Symantec Privileged Access Management

 View Only

 about PAM-CM-0161

Jump to  Best Answer
MARUBUN SUPPORT's profile image
MARUBUN SUPPORT posted Sep 17, 2024 05:04 AM
Product:
Privileged Access Manager 4.1.7
+ 4.1.7.50
Question
We have upgraded our PAM from 4.1.1 to 4.1.7 and applied hotfix 4.1.7.50.
The following error was displayed and the CA PAM client GUI would not allow us to accept or revoke password display requests.
Error: PAM-CM-0161: You do not have sufficient permissions to perform this operation.
We had configured FirecallApprover in the Authentication Manager role, so adding an additional “Sreach User Group” fixed the problem.
In this KB, it was “Get User Group”, but is “Sreach User Group” also a good solution?
https://knowledge.broadcom.com/external/article/376345/pamcm0161-you-do-not-have-sufficient-per.html
Thanks,

Ralf Prigl's profile image
Broadcom Employee Ralf Prigl  Best Answer

With the "Search User Group" privilege added the users will see page Credentials > Manage Credential Groups > Credential Groups. They cannot view any of the groups w/o Read permission. With the "Get User Group" privilege only this page is not visible to the user. Given that, adding the "Get User Group" privilege appears to be the better choice. I'm not aware of other differences.

Ralf Prigl's profile image
Broadcom Employee Ralf Prigl

Hello, Yes, the "Search User Group" privilege will also work. The first customer running into the problem used the "Get User Group" privilege and confirmed that it worked for them, so that is what is documented in the KB as a confirmed workaround.

MARUBUN SUPPORT's profile image
MARUBUN SUPPORT
Add Question
 
If I do a workaround by setting up a “Search User Group” or a “Get User Group”, will this privilege allow the user to perform any other operations?
Thanks,

MARUBUN SUPPORT's profile image
MARUBUN SUPPORT

Let me check again.

In the case of the "Get User Groups" permission, can I assume that there are no side effects?

Ralf Prigl's profile image
Broadcom Employee Ralf Prigl

I have nothing to add to my previous update, maybe somebody else has.