When logging into the CA Access Gateway (SPS) ProxyUI, an error message
is displayed stating
"Error: Exception User might not have required permissions to get group information"
and the ProxyUI logs show the following error:
"ERROR - com.ca.sps.adminui.xpsclient.XPSConnection - Unable to establish administration context."
When navigating to the "Administration" tab, clicking the "Group
Configuration" link, and then clicking the "Add" button, the following
error is displayed:
"Error: Unable to Add a Group".
CA Access Gateway (SPS) 12.8
If the user logging into the ProxyUI is authenticated/authorized from
a User Directory in the ProxyUI Domain that is not properly configured
against the same User Directory as the External Administrator Store in
SiteMinder, then the user is not considered to be a SiteMinder
Administrator and these error messages will be encountered. In order
to create a Group Configuration in the ProxyUI, the logged-in user
must be a Single Sign-On/SiteMinder Administrator.
To allow a SiteMinder Administrator to create Group Configurations
within the ProxyUI, a User Directory Connection must be created
against the same User Directory that was configured as the External
Administrator Store, and the connection information must match the
connection information entered in the External Administrator Store
configuration. If the Server information for the External
Administrator Store was entered by "IP:PORT", then the Server
information for the User Directory Connection must also be defined by
"IP:PORT". If the Server information for the External Administrator
Store was entered by "FQDN:PORT", then the Server information for the
User Directory Connection must also be defined by "FQDN:PORT".
Further, if the Server information for the External Administrator
Store is configured with failover/load-balancing, then the Server
information for the User Directory Connection must also be defined with
failover/load-balancing. The User Directory connection information for
the User Directory in the ProxyUI Domain must "mirror" the connection
information defined for the External Administrator Store in order for
a user authenticated/authorized from the User Directory to be
considered a SiteMinder Administrator and the ProxyUI to establish the
administration context.
If the External Administrative User Store was of type AD, ADLDS, or
ADAM, the User Directory configured to protect the ProxyUI should be
created in the LDAP namespace to allow the Authenticated User to be
identified as a SiteMinder Administrator.
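The following is an added example, not part of the original article or of the product: a small Python check that compares the Server value copied from the External Administrator Store with the one from the User Directory Connection and reports where they fail to mirror each other. It assumes failover entries are separated by spaces and load-balanced entries by commas; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

def classify(host):
    """Return 'IP' for a literal IP address, otherwise 'FQDN'."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "IP"
    except ValueError:
        return "FQDN"

def parse_servers(value):
    """Split a Server field into failover groups of (host, port) pairs.

    Assumption: spaces separate failover groups and commas separate
    load-balanced servers inside a group.
    """
    value = re.sub(r"\s*,\s*", ",", value.strip())
    groups = []
    for group in value.split():
        entries = []
        for item in filter(None, group.split(",")):
            host, sep, port = item.rpartition(":")
            entries.append((host, port) if sep else (item, ""))
        groups.append(entries)
    return groups

def mirror_problems(admin_store, user_dir):
    """List how user_dir fails to mirror admin_store (empty list = match)."""
    a, u = parse_servers(admin_store), parse_servers(user_dir)
    if [len(g) for g in a] != [len(g) for g in u]:
        return ["failover/load-balancing layout differs"]
    problems = []
    for (ha, pa), (hu, pu) in zip(sum(a, []), sum(u, [])):
        if classify(ha) != classify(hu):
            problems.append(f"{hu}: {classify(hu)} used where store has {classify(ha)} ({ha})")
        elif ha != hu:
            problems.append(f"{hu}: host differs from {ha}")
        if pa != pu:
            problems.append(f"{hu}: port {pu or 'unset'} differs from {pa or 'unset'}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    store = "10.0.0.5:389 10.0.0.6:389"
    directory = "ldap1.example.com:389 ldap2.example.com:389"
    for line in mirror_problems(store, directory) or ["connection strings mirror each other"]:
        print(line)
```

Host names are compared exactly, so a difference in letter case is reported as a mismatch.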
Configure an External Administrator Store
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/administrators/configure-an-external-administrator-store.html
Protect the Administrative UI with SiteMinder
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/start-the-administrative-ui-and-manage-objects/protect-the-administrative-ui-with-siteminder.html