Creating a custom delegated administrator role in PAM


Article ID: 104096


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA); PAM SAFENET LUNA HSM; CA Privileged Access Manager (PAM)


We have a need for a custom delegated administrator role that is somewhat different from the default delegated administrator role found in PAM. Our delegated administrators will have specific device groups and user groups assigned by a PAM global administrator and should be able to accomplish the following tasks for the assigned groups:
  • Create a new device and add it to one of the device groups
  • Create target applications and target accounts for the new device
  • Create policies between users or user groups and the new device (or the device group it’s in) and add access methods and services with auto-login using one or more of the new target accounts


The attached procedure was tested successfully with PAM 3.1.2 and PAM 3.2.


The attached document details one procedure to configure a role with the capabilities listed above. This includes creation of the access role, the credential manager (CM) role, and creation of the CM target and user group required for the delegated administrator.

For a discussion of built-in access roles with their privileges along with the privilege definitions, see page
For information on credential manager roles and groups see


1558536555558RP_DelegatedAdmin_config.docx