From WebService-Script:Certificate to decrypt was found, but the current user does not have enough permissions to read the private key...

We have installed PCA on AD as per PCA guide. We have provided all required permission but still receiving error in log for password change.

According to the documentation https://support.oneidentity.com/technical-documents/identity-manager/8.0/password-capture-agent-administration-guide/4#TOPIC-862983 there is at least a secured parameter WebServiceType that has to be switched to REST.

In Step 6, SOAP web service can be replaced with Application Server because I assume that you are connecting to the REST API instead of SOAP.

https://support.oneidentity.com/identity-manager/kb/189367/pca-private-key-decryption-warning-when-changing-user-password