Why can't I get the LDAP device group tags saved to PAM?

Document ID : KB000103946
Last Modified Date : 03/07/2018
Introduction:
You may have noticed that tags are not stored when they belong to an imported LDAP device group.
They appear blank the next time the imported LDAP group is edited.
However, if the device group is created manually, the tags are saved properly.
Question:
Why can't I get the LDAP device group tags saved to PAM?
Environment:
Any virtual or hardware appliance running any PAM version (as of June 2018).
Answer:
According to the product's internal code, this is working as designed: tags are applied to a device group if, and only if, its provision type is LOCAL.
For other provision types, such as AWS or LDAP, the tag specification is ignored even when tags are specified, which is the behavior you observed.
Additional Information:
This is also why the tags are applied when you create the group manually but not when it comes from an LDAP import.
During import the provision type is LDAP, whereas for the manually created group you would have kept it as LOCAL.
If you specify AWS as the provisioning type when manually creating the group, you can observe that the tags have no effect even though they are specified.