CAPAM is connected in AD, all users are being registered to CAPAM by Security Groups added to their account after groups were imported from AD.

Some of the Admin Accounts whose membership has already been removed are still retained in the CAPAM, that is they are not deleted as these accounts have a higher privilege.

Release : All Supported PAM releases.

Component : PRIVILEGED ACCESS MANAGER CREDENTIAL MANAGENENT

These Admin Accounts have a higher privilege as they are a part of "Breakglass Approvers" list (these Admins can retrieve passwords for target accounts in case of emergency)

In the Session Logs we have  "PAM-CMN-1583: 0 users deleted, 1 users not deleted for lack of privilege, 0 users not found, 0 LDAP users not deleted, 0 login contact users not deleted, 0 unknown user delete errors",0, --,,0"

The related admin accounts are part of "Breakglass Approvers", removing these accounts from the list of Breakglass Approvers helps in the deletion of these accounts from CA PAM.

None.