search cancel

Error PAM-CMN-0155 when removing the role global administrator from a user in CAPAM


Article ID: 213339


Updated On:


CA Privileged Access Manager (PAM)


We are trying to remove the Global Administrator role from a CA PAM user and turn it into a Standard User, but this always fails with the following error

PAM-CMN-0155: User was not updated

This is a generic error which does not provide information about the underlying root cause. There are other articles dealing with this same error which provide different root causes and remediation procedures. The present article covers one possible root cause


This error may happen if the user we are trying to remove the Global Administrator role from holds some rights on the Credential Management part of the product. For instance if the user is a Password View Approver or its e-mail is listed as one of the accounts to notify for dual authorization.

Since a production environment may be difficult to troubleshoot due to the multiple intertwining group memberships and configurations, it is easy to miss the root cause for the error.

In this case it is advised to set Tomcat logs to FINE (Configuration --> Diagnostics --> Diagnostic Logs --> Log Levels --> Tomcat Log Level) and reproduce the error. Then download the Tomcat log.

In the said log there will be lines like the following

FINE: AdminCLIServlet.performTask T108942 skipping login event for comamnd='updateUser'.
Apr 14, 2021 9:02:12 AM checkUserBeforeUpdate
WARNING: UpdateUserCmd.checkUserBeforeUpdate User 1011  cannot be updated by removing approver permission, because it is a password view policy approver/email notifier.
Apr 14, 2021 9:02:12 AM update
SEVERE: Call to Gatekeeper service controller failed: PAM-CMN-0155: User CN=xxx, xx,OU=yyyyy,OU=zz,OU=tttt,OU=pppp,DC=jj,DC=kk was not updated.


CA PAM all versions


Check the tomcat logs in level FINE and remove the user from the groups, roles and functions listed in the log which are preventing operation. Check thoroughly that the user does not have any credential management related role, such as approver, email notifier, member of a credential management group, etc using the results of the catalina log while reproducing the problem,