You see this above error many times in the PAM session logs. The users are PVP approvers with a custom CM group/roles membership, but also have the Standard User role inherited from a user group. You are not aware of the users having a problem with the PAM UI. What causes those messages and can they be avoided?

The role configuration is such that these users are subject to feature Dynamically Add Devices and Target Accounts to the Access Page Based on Target Group Membership. However, that feature is not desirable. The access page should only show devices which had explicit access policies configured for the users. To accomplish this a custom approver role was created starting with the FirecallApprover role and removing unnecessary privileges including the "List Target Accounts" privilege. It provides the desired list of devices on the access page, but every time the user goes to the access page PAM runs into this error trying to get the list of target accounts the user has access to in order to determine what items should be added dynamically to the access page.

In the PAM 4.2 release there is no configuration that could be updated to avoid these messages w/o adding the "List Target Accounts" privilege. From a PAM perspective they are valid messages. PAM tries to populate the access page as designed, but can't do it due to a missing privilege. With PAM 4.2.X there is no option to turn the dynamic addition of devices feature off. The privilege check and logging of errors is not specific to this activity and dropping the messages could hide other problems that you would want to be alerted on.

Since the 4.3 release the dynamic addition of devices and target accounts for users with specific Credential Management user group assignments can be turned off, see section Dynamically Add Devices and Target Accounts to the Access Panel Based on Target Group Membership on page New Features and Enhancements in 4.3.