Symantec Privileged Access Management

View Only

Failed to change super user's email address

MARUBUN SUPPORT posted Jun 10, 2025 05:01 AM

Hi Team,

We received the following question from an end user.

The end user is using 4.1.7(EOS) and has encountered PAM-CMN-5517.
Does this error also apply if the user changes their email address?

Also, the manual says that PAM-CMN-5517 was fixed in 4.1.5.
Is PAM-CMN-5517 an error that still occurs in 4.1.5 and later?

The error occurred when an end user changed the email address of the super user with the role "Global Administrator".

Product
PAM v4.1.7

Problem
-
When I tried to change the email address set for the super user, the following error occurred and I was unable to make the change.

"PAM-CMN-5517: The user cannot be changed because the approver role in the password display policy approval process is assigned to the user."

Please tell me the cause and solution.
(Are there any problems if an invalid email address is set for the super user?)
-

The solution to this would be the following:

> https://community.broadcom.com/question/regarding-errors-that-occur-when-modifying-a-user

Thanks,

Broadcom Employee Ralf Prigl posted Jun 10, 2025 04:57 PM

Hello, There was a specific problem with super user updates that is fixed in 4.1.8 and 4.2.1+ only.

MARUBUN SUPPORT posted Jun 12, 2025 02:53 AM

Would this problem be fixed by updating to 4.1.8 or 4.2.1 or later?
(... I confirmed that the problem occurs in 4.1.7, and that updating the PAM to 4.2.0(.826) resolves it.)

Also, if this is a known problem, is there a DE number or manual that mentions it?
Or is this an issue that has been identified internally?

Broadcom Employee Ralf Prigl posted Jun 12, 2025 03:25 PM

4.1.8 has reached EOS and nobody should upgrade to that release at this time. Upgrade to 4.2.1 should resolve the problem. The related item on page Resolved Vulnerabilities and Issues in 4.2.1 is the following, but admittedly the description does not make that clear:

35397593

DE608872

User groups are not refreshed due to dual authorization.

That code change made for that defect is not in 4.2.0, but there was a comment saying that the problem was not reproduced with 4.2.0.

MARUBUN SUPPORT posted Jun 16, 2025 04:42 AM

The customer is planning to update to 4.2.1 or later.

The server for the current email address will be lost, so the currently set email address will become an invalid email address.
If an invalid email address is set as the super user, what kind of impact will this have?

Thanks,

Broadcom Employee Joseph Fry posted Jun 16, 2025 09:40 AM

If an invalid email address is set as the super user, what kind of impact will this have?

Other than emails sent to that user not getting delivered anywhere... there is no technical impact. Obviously, if the super account is used as an approver, or if you have configured email self on login enabled, those emails will never arrive. Otherwise PAM should continue to function normally; there is no dependency upon successful email delivery (eg One Time Password/two factor).