We want to segregate device accounts between 2 users of PAM.
User1 manages the device and SO accounts and User2 manages DB accounts on the same device.
Neither one can see the password of the other, and both User1 and User2 are "delegated administrators".
The field "Description 1" and Dynamic Target Groups are used as a means of doing so, as suggested by the documentation.
Thus, User1 has the "password manager" role pointing to the User1Dyn target group, which has been created with the following filters:
- Server - Description 1 contains "User1Dyn"
- Application - Description 1 contains "User1Dyn"
- Account - Description 1 contains "User1Dyn"
The same logic applies to User2 with the corresponding "Description 1", which will now contain "User2Dyn".
A device shared between both users has in Description 1 "User1Dyn User2Dyn".
The same applies to the Target Application Description 1 field, depending on whether it is shared or not (e.g. a shared application between both accounts will contain "User1Dyn User2Dyn").
After upgrading to version 3.1.1, this logic doesn't work the same way: if User1 wants to create a new "shared" device and tries to create one Target Application, it does not show in its Target Application list, even though it is actually created. What is more, User1 can't create an account on that Target Application because it doesn't show.
This used to work in versions 2.8.X, but it no longer does. Is there any way to make the logic behave like in version 2.8.X?