Errors PAM-UI-2401, PAM-CMN-2272 and-or PAM-CM-0688 when deleting user or imported group of users
Article ID: 108544
CA Privileged Access Manager - Cloakware Password Authority (PA)PAM SAFENET LUNA HSMCA Privileged Access Manager (PAM)
When trying to remove a user (or a group of imported users) the symptoms below are encountered.
When trying to delete a single account from Users > Manage Users the following error is received at the top of the page: Error: PAM-UI-2401: Error deleting user. User <Username> cannot be deleted because of a Password Authority error.
When trying to delete a group of users from Users > Manage Groups there may or may not be any error displayed on the screen immediately, even though this looks successful some account(s) may not be deleted.
In either case above, the session logs the following error is seen: PAM-CMN-2272: User <Username> is not deleted from Password Authority. Error Message: PAM-CM-0688: The specified user is an email notifier of a password view policy and cannot be deleted. Cannot delete a password view policy email notifier.
Note: This may also be triggered by deleting an LDAP user group or any other action where a user is being deleted.
Release: Component: CAPAMX
The PAM-CM-0688 error means that the user is currently configured to be notified by one or more of your password view policies. Unfortunately, this means that all Password View Policies (PVPs) will need to be reviewed to check the Email Notifications tab and find which ones have the affected user configured in them. This user needs to be removed from each affected PVP before the user can be deleted successfully.
This error should only affect administrative accounts since lower privilege accounts cannot be defined as Email Notifiers in PAM.