you don't set these parameters explicitly, you will get the first 10000 items, sorted according to the Sort.Property and Sort.Direction parameters. As documented on that page as well, the default sorting is by ID and in ascending order, which implies that the 10000 oldest target accounts will be returned.

MARUBUN SUPPORT

Hi Ralf,

Thank you for your help.

Please let me ask you a question.

I checked the Techdoc (https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-7/programming/credential-manager-remote-cli-and-java-api/credential-manager-cli-commands/searchtargetaccount.html).

Can we change the default value for Page.Size (10000)?

If it is possible, please let me know how to change the default value.

Best regards,

Marubun,

Broadcom Employee Ralf Prigl

No, the default values are hardcoded for each command. Specifying Page.Size=0 should retrieve all items, but has the risk of running into Out-Of-Memory errors if the result set is very large.
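The paging behaviour described in the two replies above, as an added example that is not part of the original posts and is not Broadcom code: it walks Page.Number with a bounded Page.Size instead of relying on the default page or on Page.Size=0. The `Runner` callable, the integer record IDs and the `make_fake_pam` backend are assumptions constructed for illustration; the real output format of capam_command is not shown in this thread.

```python
from typing import Callable, Iterator, List

# Hypothetical runner: takes CLI arguments, returns the record IDs of one page.
# A real one would invoke capam_command and parse its output (not shown here).
Runner = Callable[[List[str]], List[int]]

def page_args(cmd_name: str, number: int, size: int, direction: str = "asc") -> List[str]:
    """Build the paging and sort arguments named in the thread."""
    return [f"cmdName={cmd_name}", f"Page.Number={number}",
            f"Page.Size={size}", f"Sort.Direction={direction}"]

def iter_all(run: Runner, cmd_name: str, size: int = 1000,
             max_pages: int = 100_000) -> Iterator[int]:
    """Yield every record page by page so no single call holds the full set."""
    if size <= 0:
        raise ValueError("use a bounded Page.Size; 0 requests everything at once")
    for number in range(1, max_pages + 1):
        batch = run(page_args(cmd_name, number, size))
        yield from batch
        if len(batch) < size:   # a short (or empty) page marks the end
            return
    raise RuntimeError("page limit reached before the result set ended")

def make_fake_pam(total: int) -> Runner:
    """Constructed stand-in backend: IDs 1..total, defaults as stated in the thread."""
    def run(args: List[str]) -> List[int]:
        opts = dict(a.split("=", 1) for a in args)
        number = int(opts.get("Page.Number", "1"))
        size = int(opts.get("Page.Size", "10000"))
        ids = list(range(1, total + 1))
        if opts.get("Sort.Direction", "asc") == "desc":
            ids.reverse()
        if size == 0:           # modelled on "should retrieve all items"
            return ids
        start = (number - 1) * size
        return ids[start:start + size]
    return run

def newest_seen(total: int):
    """Compare the default single call with a full paged walk."""
    run = make_fake_pam(total)
    default_page = run(["cmdName=searchTargetAccount"])
    paged = list(iter_all(run, "searchTargetAccount"))
    return max(default_page), max(paged), len(paged)

if __name__ == "__main__":
    print(newest_seen(25_000))
```

With 25,000 constructed records, the default call stops at ID 10000 while the paged walk reaches the newest record, which matches the "old logs but not recent logs" symptom reported earlier in the thread.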

MARUBUN SUPPORT
Hi Ralf,
 
Thank you for your help.
The customer has an additional question.
Q1
I'm going to change the sort order of searchPasswordViewRequest from desc (descending) to asc (ascending) and try executing it.
I believe the way to specify command options is to enclose them in " (double quotes), but is that correct?
I think it's correct to add "Sort.Direction=asc" after the command, but I'd like your opinion.
... cmdName=searchPasswordViewRequest "Sort.Direction=asc" ...
Q2
About Sort.Property
By default, it is sorted by PasswordViewRequest.status, but what does "status" mean?
What does this status mean, and what operations change this status?
-
Best regards,
Broadcom Employee Ralf Prigl

Yes, the Sort.Direction parameter is right, as documented. The various status values are listed with the listPasswordViewRequestByAccount command. What operation changes the status should be evident from the status name. E.g. it changes to Approved when an approver approves the request. See also the Status column in UI pages such as Credentials > Workflow > All Requests.