At the console the user receives this message: 

   You (tibco) are not allowed to access to (crontab) because of pam configuration.

seaudit log shows a denial based on the Surrogate rule indicating no such rule

   28 Jan 2020 14:46:16 D SURROGATE    tibco      Read       69  2 USER.root            /usr/bin/crontab     lvntest004437 (OS user)        tibco

seos protects UID impersonation through the SURROGATE rule. The crontab executable uses a SETUID flag to allow users to use cron jobs as root user. This change in the UID is flaged and protected

[[email protected] ~]$ ls -la /usr/bin/crontab

-rwsr-xr-x. 1 root root 57664 Nov  5  2018 /usr/bin/crontab

Release : 12.8, 14.0, 14.1

Component : PRIVILEGED ACCESS MANAGEMENT SC 

Add a rule for all users. This does not override any system rules,

authorize SURROGATE ('USER.root') access(READ) id('*') via(pgm('/usr/bin/crontab*'))