Credential Group assignment to PAM users

Article ID: 249045

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We need direction on how to automate, via API/CLI, getting a list of the Credential Manager Groups assigned to user accounts. This information is contained in the User Export, but this cannot be automated for audit / recertification purposes.

Environment

Release : Any supported release as of August 2022

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The following REST API resources retrieve Credential Manager (CM) user group (Credentials > Manage Credential Groups > Credential Groups) membership for user groups and users:

https://<pam address>/api.php/v1/userGroups.json/<group ID>?fields=groupName%2CpaUserGroups

and

https://<pam address>/api.php/v1/users.json/<user ID>?fields=userName%2CuserGroups%2CpaUserGroups

The paUserGroups field in each resource yields the list of CM user groups assigned to access user groups (Users > Manage User Groups) and to users (Users > Manage Users).

The userGroups field of the users resource yields access user group membership, which can be used to look up inherited group membership.

Use the "GET /api.php/v1/userGroups.json" and "GET /api.php/v1/users.json" calls to get the list of access user group IDs and user IDs, and then run through them.
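
The enumeration described above, as an added example (not Broadcom's code): it lists access user groups and users, then reports for each user the CM groups assigned directly and those inherited only through access user groups. The `userId` / `groupId` key names, the array-of-IDs shape of `userGroups` and `paUserGroups`, and the `fetch` helper (authentication and HTTPS are left to the caller) are assumptions, and the sample responses are constructed.

```python
"""Added example: effective Credential Manager (CM) groups per PAM user.
Assumed, not confirmed by the article: list calls return arrays of objects
keyed "userId" / "groupId"; userGroups and paUserGroups are arrays of IDs."""
from urllib.parse import quote

API = "/api.php/v1"
USER_FIELDS = quote("userName,userGroups,paUserGroups", safe="")
GROUP_FIELDS = quote("groupName,paUserGroups", safe="")


def cm_group_report(fetch):
    """fetch(path) returns parsed JSON for GET https://<pam address><path>."""
    groups = {}  # access user group ID -> (name, CM group IDs assigned to it)
    for g in fetch(f"{API}/userGroups.json"):
        gid = g["groupId"]  # assumed key name
        d = fetch(f"{API}/userGroups.json/{gid}?fields={GROUP_FIELDS}")
        groups[gid] = (d["groupName"], set(d.get("paUserGroups") or []))

    report = {}
    for u in fetch(f"{API}/users.json"):
        uid = u["userId"]  # assumed key name
        d = fetch(f"{API}/users.json/{uid}?fields={USER_FIELDS}")
        direct = set(d.get("paUserGroups") or [])
        inherited = {}  # CM group ID -> access user groups that grant it
        for gid in d.get("userGroups") or []:
            # A group missing from the listing is reported, not dropped.
            name, cm = groups.get(gid, (f"<unlisted group {gid}>", set()))
            for cm_id in cm - direct:
                inherited.setdefault(cm_id, []).append(name)
        report[d["userName"]] = {
            "direct": sorted(direct),
            "inherited": {k: sorted(v) for k, v in sorted(inherited.items())},
        }
    return report


# Constructed responses standing in for a live appliance (not real data).
SAMPLE = {
    f"{API}/userGroups.json": [{"groupId": 10}, {"groupId": 11}],
    f"{API}/userGroups.json/10?fields={GROUP_FIELDS}":
        {"groupName": "DBAs", "paUserGroups": [501]},
    f"{API}/userGroups.json/11?fields={GROUP_FIELDS}":
        {"groupName": "Auditors", "paUserGroups": [501, 502]},
    f"{API}/users.json": [{"userId": 1}, {"userId": 2}],
    f"{API}/users.json/1?fields={USER_FIELDS}":
        {"userName": "alice", "userGroups": [10, 11], "paUserGroups": [502]},
    f"{API}/users.json/2?fields={USER_FIELDS}":
        {"userName": "bob", "userGroups": [], "paUserGroups": []},
}
```

Calling `cm_group_report(SAMPLE.__getitem__)` runs the report against the constructed data; for recertification, diff successive reports to see which CM group assignments were added or removed.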