IBM Security Privileged Identity Manager Issues and Limitations



This document identifies the issues and limitations and provides workarounds for IBM Security Privileged Identity Manager.


Feature Issues or Limitations
Shared access consoles
  • IBM Security Privileged Identity Manager runs into JMS issues after a database restart.
  • Incomplete results in several PCM accounts and credential audit log events.
  • Resource name is not displayed in View My Requests in the Self-service user interface (SSUI).
  • Cluster node shows incorrect dashboard status for 3-node cluster setup.
  • A username that includes the ampersand character (&) causes an ISAMESSO Account warning.
  • Unable to delete secondary organization. For a workaround on this issue, see
  • When the administrative console and Service Center are opened at the same time, logging in to the Service Center redirects it to the administrative console homepage.
  • When adding or editing credentials in the Service Center, some fields might not be compatible with Internet Explorer 10.
  • Identity Feed Service uses workflow for reconciliation. For more information, see
  • When you connect multiple credentials, View Requests shows no value in the Requested For field.
  • The IBM Security Privileged Identity Manager Service Center does not meet accessibility standards.
  • The maximum check-out duration value does not change when a new credential is added by using the default settings in the administrative console (Manage Shared Access > Configure Credential Default Settings).
  • When the credential is connected to an identity provider, the entry in the Resource Name column hyperlink is linked to the account form instead of the resource.
  • When a credential is checked out, the Check Out By column contains a hyperlink that goes to the Business Unit details page instead of the person form.
  • In the administrative console, expand Set System Security > Manage Views. The label Manage Password Providers should read Manage Identity Providers.
  • Issue: When performing an Advanced Search in the credential vault, you cannot search for other Business Units when a Business Unit is already selected.
    Workaround: Click Clear to remove the chosen Business Unit and search again to see all available Business Units.
  • Issue: Manage Access Request Workflow: Notify Activity does not have any available email templates.
    Workaround: See a more complete list of templates in Configure System > Workflow notification properties.
  • Managing privileged credentials on SoftLayer is currently not supported. See announcement.
Session recording
  • Session recording is not supported on the following versions of Internet Explorer:
    • Internet Explorer 8 or later on Windows 7 when both the browser Protected Mode and User Account Control (UAC) are enabled.
    • Internet Explorer 11 on Windows Server 2012, Windows 8.0, Windows 8.1, and Windows 10. For an updated list of web browsers and system requirements, see Detailed system requirements.
  • For applications that open multiple tabs or multiple windows under a single process, session recording is supported only when you launch a single tab or window.
Automatic check-in and check-out
  • Issue: Credential injection fails when, at the time of injection, the application that the user started is overlaid by another application or by the lease expiry window.
    Workaround: Keep focus on the application until its logon process is complete.
  • Issue: When using Remote Desktop Connection, AccessAgent offers to save the shared credentials after injecting the checked-out user name and password. This issue occurs after the PIM_Profiles.eas AccessProfile is uploaded to the IMS Server.
    Workaround: Disable the sso_site_wnd_rdp6_with_options AccessProfile.
    1. Log in to AccessAgent as an ISAM ESSO administrator.
    2. Open AccessStudio.
    3. Choose File > Import data from local AccessAgent.
    4. From the list of AccessProfiles, select sso_site_wnd_rdp6_with_options.
    5. Select the General Properties tab.
    6. Under Signatures identifying web-page or exe where this AccessProfile is to be loaded, click Remove.
    7. Right-click sso_site_wnd_rdp6_with_options.
    8. Click Upload to IMS.
  • The IBM Security Privileged Identity Manager AccessProfile for Microsoft Remote Desktop Connection RDP client does not support the injection of shared credentials at the RDP lock screen.
  • Check-out and check-in of shared credentials do not work for mainframe applications that run on z/OS® and i5 series whose logon workflow is:
    1. Inject user name.
    2. Press Tab.
    3. Inject password.
  • Multiple IBM Security Privileged Identity Manager credentials for one AccessAgent user are not supported.
  • When the user has no IBM Security Privileged Identity Manager credential in the user Wallet and starts two applications at the same time (for example, RDP and VMware vSphere Client), shared credential check-out works only for the one application in which the user enters the IBM Security Privileged Identity Manager credentials when AccessAgent prompts for them.
  • Shared access credential check-out in RDP only works when the General tab is selected.
  • Issue: Session recording fails with PuTTY 0.67.
    Workaround: Download the updated PuTTY AccessProfile.
  • Issue: Automatic check out fails on Windows 10.
    Workaround: Download the updated Remote Desktop AccessProfile.
Integration with IBM Security Access Manager
  • When integrating IBM Security Privileged Identity Manager with IBM Security Access Manager, the user ID must not contain spaces. This limitation affects the PIM Manager account.
    To address this limitation, create another account with the same role or privileges as the PIM Manager account. Perform the following steps before you enable IBM Security Access Manager fronting for IBM Security Privileged Identity Manager:
  1. Create a new user, with no spaces in the user ID, as the new system administrator user.
  2. Add the user to the System Administrator group in the administrative console.
  3. In AccessAdmin, under Administrative Policies for the user, update the role to Administrator.
Virtual appliance
  • When a user accesses the monitoring URI for the Identity service, the response has the following format: service name, time taken in milliseconds, response code.
  • In the Directory server configuration details window, the organization name and short names for the Directory Server (LDAP) cannot contain these characters: ` $ | < > &.
  • Topic: Setting up a stand-alone or primary node for IBM Security Privileged Identity Manager
    When you are specifying a custom root certificate in the Root CA Configuration page, the length of the Distinguished Name (DN) for the custom root certificate must not be longer than 128 characters. For example, CN=pim, OU=example, O=ibm, ST=cal, POSTALCODE=1067, C=US
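The three input constraints stated on this page (a user ID fronted by IBM Security Access Manager must not contain spaces, the LDAP organization name and short name must not contain ` $ | < > &, and a custom root CA DN must not exceed 128 characters) are easy to violate and only surface as failures during setup. The following pre-flight checker is an added example written for this page; it is not code from IBM or from the product. The function names, the config dictionary keys, the findings report format, and the sample configurations are this example's own constructions. It also assumes that the 128-character limit applies to the DN string as entered, in its RFC 4514 escaped form, which is why it builds the DN with proper escaping before measuring it.

```python
"""Pre-flight checks for IBM Security Privileged Identity Manager setup values.

Added example, not IBM code. Encodes three constraints from the support
document: no spaces in an ISAM-fronted user ID, no ` $ | < > & in the LDAP
organization name/short name, and a root CA DN of at most 128 characters.
"""
from __future__ import annotations

# Characters the document lists as not allowed in the LDAP organization
# name and short name.
FORBIDDEN_LDAP_ORG_CHARS = frozenset("`$|<>&")
# Maximum length of the custom root CA Distinguished Name, per the document.
MAX_ROOT_CA_DN_LENGTH = 128
# RFC 4514 section 2.4: characters that must be backslash-escaped in an RDN value.
_DN_SPECIAL = set('"+,;<>\\')


def check_isam_user_id(user_id: str) -> list[str]:
    """ISAM fronting: the user ID must not contain spaces."""
    if " " in user_id:
        return [f"user ID {user_id!r} contains a space; create a separate "
                "administrator account whose ID has no spaces"]
    return []


def check_ldap_org_name(name: str, label: str = "organization name") -> list[str]:
    """LDAP organization name / short name: none of ` $ | < > & allowed."""
    bad = "".join(sorted(set(name) & FORBIDDEN_LDAP_ORG_CHARS))
    if bad:
        return [f"{label} {name!r} contains forbidden character(s) {bad!r}"]
    return []


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for a string DN (RFC 4514): special characters,
    a leading '#' or space, and a trailing space get a backslash."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def format_dn(rdns: list[tuple[str, str]]) -> str:
    """Join (attribute, value) pairs as 'CN=pim, OU=example, ...', using the
    ', ' separator style the document's own example uses."""
    return ", ".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def check_root_ca_dn(dn: str) -> list[str]:
    """Root CA Configuration: the DN must be at most 128 characters.
    Assumption (not stated by the document): the limit is on the escaped string."""
    if len(dn) > MAX_ROOT_CA_DN_LENGTH:
        return [f"root CA DN is {len(dn)} characters; the limit is {MAX_ROOT_CA_DN_LENGTH}"]
    return []


def run_preflight(config: dict) -> list[str]:
    """Run every check over a setup config; an empty list means all checks passed.
    The dictionary keys are this example's own naming, not product settings."""
    findings: list[str] = []
    findings += check_isam_user_id(config["isam_admin_user_id"])
    findings += check_ldap_org_name(config["ldap_org_name"], "organization name")
    findings += check_ldap_org_name(config["ldap_org_short_name"], "organization short name")
    findings += check_root_ca_dn(format_dn(config["root_ca_rdns"]))
    return findings


if __name__ == "__main__":
    # Constructed sample configurations, not real deployments.
    good = {
        "isam_admin_user_id": "pimadmin",
        "ldap_org_name": "Example Corp",
        "ldap_org_short_name": "example",
        # The document's own DN example, split into RDNs (56 characters when joined).
        "root_ca_rdns": [("CN", "pim"), ("OU", "example"), ("O", "ibm"),
                         ("ST", "cal"), ("POSTALCODE", "1067"), ("C", "US")],
    }
    bad = {
        "isam_admin_user_id": "PIM Manager",       # constructed ID containing a space
        "ldap_org_name": "Example & Co",           # contains '&'
        "ldap_org_short_name": "ex$",              # contains '$'
        "root_ca_rdns": [("CN", "pim"), ("OU", "unit-" + "x" * 120), ("C", "US")],
    }
    for label, cfg in (("good", good), ("bad", bad)):
        findings = run_preflight(cfg)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run the script before starting appliance setup or enabling ISAM fronting; any finding corresponds to a limitation above and should be resolved in the input values rather than worked around after deployment.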

Document information

More support for: IBM Security Privileged Identity Manager

Software version: 2.0.0, 2.0.1, 2.0.2

Operating system(s): Platform Independent

Reference #: 1981798

Modified date: 24 March 2017