Troubleshooting
Problem
While managing Guardium GUI user password with CyberArk, we are getting following insufficient privileges error in CyberArk GUI
"ErrorCode": "9",
"ErrorMessage": "update_user: User has insufficient privileges for the requested API function"
Symptom
Unable to manage Guardium GUI user password from CyberArk
Cause
CyberArk uses grdapi update_user command via RESTAPI to manage Guardium GUI user passwords.
From CyberArk log
25/06/2020 02:22:40.060 | Info -> BaseAction :: InitConfig -> Request Configuration:
https://xx.xx.xx.178:8443/oauth/token?
client_id=oauth_client1&client_secret=******&grant_type=password&username=test-user&password=******
Here, Guardium GUI user "test-user" is not a valid user, as it does not have the permissions to invoke the API functions.
Diagnosing The Problem
In the CyberArk logs, you will find the following error stack
###################################################################
25/06/2020 02:22:40.264 | Info -> BaseAction :: InitConfig -> Request Configuration:
https://xx.xx.xx.178:8443/restAPI/user Body: {"userName":"test_user","password":"******","confirmPassword":"******"}
25/06/2020 02:22:40.264 | Info -> BaseAction :: InitConfig -> END
25/06/2020 02:22:40.264 | Info -> BaseAction :: MakeRequest -> START
25/06/2020 02:22:40.264 | Info -> BaseAction :: SendHttpRequest -> START
25/06/2020 02:22:40.295 | Info -> BaseAction :: SendHttpRequest -> Response StatusCode: 200
25/06/2020 02:22:40.295 | Info -> BaseAction :: SendHttpRequest -> END
25/06/2020 02:22:40.295 | Info -> BaseAction :: ValidateCorrectResponse -> START
25/06/2020 02:22:40.295 | Info -> BaseAction :: ValidateCorrectResponse -> Body returned error: {
<strong>"ErrorCode": "9",
"ErrorMessage": "update_user: User has insufficient privileges for the requested API function "</strong>
}
25/06/2020 02:22:40.295 | Info -> BaseAction :: ValidateCorrectResponse -> END
25/06/2020 02:22:40.295 | Info -> BaseAction :: MakeRequest -> END
25/06/2020 02:22:40.295 | Info -> BaseAction :: GetErrorCodeAndMessage -> START
25/06/2020 02:22:40.295 | Info -> BaseAction :: GetErrorCodeAndMessage -> END
25/06/2020 02:22:40.295 | Info -> BaseAction :: ChangeUserPassword -> END
25/06/2020 02:22:40.295 | Info -> Change :: run -> END
####################################################################
Resolving The Problem
Please follow the steps to resolve the issue of insufficient privileges error
Step 1. Please create Guardium GUI user using accessmgr that has cli and accessmgr role
Example, we will create a Guardium GUI user 'ravi'
Step 2. Please Confirm that user can run grdapi update_user
Step 2.1. Login as guarcli1-5, in the below screenshot, we have login using guardcli5
Step 2.2. Please Set guiuser to 'ravi'
Step 2.3. Make sure grdapi update_user --help=true can be run with no error
Step 3. Please onboard the user created in Step 1 in CyberArk
In the example 'ravi' has accessmgr and cli privileges which should be on-boarded to CyberArk
To report issue related to Guardium, You can open case with IBM Technical Support in the usual manner by providing below diagnostics for further investigation.
1. Steps taken to integrate guardium_gui_user with CyberArk in a document (pdf/word)
2. support must_gather system_db_info
3. support must_gather app_issues reproducing the issue
3. support must_gather app_issues reproducing the issue
4. CyberArk logs with error
Document Location
Worldwide
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m0z000000Gp0MAAS","label":"AUTHENTICATION"}],"ARM Case Number":"TS003683405","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.5.0;10.6.0;11.0.0;11.1.0;11.2.0"}]
Was this topic helpful?
Document Information
Modified date:
11 December 2020
UID
ibm16257475