The Administrative Activities report under Credentials > Reports > Run has many entries for Delete activities with type User. The name of the User is given as "super", but we do not use the super account for logon to PAM. The deleted users were imported from LDAP.
PAM periodically refreshes imported LDAP user groups based on the domain configuration on the Configuration > 3rd Party > LDAP page. PAM gets the current list of users from the LDAP server and compares it to the list of previously imported users for the group. If a user is no longer found in the LDAP user group, it will be removed from the group in PAM. If it is the only group that the user was member of, the user will be deleted. As this is internal activity, it is shown as executed by the internal admin account "super" in the Administrative Activities report.
Release : 4.0
Component : PRIVILEGED ACCESS MANAGEMENT
The activities of concern are triggered by the periodic refresh of imported LDAP groups. Users that no longer are in a group will be removed from PAM. This is expected behavior. The session log on the PAM server will show PAM-CMN-2254 messages similar to the following for each deleted user:
PAM-CMN-2254: User <Distinguished Name> successfully deleted. User <User Principal Name> is deleted from Password Authority.
These messages should be followed by a PAM-LDAP-0009 message listing how many users were added/updated/deleted from the group processed:
PAM-LDAP-0009: LDAP Group <Group Distinguished Name> updated. 0 New Users, 0 Updated Users, <X> Deleted Users, 0 Failed New Users, 0 Failed Updated Users, 0 Failed Deleted Users, <N> Users Retrieved From LDAP Directory Server
In a cluster these messages will be seen in the session logs of the current replication leader in the primary site, typically, but not necessarily, the first node in the primary site cluster configuration.