Sessions disappear from User Console page (myaccess) after configuring AAF

  • 7023181
  • 17-Jul-2018
  • 17-Jul-2018

Environment

Privileged Account Manager 3.5
Privileged Account Manager 3.2
Identity Manager (IDM) 4.7

Situation

After configuring AAF, the RDP sessions that an AD user was entitled to through IDM disappear from the User Console page (myaccess).
Logs: Error, Peer authorization error mfclient\user1@pamsrvr accessing admin.logSession

Resolution

Configure the IDM PAM driver policy so that the UserGroup member value is written as <domain>\<user> rather than <user> alone. With AAF enabled, PAM identifies the authenticated user as <domain>\<user>, so a member value of plain <user> no longer matches the user and the rules (and therefore the sessions) granted through that UserGroup are no longer applied.
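As an added illustration (not from the original article and not one of the PAM driver's shipped policies), a DirXML-Script rule of the kind the resolution describes, intended for the Subscriber channel (for example the Command Transformation policy set) so that the value PAM receives already carries the domain. The class name UserGroup, the attribute name Member and the GCV name ad.domain are assumptions; substitute the names used by your driver's schema mapping and filter.

```xml
<policy>
  <rule>
    <description>Write UserGroup members as domain\user for PAM (assumed names: UserGroup, Member, ad.domain)</description>
    <conditions>
      <and>
        <!-- Only touch the PAM group class; class/attribute names are assumptions -->
        <if-class-name mode="nocase" op="equal">UserGroup</if-class-name>
        <if-op-attr name="Member" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Rewrite every Member value in the operation; current-value holds the value being reformatted -->
      <do-reformat-op-attr name="Member">
        <arg-value type="string">
          <!-- AD NetBIOS domain taken from a driver GCV named ad.domain (assumed) -->
          <token-global-variable name="ad.domain"/>
          <token-text>\</token-text>
          <token-local-variable name="current-value"/>
        </arg-value>
      </do-reformat-op-attr>
    </actions>
  </rule>
</policy>
```

The rule is unconditional: a member value that already carries a domain prefix would be prefixed a second time, so apply it only where the upstream value is the bare user name, and verify with one test user on the myaccess page before rolling it out.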

Cause

With AAF configured, PAM reads the AD user's name as <domain>\<user> instead of <user>. The UserGroup membership provisioned by the IDM driver contains only <user>, so the two do not match and the user can no longer see the policies (and sessions) assigned to him through that UserGroup. This happens only in the IDM + AAF combination.

Status

Reported to Engineering

Additional Information

Steps to Duplicate:

  1. Create a UserGroup.
  2. Create a Rule for RDP.
  3. Link the RDP session to the Rule.
  4. Log in to the myaccess page as a user and check that the RDP session is listed.
  5. Link the UserGroup to the Rule and check that the RDP session disappears from the list (the user is not yet a member of the UserGroup).
  6. Using Idmdash, create a Resource with an entitlement: select the UserGroup entitlement and choose the UserGroup created in step 1 as the entitlement value.
  7. Assign the Resource to the user and check that the RDP session is listed again.
  8. Configure AAF and enable second-factor authentication in the RDP session Rule.
  9. Notice that the RDP session is no longer listed.