Release : 3.2.X and 3.3.X
A possible cause of this problem is a momentary loss of connectivity to LDAP at the moment a device or user group goes through its regular update.
If there is an LDAP connection loss, CA PAM will fail to update the existing device or user groups. For instance, messages like the following may appear:
2020/04/28 14:12,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"PAM-LDAP-0003: All servers to LDAP domain DC=Example,DC=Com are down. LDAP sync for group CN=PAM_GROUP1,OU=XD PAM,OU=PAM,OU=Universal Groups,OU=Groups,OU=Global,DC=Example,DC=Com group will not be attempted.",0, --,,0
2020/04/28 14:12,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"PAM-LDAP-0008: Updating LDAP Group CN=PAM_GROUP2,OU=XD PAM,OU=PAM,OU=Universal Groups,OU=Groups,OU=Global,DC=Example,DC=Com group failed. Connection to all configured LDAP servers failed. 0 New Devices, 0 Updated Devices, 0 Deleted Devices, 0 Failed New Devices, 0 Failed Updated Devices, 0 Failed Deleted Devices, 0 Devices Retrieved From LDAP Directory Server",0, --,,0
These messages mean that PAM was unable to retrieve any server or object from that LDAP server because of some kind of connectivity issue.
For consistency and security reasons, the PAM behavior in these cases is to delete the corresponding LDAP device or user group. If such an LDAP group is assigned to a policy, the policy may end up deleted or left incomplete, preventing access for users or to devices.
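The following is an added detection example, not CA PAM code: it reads session-log CSV lines like the two quoted above, keeps only PAM-LDAP-0003 and PAM-LDAP-0008 events, and lists the group DNs that PAM will drop because nothing was retrieved from LDAP. It assumes the message field is the one starting with "PAM-LDAP-" and that the DN is framed as "... group <DN> group ..."; the third sample line is constructed filler.

```python
"""Flag CA PAM LDAP sync failures that can lead to group deletion.

Added example (not CA PAM code). Assumes the CSV message field starts with
'PAM-LDAP-' and that the group DN is framed as '... group <DN> group ...'.
"""
import csv
import re
from io import StringIO

FAILURE_CODES = {"PAM-LDAP-0003", "PAM-LDAP-0008"}
GROUP_DN = re.compile(r"[Gg]roup (CN=.+?) group ")
RETRIEVED = re.compile(r"(\d+) Devices Retrieved")

# Constructed sample: the two lines quoted in the article plus one filler line
# with a made-up, non-LDAP message so the filter has something to skip.
SAMPLE_LOG = '''\
2020/04/28 14:12,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"PAM-LDAP-0003: All servers to LDAP domain DC=Example,DC=Com are down. LDAP sync for group CN=PAM_GROUP1,OU=XD PAM,OU=PAM,OU=Universal Groups,OU=Groups,OU=Global,DC=Example,DC=Com group will not be attempted.",0, --,,0
2020/04/28 14:12,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"PAM-LDAP-0008: Updating LDAP Group CN=PAM_GROUP2,OU=XD PAM,OU=PAM,OU=Universal Groups,OU=Groups,OU=Global,DC=Example,DC=Com group failed. Connection to all configured LDAP servers failed. 0 New Devices, 0 Updated Devices, 0 Deleted Devices, 0 Failed New Devices, 0 Failed Updated Devices, 0 Failed Deleted Devices, 0 Devices Retrieved From LDAP Directory Server",0, --,,0
2020/04/28 14:13,__xcd_local__,system, --, --, --, --, --, --, --, --, --, --, --, --,"CONSTRUCTED-0000: unrelated filler message, not an LDAP sync event",0, --,,0
'''


def find_ldap_sync_failures(log_text):
    """Return one finding per PAM-LDAP-0003/0008 line in the CSV text."""
    findings = []
    for row in csv.reader(StringIO(log_text)):
        msg = next((f for f in row if f.startswith("PAM-LDAP-")), None)
        if msg is None:
            continue
        code = msg.split(":", 1)[0]
        if code not in FAILURE_CODES:
            continue
        dn = GROUP_DN.search(msg)
        got = RETRIEVED.search(msg)
        findings.append({
            "time": row[0],
            "code": code,
            "group": dn.group(1) if dn else None,
            # 0003 never contacts LDAP; 0008 reports how many objects came back.
            "retrieved": int(got.group(1)) if got else 0,
        })
    return findings


def groups_at_risk(log_text):
    """Group DNs whose sync failed with nothing retrieved: PAM will drop them."""
    return {f["group"] for f in find_ldap_sync_failures(log_text)
            if f["group"] and f["retrieved"] == 0}
```

Running `groups_at_risk` over the appliance's exported session log on a schedule gives an early warning before a policy silently loses its LDAP group.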