PAM REST API not returning roles as expected

  • Question

  • I'm having trouble getting the MIM Privileged Access Management Example Portal working. It seems to be caused by the REST API.

    When trying to retrieve the roles in PAM I get the following result:

    PS C:\Windows\system32> invoke-webrequest -Uri 'http://localhost:8086/api/pamresources/pamrequests' -UseDefaultCredentials -Method get


    StatusCode        : 200
    StatusDescription : OK
    Content           : {
                          "odata.metadata":"http://localhost:8086/api/pamresources/%24metadata#pamrequests","value":[

                          ]
                        }
    RawContent        : HTTP/1.1 200 OK
                        Pragma: no-cache
                        DataServiceVersion: 3.0
                        Persistent-Auth: true
                        Access-Control-Allow-Credentials: true
                        Access-Control-Allow-Headers: content-type
                        Access-Control-Allow-Origin: http...
    Forms             : {}
    Headers           : {[Pragma, no-cache], [DataServiceVersion, 3.0], [Persistent-Auth, true],
                        [Access-Control-Allow-Credentials, true]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : mshtml.HTMLDocumentClass
    RawContentLength  : 110

    As is seen in the Content, there are no roles, but when running Get-PAMRole, I get the roles as expected:

    PS C:\Windows\system32> Get-PAMRole | select displayname

    DisplayName
    -----------
    CorpAdmins
    TFCAdmins
    WSAdmin

    Any ideas?

    Wednesday, May 10, 2017 1:10 PM

All replies

  • Hello,

    Your REST request is querying the PAM requests you already made (the elevations), not the roles you are a candidate for.

    So you need to call the /api/pamresources/pamroles endpoint.

    https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/privileged-access-management-get-roles

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Wednesday, May 10, 2017 2:37 PM
  • Hi, thank you for your reply.

    Unfortunately the result is similar when querying for pamroles:

    invoke-webrequest -Uri 'http://localhost:8086/api/pamresources/pamroles' -UseDefaultCredentials -Method get


    StatusCode        : 200
    StatusDescription : OK
    Content           : {
                          "odata.metadata":"http://localhost:8086/api/pamresources/%24metadata#pamroles","value":[

                          ]
                        }
    RawContent        : HTTP/1.1 200 OK
                        Pragma: no-cache
                        DataServiceVersion: 3.0
                        Persistent-Auth: true
                        Access-Control-Allow-Credentials: true
                        Access-Control-Allow-Headers: content-type
                        Access-Control-Allow-Origin: http...
    Forms             : {}
    Headers           : {[Pragma, no-cache], [DataServiceVersion, 3.0], [Persistent-Auth, true],
                        [Access-Control-Allow-Credentials, true]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : mshtml.HTMLDocumentClass
    RawContentLength  : 107

    Wednesday, May 10, 2017 2:49 PM
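
A diagnostic sketch for the two situations in this thread, added here and not part of the original posts: it checks which OData collection a response body actually belongs to (pamrequests versus pamroles) and lists which roles reported by Get-PAMRole are missing from the REST result. The function name Compare-PamRoleVisibility is hypothetical, the sample body is constructed from the output shown above, and a DisplayName field on REST role objects is an assumption based on Microsoft's PAM REST API reference.

```powershell
# Added example; Compare-PamRoleVisibility is a hypothetical helper, not a MIM cmdlet.
function Compare-PamRoleVisibility {
    param(
        [Parameter(Mandatory)] [string] $RestJson,   # .Content of the REST response
        [string[]] $CmdletRoleNames = @()            # DisplayName values from Get-PAMRole
    )

    $body = ConvertFrom-Json $RestJson

    # The fragment after '#' in odata.metadata names the collection that was queried.
    $collection = ($body.'odata.metadata' -split '#')[-1]
    if ($collection -ne 'pamroles') {
        Write-Warning "Response is the '$collection' collection, not 'pamroles'."
    }

    # Assumption: each role object in "value" carries a DisplayName property.
    $restNames = @($body.value | ForEach-Object { $_.DisplayName })

    # One row per role name seen on either side.
    foreach ($name in ($CmdletRoleNames + $restNames | Sort-Object -Unique)) {
        [pscustomobject]@{
            Role      = $name
            InCmdlet  = $CmdletRoleNames -contains $name
            InRestApi = $restNames -contains $name
        }
    }
}

# Constructed sample: the empty pamroles body and the role names shown in the thread.
$sampleJson  = '{"odata.metadata":"http://localhost:8086/api/pamresources/%24metadata#pamroles","value":[]}'
$sampleNames = 'CorpAdmins', 'TFCAdmins', 'WSAdmin'

Write-Host "Caller: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Compare-PamRoleVisibility -RestJson $sampleJson -CmdletRoleNames $sampleNames |
    Format-Table -AutoSize

# Live use on the PAM server, with the commands that appear in the thread:
# $json  = (Invoke-WebRequest -Uri 'http://localhost:8086/api/pamresources/pamroles' `
#               -UseDefaultCredentials -Method Get).Content
# $names = Get-PAMRole | ForEach-Object { $_.DisplayName }
# Compare-PamRoleVisibility -RestJson $json -CmdletRoleNames $names
```

Rows with InCmdlet true and InRestApi false are roles the module can see but the REST call, made as the printed caller identity, did not return.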