We are working to create users that only have privileges to approve password requests for direct view or for access.
We created a Credential User Group and configured it to use the FirecallApprover role.
In the PAM user entry we set the "Password Manager" role, and under Credential Manager Groups we selected the Credential User Group that was defined before.
However, when we try to add this user as approver to a password view policy, we get the following error:
PAM-CM-1056: Password view policy approvers are not able to access the target accounts that use this policy.
Release: 4.0
Component: PRIVILEGED ACCESS MANAGEMENT
The Credential Manager user group was missing the target group scope. It was defined as follows with a blank target group field:
PAM verifies that the approver is allowed to use its privileges against the target accounts that use the password view policy being updated. A user group with no target group scope has no such accounts in scope, so the check fails. Adding the target group scope to the user group definition resolves the problem. If your approvers are meant to be able to approve password requests for any target account, use the target group "Targets" as follows:
Important Note: The built-in FirecallApprover role includes the privilege "View Account Password". If you assign the above group to a user, that user will be able to view all target account passwords. If this is not desired, make a copy of the default FirecallApprover role on page Credentials > Manage Credential Groups > Credential Roles and remove privileges such as "View Account Password" until the role fits your use case. If you want the user to manage password views for a subset of target accounts only, define a target group on page Credentials > Manage Targets > Target Groups and configure the new target group to include only the desired set of accounts. The password view policy would then have to be limited to use within this target group.