Ultimately when a Cluster is in "Operational Safe" - if all your primaries are down in your Primary Cluster and it you have secondary's then during this time period you will get the following message in session logs:
PAM-CMN-1080: Unauthorized attempt to add a message to the audit log: Code: PAM-CMN-5164 Parameters:
Message: PAM-CMN-5164: Could not get the IP of the king of the Group Replication
During the time period it is down, we also send the following messages to Splunk:
PAM-CM-0615: Primary site is unavailable. Any workflow tasks associated with the account's password view policy (dual authorization, change password, or check-in/checkout) have not been performed..
So the user will be able to auto-connect or view the password without the PVP taking place.
However in Splunk - it will forward the following messages as well:
PAM-CMN-1420: Auto-login initiated with target account Name : root and target account Id : 35001
with the servername:
hostname=dedke01-pam40a (Secondary servername) ,log_id=5400002,trans_type=connection,created=2022-06-08 17:41:20,ip_source=<ip address>,u_name=super,dom_name=<ip address>,port=,task_name=SSH,detail=PAM-CMN-1420: Auto-login initiated with target account Name : root and target account Id : 35001 .,local_ip_source=<ip address> ,public_ip_source=,s_name=,hostID=24001,extlog_sent=0,sessionID=0,h_id=<target device name>,target_account=root,pvr_id=4001,machine_id=E05C6EAE95BDD806A96DC1C0EACEE8C9108414A9