Error PAM-CMN-0155 when removing the role global administrator from a user in CAPAM


Article ID: 213339


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

You are trying to remove the Global Administrator role from a CA PAM user and turn it into a Standard User, but this always fails with the following error:

PAM-CMN-0155: User was not updated

This is a generic error which does not provide information about the underlying root cause. There are other articles dealing with this same error which provide different root causes and remediation procedures. The present article covers one common root cause.

Cause

This error may happen if the user you are trying to remove the Global Administrator role from is used in configurations that are valid only for privileged Credential Manager users. For instance, the user may be configured as an approver in a password view policy (PVP) using dual authorization, or as a selected user under the Email Notification tab of a PVP.

Current (as of January 2025) PAM releases should have a useful message in the session logs (Sessions > Logs) such as:

PAM-CMN-2261: Password Authority failure to try to activate user tempglobaladmin. Message: PAM-CM-0702: The approver permission cannot be removed; the specified user is an approver of 0 password view policy(ies) and email notifier of 1 password view policy(ies)..

 

The Tomcat log, which can be downloaded from the Configuration > Diagnostics > Diagnostic Logs > Download page, should also contain messages similar to the following:

2025-01-10T19:00:42.293+0000 WARNING [TP10] com.cloakware.cspm.server.app.impl.UpdateUserCmd.checkUserBeforeUpdate UpdateUserCmd.checkUserBeforeUpdate User 10092001  cannot be updated by removing approver permission, because it is a password view policy approver/email notifier.

2025-01-10T19:00:42.314+0000 SEVERE [TP3] com.ca.pam.rest.UserService.update Call to Gatekeeper service controller failed: PAM-CMN-0155: User tempglobaladmin was not updated.

Resolution

Review your password view policies and remove the user as email notifier or approver where found.
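
To confirm that a given PAM-CMN-0155 failure has this root cause, and whether to look for the user under approvers or email notifiers, the log lines above can be parsed as in the following added example (not part of the original article and not vendor code). The function names, the regular expressions (derived only from the sample lines quoted here) and the 2-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: the log lines quoted in this article, embedded so this runs offline.
SESSION_LOG = "PAM-CMN-2261: Password Authority failure to try to activate user tempglobaladmin. Message: PAM-CM-0702: The approver permission cannot be removed; the specified user is an approver of 0 password view policy(ies) and email notifier of 1 password view policy(ies).."
TOMCAT_LOG = (
    "2025-01-10T19:00:42.293+0000 WARNING [TP10] com.cloakware.cspm.server.app.impl.UpdateUserCmd.checkUserBeforeUpdate UpdateUserCmd.checkUserBeforeUpdate User 10092001  cannot be updated by removing approver permission, because it is a password view policy approver/email notifier.\n"
    "2025-01-10T19:00:42.314+0000 SEVERE [TP3] com.ca.pam.rest.UserService.update Call to Gatekeeper service controller failed: PAM-CMN-0155: User tempglobaladmin was not updated.\n"
)

PVP_RE = re.compile(
    r"PAM-CMN-2261: .*? user (?P<user>\S+)\. Message: PAM-CM-0702: .*?"
    r"approver of (?P<approver>\d+) password view policy\(ies\) and "
    r"email notifier of (?P<notifier>\d+) password view policy\(ies\)")
CHECK_RE = re.compile(
    r"^(?P<ts>\S+) WARNING .*checkUserBeforeUpdate User (?P<uid>\d+)\s+"
    r"cannot be updated by removing approver permission")
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) SEVERE .*PAM-CMN-0155: User (?P<user>\S+) was not updated")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def pvp_blockers(session_text):
    """Map user name -> PVP reference counts reported in PAM-CM-0702 messages."""
    return {m["user"]: {"approver": int(m["approver"]), "notifier": int(m["notifier"])}
            for m in PVP_RE.finditer(session_text)}


def pvp_caused_failures(tomcat_text, window=timedelta(seconds=2)):
    """Return PAM-CMN-0155 failures preceded by a checkUserBeforeUpdate warning.
    Assumption: a warning at most `window` before the failure belongs to the
    same update request (the two lines share no request id)."""
    warnings, hits = [], []
    for line in tomcat_text.splitlines():
        if m := CHECK_RE.match(line):
            warnings.append((datetime.strptime(m["ts"], TS_FMT), m["uid"]))
        elif m := FAIL_RE.match(line):
            ts = datetime.strptime(m["ts"], TS_FMT)
            for w_ts, uid in reversed(warnings):
                if timedelta(0) <= ts - w_ts <= window:
                    hits.append({"user": m["user"], "user_id": uid})
                    break
    return hits


if __name__ == "__main__":
    for hit in pvp_caused_failures(TOMCAT_LOG):
        refs = pvp_blockers(SESSION_LOG).get(hit["user"], {})
        print(hit, refs)
```

A PAM-CMN-0155 line with no matching warning is not reported, which points to one of the other root causes mentioned at the top of this article.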