How to configure a user who must not view target account passwords


Article ID: 196789




CA Privileged Access Manager (PAM); CA Privileged Access Manager - Cloakware Password Authority (PA); PAM SAFENET LUNA HSM; CA Privileged Access Manager - Server Control (PAMSC)


We want to create a read-only account that can view accounts but not their passwords.
We want to use the feature introduced in 3.4 to assign the user the relevant Credential Manager privileges via a Session Manager Group.


We assigned the user a Credential Manager Group / Credential Manager Role via a Session Manager Group.

Even though the relevant Credential Manager Role lacks the "View Target Account Password" privilege, the user is able to see all the Target Accounts' passwords in the details feature of each account.


Release : 3.4



PAM users who are not explicitly assigned a Credential Manager Group always become default members of the Credential Manager Group (CMGroup) “Standard Users”.

The “Standard Users” CMGroup has the FirecallUser role, which includes the “View Account Password” privilege.
So, any member of “Standard Users” can view all target account passwords.

This remains true even when the user might have inherited a CMGroup other than “Standard Users” by means of a Session Manager User Group (SMGroup).  

The only way to prevent the user from viewing target account passwords in this case is to explicitly assign the user a Session Manager Role with the “Manage Passwords” privilege (e.g., the Password Manager role) and add the user to a CMGroup, such as “Base Users”, that does not have the View Account Password privilege. This removes the user from the “Standard Users” CMGroup, so the user no longer has the View Account Password privilege.
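The membership rule above can be checked offline against an export of user assignments. The following is an added example, not Broadcom code and not a PAM API: it models the rule as described in this article, assuming privileges from explicit and inherited CMGroups are combined. The `User` fields, the sample users and the "Base Users" privilege set are constructed.

```python
from dataclasses import dataclass, field

VIEW_PW = "View Account Password"
DEFAULT_GROUP = "Standard Users"

# CMGroup -> privileges granted by its role.
# "Standard Users" (FirecallUser role) is taken from the article;
# the privilege set shown for "Base Users" is a constructed placeholder.
CM_GROUP_PRIVS = {
    "Standard Users": {VIEW_PW},
    "Base Users": {"<read-only privileges>"},
}

@dataclass
class User:
    name: str
    explicit_cm_groups: set = field(default_factory=set)   # assigned directly to the user
    inherited_cm_groups: set = field(default_factory=set)  # via Session Manager Groups

def effective_cm_groups(user):
    # A user with no explicit CMGroup is a default member of "Standard Users",
    # even when another CMGroup is inherited through an SMGroup.
    base = user.explicit_cm_groups or {DEFAULT_GROUP}
    return base | user.inherited_cm_groups

def can_view_passwords(user):
    # Unknown group names raise KeyError so the audit fails closed.
    return any(VIEW_PW in CM_GROUP_PRIVS[g] for g in effective_cm_groups(user))

def audit(users):
    """Names of users who hold View Account Password only by default membership."""
    return sorted(u.name for u in users
                  if not u.explicit_cm_groups and can_view_passwords(u))

# Constructed sample data.
USERS = [
    User("auditor1", inherited_cm_groups={"Base Users"}),  # the case in this article
    User("auditor2", explicit_cm_groups={"Base Users"}),   # the documented fix
    User("ops1"),                                          # no assignment at all
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, sorted(effective_cm_groups(u)), can_view_passwords(u))
    print("Review:", audit(USERS))
```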

Additional Information

Credential Manager Role Inheritance