Credential Management has a list of reports that are accessed from the Credentials > Reports menu. We would like to allow some PAM users to run reports without inadvertently granting them other rights.

What are the minimum privileges to run credential management reports such as the Cluster State report?

Applies to any supported PAM release and environment as of February 2019.

PAM has privileges specifically for credential management reports. There is a built-in credential management role named ViewReports that is meant to be used for this purpose. It includes four privileges: Event Processing Status, Generate Report, List Reports and Schedule Report.
If you prefer to use custom roles rather than assigning the built-in ViewReports role, and want a user to be able to see the list of reports and run them but not necessarily schedule reports, you will need to include at least the following two privileges:

List Reports
Generate Reports

Multiple reports have filter options which may require additional privileges. The Cluster State report has an Origin Host Name filter. This refers to the Hostname column that specifies which host/cluster node a given log entry originated from. The filter allows you to select from the list of target servers defined in PAM. In most cases this is not useful for the Cluster State report since PAM cluster members typically are not defined as devices/target servers. If you wanted to use the filter anyway, you would need to be allowed to search/select target servers, which requires the following privilege:

Search Target Server

Other reports allow selections of specific target accounts, target applications etc. To allow use of the filters, you need to add the corresponding Search privilege, such as Search Target Account, Search Target Application etc.