Add the target devices in email template sent to the approver

Document ID : KB000113607
Last Modified Date : 12/09/2018
Introduction:
An approver may expect the e-mail to include the hostname of the device that the user will access, but this works differently.
This sample shows an e-mail received by an approver to approve access for user account s-pam-iotnetmgmt to access the server brvix5vaotvs001.mydomain.net. Notice that the hostname of this device is not shown in the e-mail body:

Subject: Password View Request for target account s-pam-iotnetmgmt

Body:

Do not reply to this email.

A password view request has been submitted with the following details:

Requestor : spider.man@domain.com
Requested Account: s-pam-iotnetmgmt
Requested Account Target Application Name: brqsb1domaindc001-wds
Requested Account Target Server: brqsb1domaindc001.domainnet.domainglobal.net
Requested Account Target Device Name: brqsb1domaindc001.domainnet.domainglobal.net
SSO Type: Any
Request Reason: Other (Teste)
Start Date: 2018-08-08 18:43 BRT
End Date: 2018-08-08 20:43 BRT

Click here to Approve this Request

Click here to Deny this Request

Note that the fields that refer to the device and hostname contain only the domain controller, not the endpoint that the user needs to access.
Environment:
PAM 3.2
Device RDP
Integrated with MS-AD
Instructions:
When you go to the target accounts page in Password Management, you will see columns Account Name, Application Name, Host Name and Device Name. These will be the ones that are shown in the request emails. 

For a domain account pulled into Password Management e.g. by a Windows Domain Services target connector, the target device would be the device associated with the WDS target connector application. 

In your email the account comes from the "accountname" device, which I assume is your domain controller. 

This is working as designed. A password view request is in the context of the target account. For a given account there is only one password to view. Once you have the password view request approved, you can use that account to log on to any device accessible with this account, because you have access to the account's password.

Basically, you have to consider that a password view request is what it says: it is not a request to access a specific target device, even though that is what your user may be trying to do at the time.

The approvers have to be aware of that, and they should be able to understand the nature of the account from the target application and target host values.