We have multiple LDAP user groups imported into CA PAM. Some of those groups use authentication type LDAP, others use RSA. When we add a user who had been in groups with LDAP authentication to a group with RSA authentication, the user's authentication type remains LDAP. We would like to change it to RSA, but when we edit the user, we find that the authentication type cannot be updated.
How can we control which authentication type is used for a user who is in multiple imported groups using different authentication types?
PAM Versions: All Versions as of December 2023
The authentication type cannot be changed for individual imported users, but it can be changed at the group level. To make sure all users in a group that was imported with a given authentication type use that group's authentication type to log on to CA PAM, edit the group in CA PAM, temporarily change the authentication type to something else, save the change, and then change it back to the desired type. This updates the authentication type for all users in the group. The periodic synchronization of imported groups will not change it.
Note: If a user is a part of multiple user groups, the authentication type of whichever user group was updated last is the one that is used.