Only useless PAM-UI-2401 error logged when user deletion fails

Article ID: 230139

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We had a user that we were unable to delete from our CS appliance cluster. The user has left, however he was a global admin and we were neither able to delete his account nor modify the role and credential manager group. The UI only showed the rather useless message "PAM-UI-2401: Error deleting user. User <username> cannot be deleted because of a Password Authority error.". With the help of Support we found that the user still was configured in one of our password view policies as an email notifier, and after updating the corresponding PVP we were able to delete the user. But there was no message on the UI or in the session logs that would have pointed us in the right direction. We don't find the PAM-CMN-2272 or PAM-CM-0688 messages discussed in KB 108544.

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

There was a change in PAM code that caused the session log messages mentioned in the old KB to be dropped.

Resolution

This problem will be fixed in 3.4.6, 4.0.2 and future main releases. A message will be written to the session log with details on why the user deletion failed.