I don't quite understand your scenario. I would want to see how you have the Target Group, Credential Role and Credential Group configured, and what Credential Groups are assigned to the user. I do know that there are issues related to this topic, and currently have a defect open for one particular aspect. I suggest that you open a Support Ticket, and include screen captures, showing how you have this configured and the result that leads you to believe PAM is not operating correctly. We can then try to duplicate the problem and open a defect with Engineering if necessary.