The client was writing selang rules to allow certain AD users to run sesu. After the rules were written and the user had been authorized on the SURROGATE resource, the user still could not run sesu. The commands used were as follows:
AC> exg XGROUP_NAME
Successfully updated XGROUP XGROUP_NAME
AC> er surrogate USER.SHORT_NAME defacc(n) owner(nobody)
Successfully created SURROGATE USER.SHORT_NAME
AC> auth surrogate USER.SHORT_NAME via(pgm(/opt/CA/AccessControl/bin/sesu)) xgid(XGROUP_NAME) acc(r)
Successfully added XGROUP_NAME via PROGRAM /opt/CA/AccessControl/bin/sesu to USER.SHORT_NAME's PACL
Running sesu then failed with "You are not allowed to su to User_name". The cause is that the username the SURROGATE rule was created and authorized for is the wrong one. Active Directory provides both a full account name and a short name; the short name is what users type when running commands, but Access Control cannot resolve the short name to the full name when it evaluates the rule. The rule therefore has to be created with the full AD account name, after which the short name can still be used on the sesu command line.
The 'auth' command for the SURROGATE class (in this case) requires the full AD account name in the rule even though the short name is used when running the command. The corrected rules:
AC> er surrogate USER.FULL_AD_NAME defacc(n) owner(nobody)
Successfully created SURROGATE USER.FULL_AD_NAME
AC> auth surrogate USER.FULL_AD_NAME via(pgm(/opt/CA/AccessControl/bin/sesu)) xgid(XGROUP_NAME) acc(r)
Successfully added XGROUP_NAME via PROGRAM /opt/CA/AccessControl/bin/sesu to USER.FULL_AD_NAME's PACL
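As an added example (not part of the original note or the product), a small Python lint that catches this mistake before a selang file is loaded: it scans the text for SURROGATE rules written against a short logon name and rewrites them with the full AD name. The short-to-full mapping and the sample rules are constructed placeholders; in practice the mapping would be exported from the directory or from the endpoint's own account resolution.

```python
import re
from typing import Dict, List, Tuple

# Matches the two selang verbs the note uses on SURROGATE resources, with or without
# the interactive "AC>" prompt; captures verb, resource name and the rest of the line.
SURROGATE_RULE = re.compile(r"^\s*(?:AC>\s*)?(er|auth)\s+surrogate\s+(\S+)(.*)$", re.IGNORECASE)


def lint_surrogate_rules(rules: str, short_to_full: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Flag SURROGATE rules that name a short account and return corrected lines.

    rules         -- selang text, one command per line
    short_to_full -- short logon name -> full AD account name (constructed here;
                     sourced from the directory in a real deployment)
    Returns (findings, corrected_rules); corrected_rules keeps non-matching lines as-is.
    """
    full_names = set(short_to_full.values())
    findings, corrected = [], []
    for lineno, line in enumerate(rules.splitlines(), 1):
        m = SURROGATE_RULE.match(line)
        if not m:
            corrected.append(line)
            continue
        verb, name, rest = m.groups()
        if name in full_names:
            corrected.append(line)  # already written against the full AD name
        elif name in short_to_full:
            full = short_to_full[name]
            findings.append(f"line {lineno}: '{verb} surrogate {name}' uses a short name; use {full}")
            corrected.append(f"{verb} surrogate {full}{rest}")
        else:
            findings.append(f"line {lineno}: '{verb} surrogate {name}' is not a known short or full AD account name")
            corrected.append(line)
    return findings, corrected


# Constructed sample input mirroring the failing rules in the note.
SAMPLE_RULES = """\
er surrogate USER.SHORT_NAME defacc(n) owner(nobody)
auth surrogate USER.SHORT_NAME via(pgm(/opt/CA/AccessControl/bin/sesu)) xgid(XGROUP_NAME) acc(r)
er surrogate OTHER.FULL_AD_NAME defacc(n) owner(nobody)
"""
SAMPLE_MAP = {"USER.SHORT_NAME": "USER.FULL_AD_NAME", "OTHER.SHORT_NAME": "OTHER.FULL_AD_NAME"}

if __name__ == "__main__":
    problems, fixed = lint_surrogate_rules(SAMPLE_RULES, SAMPLE_MAP)
    print("\n".join(problems))
    print("\n".join(fixed))
```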