Upon modifying a Unix user account with ControlMinder, the rights of the file /etc/passwd or /etc/groups, etc. change and set to 644.
Applies to all supported environments for ControlMinder on Unix or Linux
Although it might not be obvious, what you see in this case is expected behaviour and is working by design.
By default CM is resetting group and passwd file ownership and file access rights to root and 644 upon update of a user and/or group.
This behaviour is meant as security feature, e.g. if the file was "stolen" by some other user.
Anyway, you can switch off this behaviour if you negate the default values of these tokens in seos.ini in [passwd] section