Dynamic Target Groups do not seem to work correctly

Document ID : KB000108643
Last Modified Date : 31/07/2018
Show Technical Document Details
Issue:
We want to segregate device accounts between 2 users of PAM.

User1 manages the device and SO accounts and User2 manages DB accounts on the same device.

Neither one can see the password of the other and both, User1 and User2 are "delegated administrators".

The field "Description 1" and Dynamic Target Groups are used as a means of doing so, as suggested by the documentation.

Thus, User1 has "password manager" role pointing to User1Dyn target group, which has been created with  the following filters:
  • Server - Description 1 contains "User1Dyn"
  • Application - Description 1 contains "User1Dyn"
  • Account - Description 1 contains "User1Dyn"
The same logic applies to User2 with the corresponding "Description 1 which will now contain "User2Dyn"

A device shared between both users has in Description 1 "User1Dyn User2Dyn".

The same applies to Target Application Description 1 field, depending on whether it is shared or not (e.g. a shared application between both accounts will contain "User1Dyn User2Dyn")

After upgrading to version 3.1.1, this logic doesn't work the same way: If User1 wants to create a new "shared" device and tries to create one Target Application, it does not show in its Target Application list, even though it is actually created. What is more: User1 can't create an account on that Target Application because it doesn't show.

This used to work in versions 2.8.X but it no longer does. Is there any way to make the logic behave like in version 2.8.X ?
Environment:
CA PAM version 3.X
Cause:
Since we created a  Target Dynamic group User1Dyn composed of Devices, Applications and Users having in Description1 User1Dyn, and a  Target Dynamic group User2Dyn composed of Devices, Applications and Users having in Description1 User2Dyn, you will  not be able to add the new accounts because of the AND condition for target accounts introduced in the definition of Target Dynamic Groups. 

The problem is that we are trying to view all applications, accounts and servers meeting a specific condition while the target account is not yet created, so it will never be able to see the records

 
Resolution:
To fix this we need to remove the Account restriction from the Target Group and then we can add the target applications & accounts successfully, later we need to add it back after accounts have been added