We have a need for a custom delegated administrator role that is somewhat different from the default delegated administrator role found in PAM. Our delegated administrators will have specific device groups and user groups assigned by a PAM global administrator and should be able to accomplish the following tasks for the assigned groups:
The attached procedure was tested successfully with PAM 3.1.2 and PAM 3.2.
The attached document details one procedure to configure a role with the capabilities listed above. It covers creation of the access role, creation of the credential manager (CM) role, and creation of the CM target group and user group required for the delegated administrator.
For a discussion of the built-in access roles, their privileges, and the privilege definitions, see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-your-server/master-provisioning-settings/identify-desired-user-roles.
For information on credential manager roles and groups, see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/add-credential-manager-roles-and-groups.