search cancel

Unable to Unassign Policy using the ENTM UI


Article ID: 21013


Updated On:


CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)



After deploying a policy on a windows endpoint, unable to unassign the policy from ENTM UI

<Please see attached file for image>

Figure 1

The following error is received in the policyfetecher.log on the endpoint where the unassign fails

  • creating RULESET "Test policy loc group#01"...
  • Deleting local POLICY "Test policy loc group#01" - has different signature than DH
  • ERROR: command "rmres POLICY ("Test policy loc group#01") noexit" returned failures, rv = 36882
  • LCA returned (localhost)

WARNING: The policy: Test policy loc group#01 is deployed. The policy cannot be deleted.


The following commands need to be invoked on the endpoint and the ENTM server via 'selang'


  1. Compare the policy signatures on both the endpoint and DMS using the following 'selang' commands:
         AC>sr policy("Test policy loc group#01") useprops(EXTENDED_SIGNATURE)
  2. Recalculate the signature on the DMS__ and DH__ if a difference is found:
         AC>chres POLICY("Test policy loc group#01") finalize noexit
  3. Unassign policy in ENTM UI tab Policy Management Assignment -> UnAssign Policy (see screenshot above)

    To Manually Delete a Policy from the endpoint and DMS, see the steps below:


1.On the endpoint do the following via selang;

'find POLICY' and identify the policy that needs removing

2.undeploy POLICY ( policyName )

3.rr RULESET ("policyName#01") noexit

4.rr POLICY ("policyName#01") noexit

5.rr GPOLICY ("policyName")

Note that the policy version number from steps 1-2 may be different

6.Run 'find DEPLOYMENT' and 'find GDEPLOYMENT' on both endpoint and DMS, any objects that exist on the endpoint but NOT on the DMS need to be removed from the ENDPOINT with:

rr DEPLOYMENT deploymentName

rr GDEPLOYMENT deploymentName


Note: To connect to the DMS__ and DH__ through the command line, please use the following 'selang' commands from the Enterpriser Management server

AC>host [email protected]>   
AC>host [email protected]>


Release: ACP1M005900-12.8-Privileged Identity Manager


1558700341362000021013_sktwi1f5rjvs16p0f.gif get_app