When the 'Allow Nested Groups' flag is selected in a Policy, any group defined within the LDAP Root of that User Directory is granted access to that resource. This is specific to the r12.8.08 Policy Server.
PRODUCT: Siteminder
COMPONENT: Policy Server
VERSION: r12.8.08 (build: 2892)
OPERATING SYSTEM: Any
This issue occurs specifically when 'Allow Nested Groups' is enabled in the Policy. This can be verified in the AdminUI by reviewing the Users tab of the Policy. It can also be verified in the UserPolicy object in XPSExplorer, as well as in an XPS export file.
XPSExplorer:
PolicyFlags = 2(0x10): Default
Policy Store Export (.xml):
<Property Name="CA.SM::UserPolicy.PolicyFlags">
<NumberValue>2</NumberValue>
</Property>
<Property Name="CA.SM::UserPolicy.FilterPath">
<StringValue>CN={Group},OU={Groups},DC={Domain},DC={tLD}</StringValue>
</Property>
<Property Name="CA.SM::UserPolicy.FilterClass">
<StringValue>group</StringValue>
</Property>
PolicyFlags = 2 indicates that "Allow Nested Groups" is enabled.
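To find which policies in a store are affected before patching, the XPS export above can be scanned for UserPolicy objects that bind a group with PolicyFlags = 2. The following is an added example, not part of this KB or of the product; it assumes each policy's properties sit inside an <Object Class="CA.SM::UserPolicy"> wrapper and treats PolicyFlags as a bitmask, both of which are assumptions about the export layout, and the sample export is constructed.

```python
import xml.etree.ElementTree as ET

NESTED_GROUPS_FLAG = 2  # PolicyFlags value the KB documents for "Allow Nested Groups"

# Constructed sample export. The KB shows only the <Property> elements; the enclosing
# <Object Class="CA.SM::UserPolicy"> wrapper is an assumption about the export layout.
SAMPLE_EXPORT = """<XPSExport>
  <Object Class="CA.SM::UserPolicy" Xid="CA.SM::UserPolicy@01-policy-a">
    <Property Name="CA.SM::UserPolicy.PolicyFlags"><NumberValue>2</NumberValue></Property>
    <Property Name="CA.SM::UserPolicy.FilterPath"><StringValue>CN=AppUsers,OU=Groups,DC=example,DC=test</StringValue></Property>
    <Property Name="CA.SM::UserPolicy.FilterClass"><StringValue>group</StringValue></Property>
  </Object>
  <Object Class="CA.SM::UserPolicy" Xid="CA.SM::UserPolicy@02-policy-b">
    <Property Name="CA.SM::UserPolicy.PolicyFlags"><NumberValue>0</NumberValue></Property>
    <Property Name="CA.SM::UserPolicy.FilterPath"><StringValue>CN=Admins,OU=Groups,DC=example,DC=test</StringValue></Property>
    <Property Name="CA.SM::UserPolicy.FilterClass"><StringValue>group</StringValue></Property>
  </Object>
  <Object Class="CA.SM::UserPolicy" Xid="CA.SM::UserPolicy@03-policy-c">
    <Property Name="CA.SM::UserPolicy.PolicyFlags"><NumberValue>2</NumberValue></Property>
    <Property Name="CA.SM::UserPolicy.FilterPath"><StringValue>uid=jdoe,OU=People,DC=example,DC=test</StringValue></Property>
    <Property Name="CA.SM::UserPolicy.FilterClass"><StringValue>user</StringValue></Property>
  </Object>
</XPSExport>"""


def _prop(obj, name):
    """Return the text of the first NumberValue/StringValue under the named Property."""
    for prop in obj.iter("Property"):
        if prop.get("Name") == name:
            for value in prop:
                return (value.text or "").strip()
    return None


def find_nested_group_policies(export_xml):
    """Return [(xid, filter_path)] for UserPolicy objects that bind a group with
    Allow Nested Groups set, i.e. the policies exposed to the r12.8.08 defect."""
    root = ET.fromstring(export_xml)
    affected = []
    for obj in root.iter("Object"):
        if obj.get("Class") != "CA.SM::UserPolicy":
            continue
        flags = int(_prop(obj, "CA.SM::UserPolicy.PolicyFlags") or 0)
        filter_class = _prop(obj, "CA.SM::UserPolicy.FilterClass")
        # Bitmask test is an assumption; the KB only documents the value 2.
        if flags & NESTED_GROUPS_FLAG and filter_class == "group":
            affected.append((obj.get("Xid"), _prop(obj, "CA.SM::UserPolicy.FilterPath")))
    return affected
```

Against a real store, pass the contents of the XPS export file to find_nested_group_policies(); policies binding a user object rather than a group (policy-c above) are not reported, since the defect concerns group lookups.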
This issue is resolved in Siteminder r12.8.8.1.
To fix in r12.8.8 (build 2892):
Download the patch for your Policy Server Operating System
Windows: 12.8.08 Windows Nested Group Fix.zip
Linux: 12.8.08 Linux Nested Group Fix.zip
The files are attached to this KB; they can also be downloaded from the Symantec SiteMinder (previously CA SSO) Cumulative Release Index page.
SiteMinder Policy Server Patch To Resolve Nested Groups Defect in Release 12.8.08
1) Stop the Policy Server
2) Unzip the OS appropriate patch
3) Back up the original files.
WINDOWS:
<Install_Dir>\CA\siteminder\bin\smdsldap.dll
<Install_Dir>\CA\siteminder\bin\smdsldap_ms.dll
LINUX:
libsmdsldap.so
4) Copy the updated files from the patch to <Install_Dir>\CA\siteminder\bin\ (replacing the originals backed up in step 3).
5) Start the Policy Server