Assigning a user permissions to use passwords for autologin but not view them



Article ID: 280690


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

During daily PAM administration it may be useful to define a credential manager role that can use passwords for autologin to a remote endpoint but cannot view them. That is, viewing the password would cause an "Unauthorized" error, while accessing the device from the Access Page would work normally.

This article discusses the feasibility of such a scenario.

Environment

CA PAM up to the last 4.1.X version

Resolution

Viewing a Target Account Password and using that same password for autologin fundamentally rely on the same function call. Preventing a user from accessing a target account password therefore leaves the user unable to view it and also unable to log in with it.

For some workflow functions, for instance password view policies, the two scenarios are separated, but this is not the case for simply viewing the password versus using it for autologin. Several permissions pertaining to target account management may be combined to create a similar effect; however, since the two functions are not completely separated, this will not work.