Application SSO is not authorized when cmdctrl rule is placed as a child in hierarchy

  • 7023299
  • 23-Aug-2018
  • 13-Nov-2019

Environment

Privileged Account Manager 3.5

Situation

Application SSO does not work when the cmdctrl application rules are placed as children of a parent cmdctrl rule:

> Rules
  > Application SSO - "Works"

> Rules
  > Parent rule without any condition criteria
    > Application SSO - "Does not work"


Application Single Sign-On (AppSSO): Remote App and Direct Access Modes

Remote App Mode:
Launching an Application SSO session from the User Console (MyAccess) reports the following:
FAILED TO LAUNCH THE SESSION
You are not authorized to access this remote desktop session

Direct Access Mode:
Run as privileged user launches app, but does not auto-fill privileged credentials.

Resolution

Application SSO requires that any parent rule(s) in Command Control have the following configuration:

  • Rule Condition: "command IN Application SSO"
  • Modify the rule so that "Application SSO" checkbox has "Yes" selected

This has since been resolved in PAM 3.6.0.1:


Cause

AppSSO places requirements on parent rules in the Command Control hierarchy.

Additional Information

Example pseudocode for the parent rule(s):

Begin Rule :Application SSO
IF (command IN Application SSO)
THEN
       Set Application SSO : yes

       < Child AppSSO rules contained here >

END IF
END RULE :Application SSO
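
The parent-rule requirement from the Resolution can be checked across a whole hierarchy before users hit the authorization failure. The following is an added example, not code from Privileged Account Manager: the `Rule` model, the `audit` function and the sample trees are hypothetical and constructed here, and the condition is assumed to be compared as plain text.

```python
# Added example: this rule-tree model is hypothetical, not PAM's own format.
from dataclasses import dataclass, field

REQUIRED_CONDITION = "command IN Application SSO"  # condition from the Resolution


@dataclass
class Rule:
    name: str
    condition: str = ""     # rule condition text; empty when none is set
    app_sso: bool = False   # "Application SSO" checkbox set to "Yes"
    children: list = field(default_factory=list)


def parent_ok(rule):
    """True when a parent rule has both settings the Resolution lists."""
    return rule.condition.strip() == REQUIRED_CONDITION and rule.app_sso


def audit(rules, ancestors=()):
    """List (path, non-compliant parents) for each leaf AppSSO rule that
    has at least one parent missing the condition or the checkbox."""
    findings = []
    for rule in rules:
        if rule.app_sso and not rule.children:
            bad = [a.name for a in ancestors if not parent_ok(a)]
            if bad:
                path = " > ".join([a.name for a in ancestors] + [rule.name])
                findings.append((path, bad))
        findings.extend(audit(rule.children, ancestors + (rule,)))
    return findings


# Constructed sample hierarchies mirroring the Situation section.
TOP_LEVEL = [Rule("Application SSO", app_sso=True)]
NESTED_BROKEN = [Rule("Parent rule", children=[Rule("Application SSO", app_sso=True)])]
NESTED_FIXED = [Rule("Parent rule", REQUIRED_CONDITION, True,
                     [Rule("Application SSO", app_sso=True)])]

if __name__ == "__main__":
    for label, tree in (("top level", TOP_LEVEL), ("nested, bare parent", NESTED_BROKEN),
                        ("nested, fixed parent", NESTED_FIXED)):
        print(label, "->", audit(tree) or "no findings")
```

Each finding names the AppSSO rule's path and the parent rules that still need the condition and the checkbox.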