Symantec Privileged Access Management


 Is it possible to specify target group settings using wildcards?

MARUBUN SUPPORT posted Jan 19, 2024 03:57 AM
Hi Team,
 
Product
CA Privileged Access Manager
 
We use a scheduled job to change the passwords of target accounts every Sunday.
In the target account, the IP address of the device and the account are set as "notcontains Administrator".
 
I would like to exclude multiple accounts from a scheduled password update job.
This account is a common user that starts with 30 and has a - in between.
Example: 3011-AB
 
 
Question
Is it possible to set users as wildcards in the target group account settings?
 
For example, I would like to set it to "30**-**" so that other users are not included.
 
 
 
Thanks,
Broadcom Employee Ralf Prigl

Hello, no, that's not possible. The filters are evaluated as literal strings, not as regular expressions. We recommend using one of the descriptor fields to group accounts as desired, and then filtering on the descriptor.

MARUBUN SUPPORT

Hello,

We have additional questions for you to answer.
1. The account and application descriptors in the authentication information are like tags, 
   so am I correct in assuming that there is no difference between the application and account descriptors?
 
2. In the target group settings, there are "Target Application" and "Target Account".
    Is it correct to understand that the AND result of "Target Application" and "Target Account" is targeted?

Best regards,

Broadcom Employee Ralf Prigl

Hello, I don't understand the first question. Target applications and accounts are different objects and have their own description fields. What does "authentication information" refer to? For the second question you are correct as far as target accounts are concerned. If both target application and target account filters are defined, then only accounts satisfying both filters are included. But the list of target applications in the group only depends on the application filter, i.e. an application will be a member of the group even if there is no account associated with it that satisfies the account filter.
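The filter semantics described in the answers above, as a small Python model added here for illustration (not Broadcom's code and not written by either poster): filters compare literal strings, account membership is the AND of the application and account filters, and application membership depends on the application filter alone. The class names, the `descriptor1` field, the `no-rotate` tag and all sample data are assumptions, and the model compares case-sensitively.

```python
from dataclasses import dataclass

# Operators named in the thread; each compares literal text (no wildcards, no regex).
OPS = {
    "equals": lambda value, arg: value == arg,
    "beginswith": lambda value, arg: value.startswith(arg),
    "endswith": lambda value, arg: value.endswith(arg),
    "notcontains": lambda value, arg: arg not in value,
}

@dataclass(frozen=True)
class Application:  # hypothetical stand-in for a target application
    name: str
    descriptor1: str = ""

@dataclass(frozen=True)
class Account:  # hypothetical stand-in for a target account
    name: str
    application: Application
    descriptor1: str = ""

def matches(obj, filters):
    """Every (field, operator, literal) filter must hold for the object."""
    return all(OPS[op](getattr(obj, field), arg) for field, op, arg in filters)

def resolve_group(apps, accounts, app_filters, account_filters):
    """Return (application names, account names) of the modelled group."""
    # Applications are selected by the application filter only.
    member_apps = [a for a in apps if matches(a, app_filters)]
    # Accounts need a matching application AND must pass the account filter.
    member_accounts = [acc for acc in accounts
                       if acc.application in member_apps and matches(acc, account_filters)]
    return [a.name for a in member_apps], [acc.name for acc in member_accounts]

# Constructed sample data: two applications, four accounts on the first one.
WIN = Application("win-server-01")
LNX = Application("linux-db-01")
APPS = [WIN, LNX]
ACCOUNTS = [
    Account("Administrator", WIN),
    Account("svc-backup", WIN),
    Account("3011-AB", WIN, descriptor1="no-rotate"),
    Account("3042-XY", WIN, descriptor1="no-rotate"),
]

APP_FILTER = [("name", "endswith", "-01")]
WILDCARD_ATTEMPT = [("name", "notcontains", "Administrator"), ("name", "notcontains", "30**-**")]
DESCRIPTOR_FILTER = [("name", "notcontains", "Administrator"), ("descriptor1", "notcontains", "no-rotate")]
print(resolve_group(APPS, ACCOUNTS, APP_FILTER, WILDCARD_ATTEMPT))
print(resolve_group(APPS, ACCOUNTS, APP_FILTER, DESCRIPTOR_FILTER))
```

With the wildcard-style literal the 30xx accounts stay in the rotation group, while the descriptor filter removes them; `linux-db-01` is a group member in both cases although none of its accounts match.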

MARUBUN SUPPORT

Hi,

Correct.

The account and application descriptors in the credentials are like tags.
Are you sure that there is no difference between application and account descriptors?

Best regards,

Broadcom Employee Ralf Prigl

Again, I don't understand your question. The descriptors are text field attributes that you can populate in credential management objects such as target accounts and target applications. Each object has its own descriptor values. If you set different values, they will be different. If you set the same values, they will be the same. Why is that subject to discussion?

MARUBUN SUPPORT

Hi,

We have received additional questions from our customers.

---
What does "own" in "own descriptor value" mean in the answer you received previously?
I didn't know what it was showing, so I checked to see if there was a value that could be specified.
 
 
Since it is a text field attribute, I am thinking of using it by setting "Password not updated", but even if I specified the filter "notcontains", I did not get the expected result, so I set the condition to the specified value. I am wondering if there is.
 
Regarding "If you set different values, they will be different. If you set the same values, they will be the same.", "What" will result in different values when different values are set in "descriptor"?
Or is it the result of a filter?
 
---
 
This question came up because a customer of ours had set up a filter and the results were not what they expected.
In the manual filter settings, if the group is static, only "equals" is valid.
Our customer found that setting the filter to "beginswith/endswith" produced the expected results.
Therefore, we believe that the target group is not a static group.
When "equals" is set, the filtered result will be the specified value. 
When "beginswith & endswith" is set, the filtered result will be the specified value. 
When "notcontains" was set, the filtered results did not match the specified value.
 
* "equals" and "notcontains" are set to the same 'Password not updated'.
Is there an example of what settings should be made for notcontains?

Thanks,

Broadcom Employee Ralf Prigl

Sorry, but I can't make sense of this any longer. A static group by definition has no filters. I suspect a lot gets lost in translation. Please open a Support case and discuss whatever problem you think you have with a local Support engineer on a call.