Whenever a device is added to CA PAM, there is the possibility of checking whether it will be enabled for Password Management or not

Whenever this is done, an entry is created in the password management database so that each defined device with password management enabled (no matter how many target applications or target accounts are defined for it) will use one license.

There are however some devices which come predefined whenever a PAM appliance is installed and which correspond to objects required for managing connections to third party, integrations, etc, which, even though having Password Management enabled, will NOT use a license.

As of CA PAM 3.3.X and 3.4.X these are

nim.pam.ca.com

tap.ca.com

xceedium.aws.amazon.com

xceedium.nsx.vmware.com

ca.portal.azure.com

apikey.xceedium.com