In an attempt to remove Global Settings access from our Operations team, we created a copy of the Operational Administrator role and removed the Manage Global Settings permission.
Now, when a user with the modified Op Admin role tries to add a group to a user's Credential Manager (CM) user group assignment, the following error appears:
PAM-CMN-0235: User is not allowed to manage the Password Authority group <group name>.
When the Op Admin user tries to remove an existing CM user group assignment, it also fails with the error:
PAM-CMN-0273: User <user name> must be associated with Password Authority user group <group name>.
The Op Admin user is a Password Manager and a member of the CM user group System Admins Group.
As soon as we add the default Operational Admin group, the errors go away. Why does the Manage Global Settings privilege impact assignment of Credential Manager user groups?
The errors are not dependent on the Manage Global Settings privilege and will persist even when that privilege is added back into the custom role. The built-in Operational Administrator role has a special internal privilege, shared only with Global Administrator, that gives it a free pass when it comes to assigning Credential Manager user groups. It is also the reason you do not need to select user and device groups when assigning this role to a user or user group. That internal privilege is not copied into any custom role, even one created as a copy of the Operational Administrator role with exactly the same visible privileges. An admin user with a custom role, or in general any role other than Global or Operational Administrator, can only assign to other users those CM user groups that the admin user itself is a member of.
Release : 3.3
Component : PRIVILEGED ACCESS MANAGEMENT
Assign all CM user groups to the operational administrators with custom roles that you want them to be able to assign to other PAM users.
Example: If you want "Admin A" with a modified operational administrator role to be able to assign the "Simple Approvers" CM user group to another PAM user, add the "Simple Approvers" group to the list of CM groups for "Admin A".
Note that up to PAM 3.3, Credential Manager user group membership could be assigned to individual users only. From PAM 3.4 on, this can also be done at the user group level; see the section "Credential Manager Role Inheritance", for example on the page https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-4-1/release-information/new-features-and-enhancements-in-3-x-releases/new-features-and-enhancements-in-3-4.html.