Can't use auto-connect after viewing a password that has a Dual Auth Password View Policy

Document ID : KB000100494
Last Modified Date : 13/06/2018
Issue:
A target account is configured with a password view policy (PVP) that requires dual authentication. The PVP itself makes no distinction between authentication for password view and authentication for auto-connect, yet in practice an approval covers only one type of password access. While a request is approved for password view, the account cannot be used for auto-connect, and vice versa.
Steps to reproduce:
1. Create a Password View Policy that has Dual Auth configured.
2. Add the Password View Policy to a target account
3. Use the target account as part of a policy for both auto-connect and password view
4. As the user of the policy you just created, log in to PAM and view the password.
5. Try auto-connect by clicking the SSH button under the Access Method column.
Result: Error message: PAM-CM-1128: Password request is only approved for View (not Auto-Connect).
Environment:
PAM 3.2, the latest release at the time of writing, or any lower release.
Cause:
By design, PAM approves a password request for one specific type of access only: a request approved for View does not grant Auto-Connect, and a request approved for Auto-Connect does not grant View.

Resolution:

This is working as designed. The main use of auto-connect is for users to be able to access a target device without having to know the credentials. In general it is not desirable to give the user access to the password when auto-connect is configured and granted. Similarly, if there is a need for password view, the expectation is that this is done for a purpose other than connecting to a target device through PAM, and the approval is for that specific purpose.

The corresponding messages, which are documented e.g. at https://docops.ca.com/ca-privileged-access-manager/3-2/EN/reference/messages-and-log-formats/pam-cm-credential-manager-messages, are consistent with the design:

PAM-CM-1128 = Password request is only approved for View (not Auto-Connect).

PAM-CM-1129 = Password request is only approved for Auto-Connect (not View).
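The following is an added illustration of the scoped-approval behaviour described above; it is a small model written for this page, not code from CA PAM, and PAM's internal data structures are not known to us. The account names, requester names, the Approval record and the no-approval message are assumptions of the model; only the PAM-CM-1128 and PAM-CM-1129 texts come from the documented messages quoted above. The point it shows is that an approval is bound to one access type, so the same approval can never satisfy the other type, and each type needs its own approved request.

```python
from dataclasses import dataclass
from enum import Enum


class AccessType(Enum):
    VIEW = "View"
    AUTO_CONNECT = "Auto-Connect"


@dataclass(frozen=True)
class Approval:
    """A dual-auth approval, recorded against one account, one requester and
    exactly one access type (hypothetical record; not PAM's own schema)."""
    account: str
    requester: str
    access_type: AccessType


# Denial texts as documented in the PAM-CM credential manager messages.
DENIED_VIEW_ONLY = "PAM-CM-1128: Password request is only approved for View (not Auto-Connect)."
DENIED_CONNECT_ONLY = "PAM-CM-1129: Password request is only approved for Auto-Connect (not View)."
# Assumed wording for the case with no approval on file at all; not a PAM message.
DENIED_NO_APPROVAL = "No approved password request on file for this account and user."


def authorize(account, requester, requested, approvals):
    """Decide whether `requester` may use `account` for `requested` access.

    Returns (allowed, message). An approval is only honoured for the access
    type it was granted for; holding the other type is not enough.
    """
    mine = [a for a in approvals if a.account == account and a.requester == requester]
    if not mine:
        return False, DENIED_NO_APPROVAL
    if any(a.access_type is requested for a in mine):
        return True, "Allowed"
    # Every approval on file is for the other access type, so pick the
    # denial message that names what the requester actually holds.
    if requested is AccessType.AUTO_CONNECT:
        return False, DENIED_VIEW_ONLY
    return False, DENIED_CONNECT_ONLY


def reproduce_kb_scenario():
    """Walk through the steps from the 'Steps to reproduce' section.

    Constructed sample data: 'alice' holds a View approval for 'dbadmin@host1'.
    Returns the decision for View, the decision for Auto-Connect with only the
    View approval, and the decision once a separate Auto-Connect approval exists.
    """
    approvals = [Approval("dbadmin@host1", "alice", AccessType.VIEW)]
    view = authorize("dbadmin@host1", "alice", AccessType.VIEW, approvals)
    connect = authorize("dbadmin@host1", "alice", AccessType.AUTO_CONNECT, approvals)
    # A second, separately approved request for the other access type is
    # what the model requires; this is an assumption about the workflow.
    approvals.append(Approval("dbadmin@host1", "alice", AccessType.AUTO_CONNECT))
    connect_after = authorize("dbadmin@host1", "alice", AccessType.AUTO_CONNECT, approvals)
    return view, connect, connect_after


if __name__ == "__main__":
    for allowed, message in reproduce_kb_scenario():
        print("ALLOW" if allowed else "DENY ", message)
```

Running the block prints an allow for the password view, the PAM-CM-1128 denial for the auto-connect attempt that relies on the View approval, and an allow once an Auto-Connect approval of its own is on file. The mirror case, a user holding only an Auto-Connect approval who then tries to view the password, falls through to PAM-CM-1129 in `authorize`.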

If you have a business need for approvals that cover both types of account password use, please raise an idea on the PAM community site https://communities.ca.com/community/ca-security/ca-privileged-access-management . As of June 6, 2018 we don't see an open idea specifically for the issue discussed here.