Password View Policy (PVP) which sets Re-authenticate for Auto Connect won't work in PAM 3.0.2 or 3.1.1 or later. if the user, which has only Standard User role, uses the target account to SSH access the target device. This problem is not detected in PAM 2.8.3.x.

When the user clicked the SSH button on the Access page, Available Credentials dialog was shown. Then the user clicked the account entry (root account) then the Auto Connect dialog appeared. However, when the user entered his password for re-authentication and click the [OK] button, he got the following error.

PAM-CM-0161: You do not have sufficient permissions to perform this operation.

The following are steps to reproduce the problem.
1. Set up a policy for a user with only Standard User role to have SSH access to a target device with a correct target account.
2. Created Password View Policy (PVP) which only enables Re-authenticate For Auto Connect and assigned this PVP to the target account.
3. Login as the user and do SSH access

 

PAM 3.0.2 or 3.1.1

This issue is addressed in PAM 3.1.2 which is available since 11 Jun 2018.
Please upgrade to PAM 3.1.2 to address this issue.

If you cannot upgrade PAM now you can do the following workaround, i.e. add Password Manager role (which has Manage Credential privilege) to the user with appropriate Credential Group.

See more detail about Create a Password View Policy in online documentation https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-6/protect-privileged-account-credentials/set-up-password-composition-and-view-policies/establish-password-view-policies/create-a-basic-password-view-policy.html