Symantec Privileged Access Management

 View Only

 Failed to change super user's email address

MARUBUN SUPPORT's profile image
MARUBUN SUPPORT posted Jun 10, 2025 05:01 AM

Hi Team,

We received the following question from an end user.

The end user is using 4.1.7(EOS) and has encountered PAM-CMN-5517.
Does this error also apply if the user changes their email address?

Also, the manual says that PAM-CMN-5517 was fixed in 4.1.5.
Is PAM-CMN-5517 an error that still occurs in 4.1.5 and later?

The error occurred when an end user changed the email address of the super user with the role "Global Administrator".

-

Product 
PAM v4.1.7 

-

Problem
-
When I tried to change the email address set for the super user, the following error occurred and I was unable to make the change.

"PAM-CMN-5517: The user cannot be changed because the approver role in the password display policy approval process is assigned to the user."

Please tell me the cause and solution.
(Are there any problems if an invalid email address is set for the super user?)
-

The solution to this would be the following:

> https://community.broadcom.com/question/regarding-errors-that-occur-when-modifying-a-user

Thanks,

Ralf Prigl's profile image
Broadcom Employee Ralf Prigl

Hello, There was a specific problem with super user updates that is fixed in 4.1.8 and 4.2.1+ only.

MARUBUN SUPPORT's profile image
MARUBUN SUPPORT

Would this problem be fixed by updating to 4.1.8 or 4.2.1 or later?
(... I confirmed that the problem occurs in 4.1.7, and that updating the PAM to 4.2.0(.826) resolves it.)

Also, if this is a known problem, is there a DE number or manual that mentions it?
Or is this an issue that has been identified internally?

Ralf Prigl's profile image
Broadcom Employee Ralf Prigl

4.1.8 has reached EOS and nobody should upgrade to that release at this time. Upgrade to 4.2.1 should resolve the problem. The related item on page Resolved Vulnerabilities and Issues in 4.2.1 is the following, but admittedly the description does not make that clear:

35397593
DE608872
User groups are not refreshed due to dual authorization.

That code change made for that defect is not in 4.2.0, but there was a comment saying that the problem was not reproduced with 4.2.0.

MARUBUN SUPPORT's profile image
MARUBUN SUPPORT

The customer is planning to update to 4.2.1 or later.

The server for the current email address will be lost, so the currently set email address will become an invalid email address. 
If an invalid email address is set as the super user, what kind of impact will this have?

Thanks,

Joseph Fry's profile image
Broadcom Employee Joseph Fry

If an invalid email address is set as the super user, what kind of impact will this have?

Other than emails sent to that user not getting delivered anywhere... there is no technical impact.  Obviously, if the super account is used as an approver, or if you have configured email self on login enabled, those emails will never arrive.  Otherwise PAM should continue to function normally; there is no dependency upon successful email delivery (eg One Time Password/two factor).