We need direction with how to automate via API/CLI how to get a list the Credential Manager Groups assigned to user accounts. This information is contained in the User Export, but this cannot be automated for audit / recertification purposes.
Release : Any supported release as of August 2022
Component : PRIVILEGED ACCESS MANAGEMENT
The following Rest API resources retrieve Credential Manager (CM) user group (Credentials > Manage Credential Groups > Credential Groups) membership for user groups and users:
https://<pam address>/api.php/v1/userGroups.json/<group ID>?fields=groupName%2CpaUserGroups
and
https://<pam address>/api.php/v1/users.json/<user ID>?fields=userName%2CuserGroups%2CpaUserGroups
Fields paUserGroups yield the list of CM user groups assigned to access user groups (Users > Manage User Groups) and users (Users > Manage Users).
Field userGroups for the users resource yields access user group membership, which can be used to lookup inherited group membership.
Use the "GET /api.php/v1/userGroups.json" and "GET /api.php/v1/users.json" calls to get the list of access user group IDs and user IDs, and then run through them.