After enabling and configuring sesu, users are prompted for a password multiple times.

Example:
# sesu nonrootuser
Please enter your password:
Password:

In seos.ini there are 2 options related to how sesu requests passwords. When both of these flags are enabled they will both be requested when sesuing to a non-root user.

request_target_password: This token determines whether when the old_sesu token is set to no and the user is executing sesu to a non-root user, the password of the target user will be requested.

UseInvokerPassword: A Boolean value that determines whether sesu requests the invokers to specify their own passwords.

CA PIM Linux/UNIX endpoint with sesu feature enabled

The final resolution here would depend on the requirements for accessing the effected system. The UseInvokerPassword and request_target_password functionalities should be evaluated to determine which (if any) should be enabled. Once proper settings are determined, both values should be explicitly enabled or disabled in seos.ini. 

NOTE: Commenting out the token is not the same as explicitly disabling it because these tokens have default values. request_target_password specifically defaults to yes.

seos.ini editing instructions: 

1. Stop PIM daemons: # secons -s
2. Either manually edit the seos.ini file or use commands like the examples below to edit:
   # seini -s sesu.UseInvokerPassword yes
   # seini -s sesu.request_target_password no
3. Reload PIM daemons: # seload

SESU Configuration Documentation:
 https://docops.ca.com/ca-privileged-identity-manager/14-0/en/administrating/endpoint-administration-for-unix/safe-user-substitution/how-to-set-up-sesu-for-user-substitution/replace-the-system-s-su-utility-with-the-ca-controlminder-sesu-utility

SESU Token Documentation: 
https://docops.ca.com/ca-privileged-identity-manager/14-0/en/reference/configuration-files/the-seos-ini-initialization-file/sesu