-
Title
After Migration to TPAM 2.5, CLI Users can not retrieve passwords. -
Description
Prior to migrating to TPAM 2.5, a CLI User ID could retrieve passwords. Using the same CLI command used with TPAM 2.4, this CLI account can no longer retrieve passwords in the new TPAM 2.5 Appliance.
Depending on the command and UserID permissions, the error "You are not authorized to perform this operation" may be seen.
-
Cause
In TPAM 2.5 the syntax of the CLI 'Retrieve' command has changed; the option '-RequestID' is now required.
In prior versions of TPAM, a User ID with Requestor permissions could retrieve a password without the "Request | Approve | Retrieve" process that a GUI requestor would use.
This has changed in TPAM 2.5, and a CLI User ID with Requestor permissions will also need to be authorized to retrieve a password by having an approved Request ID (or have ISA Permissions for the account).
-
Resolution
When using the 'Retrieve' CLI command in TPAM 2.5, note that the option "--RequestID" is required for regular requests; if the caller has ISA permissions then the system and account name must be provided instead of the RequestID.
From the TPAM 2.5 Administration Guide regarding the 'Retrieve' CLI command:
The CLI User ID must be authorized to retrieve the password, by either having ISA permissions for the account or having an approved Request ID.
Further information regarding the '--RequestID' option:
The RequestID must be an approved password release request and the
caller must be the requestor. If the caller has ISA permissions the
system and account name must be supplied instead of the requestID.