Add Target Application Access not honored



Article ID: 275033


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are implementing an LPA model to reduce audit/security risk. We wish to avoid using the "Global Administrator" Role for a REST service ID. We have implemented the "Operational Administrator" Role, along with a new CM Role with all access, including "add target application," and provide this CM Role with the CM Group to the service ID.

During testing with the PAM UI with the new access, we seem to have all access except the "addTargetApplication" privilege. We get the same error in API Doc with the REST credentials.


But our role includes the "Add Target Application" privilege:

Environment

Applies to any PAM release as of October 2023.

Cause

The error is somewhat misleading. The target application could not be added because the user did not have privileges to access the target server. The problem was caused by a missing target group assignment in the CM user group definition:

Because no target group was assigned, PAM did not apply the role's set of privileges to any target server, so the "Add Target Application" privilege in the role was never effective.

Resolution

Define a target group, and also a request group, for the CM user group. If you do not want to limit the role to a subset of target servers or request servers, use the built-in groups Targets and Requestors:
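The cause and resolution above describe a scoped-privilege model: a role supplies the privilege, and the user group's target group supplies the servers that privilege applies to; an empty scope makes every privilege ineffective. The following is an added illustration of that logic, written for this article and not taken from CA PAM's code or API. Every name in it (Role, UserGroup, can_perform, explain_denial, the server names and the "DB servers" group) is a hypothetical construction; only the idea of a "Targets" group covering all servers follows the article.

```python
"""Simplified model of scoped privileges (hypothetical, not CA PAM code).

It shows why a role that contains "addTargetApplication" is still denied
when the user group that carries the role has no target group assigned,
and how assigning a target group such as "Targets" makes it effective.
Requires Python 3.9+ for the builtin generic annotations.
"""

from dataclasses import dataclass, field

# Constructed sample data: a few target servers and two target groups.
# "Targets" is modelled on the article's all-servers group; "DB servers"
# is an invented restricted subset.
ALL_TARGETS = {"srv-db-01", "srv-web-01", "srv-app-01"}
TARGET_GROUPS = {
    "Targets": ALL_TARGETS,
    "DB servers": {"srv-db-01"},
}


@dataclass
class Role:
    name: str
    privileges: set[str]


@dataclass
class UserGroup:
    name: str
    roles: list[Role]
    target_groups: list[str] = field(default_factory=list)

    def target_scope(self) -> set[str]:
        """Union of all servers reachable through the assigned target groups.
        With no target group assigned the scope is empty, so no privilege
        in any role of this group ever applies to any server."""
        scope: set[str] = set()
        for g in self.target_groups:
            scope |= TARGET_GROUPS[g]
        return scope


def has_privilege(group: UserGroup, privilege: str) -> bool:
    """True if at least one role assigned to the group grants the privilege."""
    return any(privilege in r.privileges for r in group.roles)


def can_perform(group: UserGroup, privilege: str, server: str) -> bool:
    """A privilege is effective only if a role grants it AND the server
    lies inside the group's target scope."""
    return has_privilege(group, privilege) and server in group.target_scope()


def explain_denial(group: UserGroup, privilege: str, server: str) -> str:
    """Diagnostic that separates a missing privilege from a missing scope,
    which is the distinction the article's misleading error hides."""
    if not has_privilege(group, privilege):
        return f"role lacks privilege {privilege}"
    if not group.target_scope():
        return "no target group assigned to user group; privileges apply to no server"
    if server not in group.target_scope():
        return f"{server} is outside the group's target groups"
    return "allowed"


def demo() -> dict[str, bool]:
    """Evaluate the article's broken and corrected configurations plus a
    restricted variant; returns a name -> allowed mapping."""
    cm_role = Role("CM full access", {"addTargetApplication", "updateTargetApplication"})
    # Misconfigured: role assigned, no target group (the article's cause).
    broken = UserGroup("CM Group", [cm_role])
    # Corrected: same role, scoped to all servers (the article's resolution).
    fixed = UserGroup("CM Group", [cm_role], target_groups=["Targets"])
    # Variant: same role limited to a subset of servers.
    restricted = UserGroup("CM Group DB", [cm_role], target_groups=["DB servers"])
    priv = "addTargetApplication"
    return {
        "broken": can_perform(broken, priv, "srv-web-01"),
        "fixed": can_perform(fixed, priv, "srv-web-01"),
        "restricted_in_scope": can_perform(restricted, priv, "srv-db-01"),
        "restricted_out_of_scope": can_perform(restricted, priv, "srv-web-01"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Running the script prints "broken: denied" and "fixed: allowed" for the same role, which is the behaviour the article describes; the explain_denial helper is the check a practitioner would want when the product's own error message only says the privilege is missing.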