A PAM user whose firecall approver role is not assigned directly to the user, but only to a user group the user is a member of, cannot be updated once the user is configured as an approver in any password view policy. Any update attempt, e.g. checking or unchecking the "Account Enabled" flag, fails with error "PAM-CMN-0155: User xxx was not updated."
Release : 3.4.X, 4.0.0-4.0.1
Component : PRIVILEGED ACCESS MANAGEMENT
When an attempt is made to save the user, PAM does not recognize the credential manager role inherited from the user group and incorrectly reports a conflict between the user's existing approver role and the user configuration being saved. The tomcat log shows messages like:
Oct 21, 2021 11:57:01 PM com.cloakware.cspm.server.app.impl.UpdateUserCmd checkUserBeforeUpdate
WARNING: UpdateUserCmd.checkUserBeforeUpdate User 20001 cannot be updated by removing approver permission, because it is a password view policy approver/email notifier.
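The warning above is the only server-side evidence that distinguishes this defect from a genuine attempt to strip an approver role, so it is worth picking out of the tomcat log before deciding which workaround to apply. The following is an added example, not code from CA/Broadcom or part of the PAM product; it assumes the two-line Tomcat log layout shown above (a timestamp/class line followed by a level/message line) and uses a constructed log sample that repeats the article's warning for two hypothetical user IDs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log in the two-line Tomcat format quoted in the article.
# User IDs 20001 and 20007 are hypothetical.
SAMPLE_LOG = """\
Oct 21, 2021 11:56:58 PM com.cloakware.cspm.server.app.impl.UpdateUserCmd execute
INFO: UpdateUserCmd.execute processing user 20001
Oct 21, 2021 11:57:01 PM com.cloakware.cspm.server.app.impl.UpdateUserCmd checkUserBeforeUpdate
WARNING: UpdateUserCmd.checkUserBeforeUpdate User 20001 cannot be updated by removing approver permission, because it is a password view policy approver/email notifier.
Oct 21, 2021 11:58:12 PM com.cloakware.cspm.server.app.impl.UpdateUserCmd checkUserBeforeUpdate
WARNING: UpdateUserCmd.checkUserBeforeUpdate User 20007 cannot be updated by removing approver permission, because it is a password view policy approver/email notifier.
"""

# The message line carries the user ID; the timestamp lives on the preceding line,
# so we remember the last timestamp line seen and attach it to the next warning.
WARNING_RE = re.compile(
    r"^WARNING: UpdateUserCmd\.checkUserBeforeUpdate User (?P<user>\d+) "
    r"cannot be updated by removing approver permission"
)
TIMESTAMP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
)


def find_blocked_updates(log_text: str) -> List[Dict[str, str]]:
    """Return one record per blocked user update: the user ID and the timestamp
    of the checkUserBeforeUpdate warning that rejected it."""
    hits: List[Dict[str, str]] = []
    last_ts: Optional[str] = None
    for line in log_text.splitlines():
        m_ts = TIMESTAMP_RE.match(line)
        if m_ts:
            last_ts = m_ts.group("ts")
            continue
        m = WARNING_RE.match(line)
        if m:
            hits.append({"user": m.group("user"), "timestamp": last_ts or ""})
    return hits


def affected_users(log_text: str) -> List[str]:
    """Distinct user IDs, in first-seen order, whose updates were rejected by the
    approver check; these are the users to review for an inherited approver role."""
    seen: List[str] = []
    for hit in find_blocked_updates(log_text):
        if hit["user"] not in seen:
            seen.append(hit["user"])
    return seen


if __name__ == "__main__":
    for hit in find_blocked_updates(SAMPLE_LOG):
        print(f'{hit["timestamp"]}: update of user {hit["user"]} rejected by approver check')
```

Run it against the real tomcat log instead of SAMPLE_LOG to get the list of user IDs that need one of the workarounds below; a user that appears here but does have the approver role assigned directly is not an instance of this defect.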
This problem will be fixed in PAM 4.0.2 and any future PAM releases.
For lower PAM releases you have two options to work around this problem:
1) Temporarily remove the user from password view policies.
2) Assign the Password Manager role and the credential manager (CM) group membership, which are currently inherited from the user group, directly to the user.