When configuring CA PAM to connect to target devices, it is not unusual to have a pool of Windows Domain target accounts available to connect to Windows target devices. In some cases, you may have more users than target accounts available - what would lead your team to run out of accounts to use, specially if connecting to the same Windows Server.

To avoid one user to take over the RDP Session from another user, you can check what target accounts are in use with what target devices. This is something CA PAM administrators have available by default, but it is possible to make it available for regular users.

CA PAM 3.2 and later.

You will create a new Role in CA PAM (or edit the Roles you already created for your teams, if any) adding the privilege named "All Logging". For more info, please check our documentation: https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-your-server/master-provisioning-settings/identify-desired-user-roles

To create a new Role:

1. Access the menu Users and click on Manage Roles;
2. Click on ADD;
3. Type a name for your new Role;
4. Click on the Privileges tab;
5. Select the "All Logging" privilege on the list;
6. Click on the arrow pointing to the right to move the selected privilege to the Selected Privileges column;
7. Click OK.

Now you will add the new Role to your Users. To do this:

1. Access the menu Users and click on Manage Users;
2. Double-click the user you want to add the Role;
3. Click on the Roles tab;
4. Click on the plus (+) sign on the Roles line;
5. It will add a new line to the bottom of the list. Where you read [Please specify a role], click once to enable the dropdown;
6. Expand the dropdown and select your new role on the list;
7. Complete the form and click OK.

Now your users have access to the Sessions menu, with the Logs option. The image below is an example of what they will see:

<Please see attached file for image>