PAM-CMN-2282: Unable to retrieve target account list for policies - error was PAM-CM-0553: Authorization failed. User xxx does not have permission for this action.



Article ID: 276299


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

You see the above error many times in the PAM session logs. The affected users are PVP approvers with a custom CM group/role membership, but they also have the Standard User role inherited from a user group. You are not aware of these users having any problem with the PAM UI. What causes these messages, and can they be avoided?

Environment

Applies to all PAM releases as of November 2023.

Cause

The role configuration is such that these users are subject to the feature Dynamic Addition of Devices and Target Accounts to the Access Page Based on Target Group Membership. In this case, however, that feature is not wanted: the access page should show only devices for which explicit access policies were configured for the users. To accomplish this, a custom approver role was created, starting from the FirecallApprover role and removing unnecessary privileges, including the "List Target Accounts" privilege. The custom role produces the desired list of devices on the access page, but every time a user opens the access page PAM runs into this error while trying to get the list of target accounts the user has access to, which it needs in order to determine which items should be added dynamically to the access page.

Resolution

There is no configuration that could be updated to avoid these messages without adding the "List Target Accounts" privilege. From a PAM perspective they are valid messages: PAM tries to populate the access page as designed, but cannot do so because of the missing privilege. There is no option to turn the dynamic addition of devices feature off. The privilege check and the logging of errors are not specific to this activity, and suppressing the messages could hide other problems that you would want to be alerted on.
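Because the messages cannot be switched off and filtering them wholesale would hide real authorization failures, a practical middle ground is to triage them at log-review time: count the PAM-CM-0553 hits that occur inside a PAM-CMN-2282 line for the approvers whose custom role deliberately lacks "List Target Accounts", and surface every other PAM-CM-0553 for review. The following is an added example, not code from the article or from the PAM product; the session log layout (`<timestamp> user=<name> <message>`) and the sample lines are constructed assumptions, since the article quotes only the message text.

```python
import re
from collections import Counter

# Constructed sample lines (not from the article): the article gives only the
# message text, so the "<timestamp> user=<name> <message>" layout is an assumption.
SAMPLE_LOG = """\
2023-11-02 09:15:01 user=approver1 PAM-CMN-2282: Unable to retrieve target account list for policies - error was PAM-CM-0553: Authorization failed. User approver1 does not have permission for this action.
2023-11-02 09:15:42 user=approver2 PAM-CMN-2282: Unable to retrieve target account list for policies - error was PAM-CM-0553: Authorization failed. User approver2 does not have permission for this action.
2023-11-02 09:16:10 user=approver1 PAM-CMN-2282: Unable to retrieve target account list for policies - error was PAM-CM-0553: Authorization failed. User approver1 does not have permission for this action.
2023-11-02 09:17:55 user=opsadmin PAM-CM-0553: Authorization failed. User opsadmin does not have permission for this action.
2023-11-02 09:18:03 user=approver1 Access page loaded
"""

ACCESS_PAGE_NOISE = "PAM-CMN-2282"   # emitted while PAM builds the access page
AUTHZ_FAILED = "PAM-CM-0553"         # generic authorization failure

USER_RE = re.compile(r"user=(\S+)")
CODE_RE = re.compile(r"PAM-[A-Z]+-\d+")


def parse_line(line):
    """Return (user, set_of_message_codes) for one log line; user is None if absent."""
    m = USER_RE.search(line)
    user = m.group(1) if m else None
    return user, set(CODE_RE.findall(line))


def triage(lines, restricted_approvers):
    """Split PAM-CM-0553 hits into expected noise and lines that need review.

    A 0553 counts as expected only when it is wrapped in a PAM-CMN-2282 (the
    access-page target-account lookup) AND the user is one of the approvers
    whose custom role intentionally lacks "List Target Accounts". Any other
    0553 is returned for review, so unrelated permission problems stay visible.
    """
    expected = Counter()
    review = []
    for line in lines:
        user, codes = parse_line(line)
        if AUTHZ_FAILED not in codes:
            continue
        if ACCESS_PAGE_NOISE in codes and user in restricted_approvers:
            expected[user] += 1
        else:
            review.append(line)
    return {"expected": expected, "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(), {"approver1", "approver2"})
    for user, n in sorted(result["expected"].items()):
        print(f"expected access-page noise for {user}: {n}")
    for line in result["review"]:
        print(f"REVIEW: {line}")
```

The set of restricted approvers is the allow-list that makes this safe: a PAM-CM-0553 from any user outside that set, or one not wrapped in the access-page lookup, is never counted as noise. Keep that set in step with the membership of the custom approver role, otherwise a newly added approver shows up in the review list until the set is updated.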