Some users have lost access to resources after upgrading from PAM 3.5 to 3.6

  • 7024201
  • 23-Oct-2019
  • 23-Oct-2019

Environment

Privileged Account Manager 3.6

Situation

After upgrading to PAM 3.6, some users have lost their access to resources; the policy is no longer visible to those users in the Console.
PAM has been integrated with an external Directory Service such as Active Directory (AD) or Advanced Authentication (AA).
These users are granted authorization by cmdctrl via user groups applied to rule conditions.
These users are explicitly added to the membership of the group from the context of PAM (e.g. 'user' has been entered into the 'Users' field of the 'User Group' in PAM).
Users authorized via external group membership matching are not affected (e.g. 'user' is a member of an external LDAP group, and the group's FDN context has been entered into the 'Users' field of the 'User Group' in PAM).
For more context regarding the behavior seen, please refer to the Additional Information section below.

Resolution

There has been a change in how user name matching is being handled in PAM 3.6 when providing explicit user names in the User Groups of PAM. To better support multi-domain environments in this context, PAM now considers the domain name of the user before authorizing access via cmdctrl policies (e.g. Domain\User).

If any User Groups are configured for direct user name matching, they will need to be updated appropriately so that the intended user's domain name is also included. For example, if a User Group in PAM 3.5 was configured so that the 'Users' field contained 'usera', then in PAM 3.6, it should be corrected to 'domain\usera' so that it is more explicit or '*\usera' to permit any domain context.

Alternatively, consider another configuration approach where an external group match is performed instead, so that the user's group membership is considered rather than explicitly providing user names in this field.
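The following is an added illustration, not PAM's own code: it models the matching behaviour this article describes (3.5 compared the bare user name; 3.6 requires a 'domain\user' entry, with '*' permitting any domain) and includes a helper that audits a User Group's 'Users' entries before an upgrade, flagging bare user names that will stop matching and suggesting the corrected form. The entry formats, case-insensitive comparison and the heuristic for recognising external group FDNs are assumptions made for the example.

```python
"""Model of the PAM 3.5 -> 3.6 user-name matching change (illustration only).

Assumptions (not taken from PAM documentation):
  - a 'Users' entry is either a bare name ('usera'), a domain-qualified
    name ('CORP\\usera' or '*\\usera'), or an external group FDN
    ('cn=admins,dc=example,dc=com');
  - names and domains compare case-insensitively, as they do in AD.
"""


def _is_group_fdn(entry):
    # Heuristic: LDAP FDNs carry '=' separated attribute/value pairs.
    # Group-based authorization is unaffected by the 3.6 change.
    return "=" in entry


def matches_35(entry, domain, user):
    """3.5 behaviour as described: the domain is ignored, only the
    bare user name is compared."""
    if _is_group_fdn(entry):
        return False
    name = entry.split("\\", 1)[-1]
    return name.casefold() == user.casefold()


def matches_36(entry, domain, user):
    """3.6 behaviour as described: the entry must carry a domain part;
    '*' permits any domain, a bare entry never matches."""
    if _is_group_fdn(entry) or "\\" not in entry:
        return False
    entry_domain, entry_user = entry.split("\\", 1)
    domain_ok = entry_domain == "*" or entry_domain.casefold() == domain.casefold()
    return domain_ok and entry_user.casefold() == user.casefold()


def audit_users_field(entries, default_domain=None):
    """Return (entry, suggested_replacement) pairs for every bare user
    name in a User Group's 'Users' field. With a default_domain the
    suggestion is explicit ('domain\\user'); otherwise '*\\user'."""
    findings = []
    for entry in entries:
        if _is_group_fdn(entry) or "\\" in entry:
            continue  # group FDN or already domain-qualified: unaffected
        prefix = default_domain if default_domain else "*"
        findings.append((entry, f"{prefix}\\{entry}"))
    return findings


if __name__ == "__main__":
    # Constructed sample 'Users' field contents for a single User Group.
    users_field = ["usera", "CORP\\userb", "*\\userc", "cn=admins,dc=example,dc=com"]
    for entry in users_field:
        print(f"{entry:30} 3.5={matches_35(entry, 'CORP', 'usera')!s:5} "
              f"3.6={matches_36(entry, 'CORP', 'usera')!s}")
    for bare, fixed in audit_users_field(users_field, default_domain="CORP"):
        print(f"update '{bare}' -> '{fixed}'")
```

Run the audit over each User Group configured for direct user matching before upgrading; entries that come back with a suggestion are the ones that will silently stop authorizing after the move to 3.6.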

Cause

Configured groups where 'user' is simply provided will not be considered authorized by cmdctrl policies in PAM 3.6 because the domain of the user is now considered. An explicit approach is now preferred.

Additional Information

For more context regarding the situation behavior, please see the table below:

User Syntax *        3.5      3.6
user                 ✓
domain\user          n/s      ✓
*\user               n/s      ✓

* Input provided in the 'Users' field of the User Group in PAM when configured for direct user matching.
Note: A check-mark indicates that the input syntax authorizes the user for access when applied to an appropriate cmdctrl policy; an empty cell indicates that it does not. 'n/s' marks a cell whose value is not stated elsewhere in this article.