Is there a way to prevent the PAM super account from being able to access highly secret credentials stored in PAM, or at least require an approval mechanism before getting access, and a notification after it has accessed the credential?  We need to store recovery keys for another system in PAM and don't want  any single account (including PAM super) to be able to access enough keys to get quorum (3 keys).

Release : 4.1

Currently PAM does not allow customization of the super user privileges. The option to configure Credential Manager User group assignment is greyed out. It is possible for another PAM admin user to disable the super user and prevent super logins that way, but this takes away one option to recover from a serious problem. It also is possible to define limited IPs or IP ranges from where the super user is allowed to logon. This is the IP Ranges setting under the Administration tab in the User editor. On the same page a list of email addresses can be configured that PAM will send a message to when the super user logs on. If you have syslog or Splunk integration configured, login and administrative activities by the super user can be tracked on the syslog/Splunk server. In a cluster environment the session logs in the PAM UI will show logins and activities for the local node only. The syslog server will cover activity on all nodes, as long as they are configured to send messages to the same syslog server.