How to configure a user who must not view target accounts password

book

Article ID: 196789

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

We want to create a read only account which can only view accounts and not its password.
We want to use the feature introduced in 3.4 to assign the user the relevant Credential Manager privileges via a Session Manager Group.

Cause

We assigned the user the a Credential Manager Group / Credential Manager Role via a Session Manager Group.

Even the relevant Credentential Manager Role lacks the "View Target Account Password" privilege, the user is able to see all the Target Account's passwords in the details feature of each account.

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

PAM users not explicitly assigned any assigned Credential Manager Group always become default members of the Credential Manager Group (CMGroup) "Standard Users".  

The “Standard Users” CMGroup has FirecallUser role with “View Account Password” privilege.  
So, any member of “Standard Users” can view all target account passwords.  

This remains true even when the user might have inherited a CMGroup other than “Standard Users” by means of a Session Manager User Group (SMGroup).  

The only way to prevent the user from viewing the target account password in this case is to explicitly assign the user the Session Manager Role with “Manage Passwords” privilege, e.g., Password Manager role, and add the user to the CMGroup, such as “Base Users” that does not have View Account Password privilege.  This removes the user from the “Standard Users” CM group.  The user, therefore, no longer has View Account Password privilege.

Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-4-1/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-users/configure-user-groups.html#concept.dita_34b9dc1b98261f15d016d5d18bb325acd5c0a1d4_UsetheUITemplatetoCreateaGroup

Credential Manager Role Inheritance