Having issues with a new userid added to an external security IBMGROUP.  Getting error is PKEX500E.  According to the package owner, the USERA can approve packages for the system, but USERB cannot and they are both in the approver group.   

Release : 18.0 18.1 

Component : CA Endevor Software Change Manager

In this situation PKGSEC=ESI - This setting allows a site to control package actions with external security packages such as ACF2, Top Secret and RACF using the Endevor ESI Interface. 

If PKGSEC=ESI is set in the C1DEFLTS table, ALL PACKAGE ACTIONS, INCLUDING APPROVAL INVOKE ESI. 

To approve a package, the user must be a member of the approver group whether it is an internal or external group.  If you are a member of the approver group, an ESI call is first made to check to see if the USERID is authorized to perform the REVIEW action.  The action can only be performed if the USERID is authorized, otherwise the action (review/approval) will be denied.