PAM is configured to connect to SDM web server. Based on the SOAP call error message, it is failing on the impersonate step. It returns the SOAP error message: get_handle_for_userid failed with userid 'sdmappuser' in the PAM c2o.log file.

sdmappuser is the SDM admin user and it has admin privileges. 

Similar message may also present as get_handle_for_userid failed with userid U'XXXX' where XXXX is a UUID value

Release : 17.3

Component : CA SERVICE MANAGEMENT

When integrating with PAM, the user "ServiceDesk" is leveraged first to run the impersonation step.  What has been seen is that the "ServiceDesk" user might have some limited permissions, such as being assigned an access type and role that does not have the appropriate "Grant Level" compared to the user being impersonated, in this case, user "sdmappuser".  

Another example might be if the user "ServiceDesk" had its assigned Access Type set to "Employee" and none of the roles under the "Employee" Access Type contains a "Grant Level" sufficient to allow access to impersonate the user "sdmappuser".  

In addition, the users involved, ServiceDesk, et. al. must all be assigned an Access Type whose "Licensed?" flag is set to "yes".  Impersonation requires the License setting to be enabled.

When the SOAP call is being made from PAM over to ServiceDesk, PAM first logs in as the user "ServiceDesk" and is trying to impersonate user "sdmappuser". In order to do that, SDM needs to ensure that the "Grant Level" of the the role linked to user "ServiceDesk" is higher or equal to the "Grant Level" of the role linked to user "sdmappuser".  Will need to check the permissions for user "ServiceDesk" or the access type and role linked to the user "ServiceDesk".

In addition, the "ServiceDesk" user account should also be assigned an access type that has the "Licensed?" Field set to "Yes".