We want to segregate device accounts between 2 users of PAM.
User1 manages the device and OS accounts and User2 manages DB accounts on the same device.
Neither one can see the other's passwords, and both User1 and User2 are "delegated administrators".
The field "Description 1" and Dynamic Target Groups are used as a means of doing so, as suggested by the documentation.
Thus, User1 has the "password manager" role pointing to the User1Dyn target group, which has been created with the following filters:
We created a Target Dynamic group User1Dyn composed of Devices, Applications and Users having User1Dyn in Description1, and a Target Dynamic group User2Dyn composed of Devices, Applications and Users having User2Dyn in Description1. With these groups in place, you will not be able to add new accounts, because of the AND condition for target accounts introduced in the definition of the Target Dynamic Groups.
The problem is that we are trying to view all applications, accounts and servers that meet a specific condition while the target account has not yet been created, so the user will never be able to see the records.
CA PAM version 3.X
To fix this, remove the Account restriction from the Target Group; the target applications and accounts can then be added successfully. Add the restriction back after the accounts have been added.