After upgrading from version 3.4.0 to 4.0.1 or 4.0.2, users who previously saw in the "Access" and "Target Accounts" option only accounts in the scope of their Credential Manager role, are now seeing all devices and all the target accounts.
Although they are not allowed to access devices or view passwords outside of their scope, this is considered a risk for them to see these target accounts. It is very confusing to the users as well.
There was an implementation change in 4.0.1 in the way target accounts are retrieved for users after logging in, because the old way tripped over conflicting privileges from multiple roles. This change requires the List Target Accounts privilege to correctly filter the subset of accounts that the user should see based on the scope (target group) of the Credential Manager role associated with the Credential Manager group that the PAM user is assigned to. The role had other target account privileges assigned, but not the List Target Accounts privilege.
Release : 4.0.1, 4.0.2
Component : PRIVILEGED ACCESS MANAGEMENT
Adding the "List Target Accounts" privilege to the Credential Manager role resolved the issue. This privilege should be included in any role that allows users access to (a subset of) target accounts.