After applying a recent cumulative patch to fix multiple PAM vulnerabilities, such as 4.1.5.50 for 4.1.5 or 4.1.6.50 for 4.1.6, password view request approvers no longer can approve pending requests, running into error

Error: PAM-CM-0161: You do not have sufficient permissions to perform this operation.

This happens for users with the built-in FirecallApprover role or a similar custom role.

A change in a call invoked during the approval process requires privilege "Get User Group", which is not in the built-in FirecallApprover role and typically not in any custom approver role that is based on the built-in role.

A temporary workaround is to add the "Get User Group" privilege to the Credential Manager role assigned to the approvers. The problem will be fixed in the next maintenance release 4.2.1 and a solution is expected to be included in a published hotfix for 4.2 in the second half of September 2024.