These steps are to create a Credential Manager Group to allow the user to have any permission on any target account but not to view the passwords. This article was created based in a request to deny the view password access to the Global Administrators in PAM

Release:
Component: CAPAMX

Steps:

1. Copy the "System Admin" CM Role and remove the " View Account Password " privilege:
   1. Go to Credentials > Manage Credencial Groups > Credential Roles.
   2. Click on "System Admin" role and click on "Copy". 
   3. Rename the new Role and click on "OK".
   4. Select the new role created and click on Update.
   5. Search for "View Account Password" at the right column and move the privilege to the left. Click on "OK".
2. Create a new Credential Manager Group and assign the new role:
   1. Go to Credentials > Manage Credencial Groups > Credential Groups.
   2. Click on the "Add" button.
   3. Enter a name to the Credential Manager Group.
   4. In the Role field search for the Credential Role created.
   5. Click on "Ok".
3. Grant the privileges to the user:
   1. Go to Users > Manage Users.
   2. Select the User and go to Credential Manager Groups.
   3. Select the new group created and click on "Ok".

The preconfigured Access Roles with Credential Manager privileges are:

• Global Administrator
• Operational Administrator
• Password Manager

The Credential Manager Group is then assigned to a User account through the Credential Manager Groups tab. This tab has settings that are enabled when you select an Access Role with Credential Manager privileges.

CA Privileged Access Manager is preconfigured with the provisioned Credential Manager Group "System Admin Group". This might appropriately be used to provision a Global Administrator using the PM Groups setting.