We are trying to remove the Global Administrator role from a CA PAM user and turn it into a Standard User, but this always fails with the following error:
PAM-CMN-0155: User was not updated
This is a generic error which does not provide information about the underlying root cause. Other articles dealing with this same error describe different root causes and remediation procedures. The present article covers one possible root cause.
CA PAM all versions
This error may happen if the user from whom we are trying to remove the Global Administrator role holds some rights on the Credential Management part of the product, for instance if the user is a Password View Approver or the user's e-mail is listed as one of the accounts to notify for dual authorization.
A production environment may be difficult to troubleshoot because of the multiple intertwining group memberships and configurations, so it is easy to miss the root cause of the error.
In this case it is advised to set the Tomcat log level to FINE (Configuration --> Diagnostics --> Diagnostic Logs --> Log Levels --> Tomcat Log Level) and reproduce the error. Then download the Tomcat log.
In that log there will be lines like the following:
FINE: AdminCLIServlet.performTask T108942 skipping login event for comamnd='updateUser'.
Apr 14, 2021 9:02:12 AM com.cloakware.cspm.server.app.impl.UpdateUserCmd checkUserBeforeUpdate
Apr 14, 2021 9:02:12 AM com.ca.pam.rest.UserService update
SEVERE: Call to Gatekeeper service controller failed: PAM-CMN-0155: User CN=xxx, xx,OU=yyyyy,OU=zz,OU=tttt,OU=pppp,DC=jj,DC=kk was not updated.
Check the Tomcat logs at level FINE and remove the user from the groups, roles and functions listed in the log which are preventing the operation. Using the catalina log captured while reproducing the problem, check thoroughly that the user does not have any credential management related role, such as approver, email notifier, member of a credential management group, etc.
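An added example, not part of the original article or of CA PAM: a small Python parser for the downloaded Tomcat log that returns each PAM-CMN-0155 error together with the records logged before it, so the preceding FINE entries can be read in context. The record layout is taken from the excerpt above; the sample input, its FINE message texts and the class com.example.Unrelated are constructed.

```python
import re

# Record header as it appears in the log excerpt above:
# "<Mon> <d>, <yyyy> <h:mm:ss> AM|PM <class> <method>"
HEADER = re.compile(
    r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M (\S+) (\S+)$")
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")

def parse_records(text):
    """Group raw lines into records; a header may have no message line."""
    records = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            records.append({"cls": head.group(1), "method": head.group(2),
                            "level": None, "lines": []})
        elif records:                      # lines before the first header are skipped
            rec = records[-1]
            lvl = LEVEL.match(line)
            if lvl and rec["level"] is None:
                rec["level"] = lvl.group(1)
                rec["lines"].append(lvl.group(2))
            else:                          # continuation of a multi-line message
                rec["lines"].append(line)
    return records

def failed_update_context(text, before=5):
    """For each PAM-CMN-0155 error, return it with the `before` records preceding it."""
    recs = parse_records(text)
    return [recs[max(0, i - before):i + 1] for i, r in enumerate(recs)
            if r["level"] == "SEVERE" and any("PAM-CMN-0155" in l for l in r["lines"])]

# Constructed sample; the FINE message texts are placeholders, not real PAM output.
SAMPLE = """\
FINE: orphan line whose header was cut off (constructed)
Apr 14, 2021 9:02:11 AM com.example.Unrelated doWork
FINE: unrelated entry (constructed)
Apr 14, 2021 9:02:12 AM com.cloakware.cspm.server.app.impl.UpdateUserCmd checkUserBeforeUpdate
FINE: <placeholder for the detail logged by this check>
Apr 14, 2021 9:02:12 AM com.ca.pam.rest.UserService update
SEVERE: Call to Gatekeeper service controller failed: PAM-CMN-0155: User CN=xxx was not updated.
"""

if __name__ == "__main__":
    for group in failed_update_context(SAMPLE, before=2):
        for rec in group:
            print(rec["level"], rec["cls"], rec["method"], " | ".join(rec["lines"]))
```

To use it on a real log, pass the file's contents to failed_update_context and raise `before` if the update was logged among many other requests.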