Authorization not required for a user to access a device in a device group

Article ID: 281166

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Consider the following scenario:

* Device group DGROUPA, containing several devices: DEVICE1, DEVICE2, ...

* DGROUPA uses one or more credential sources, CSOURCE1, CSOURCE2, ... with PVP (Password View Policy) enabled on CSOURCE1, so that dual authorization is required before one of its credentials can be used

* User group UGROUPA, containing several users: USER1, USER2, ...

* DGROUPA, together with CSOURCE1 and CSOURCE2, is assigned by policy to UGROUPA

Suppose USER1 initiates autologin to a device in DGROUPA, say DEVICE1, using CSOURCE1 as the credential source.

With this configuration, the user is prompted to choose an account from CSOURCE1 to log in with. Since CSOURCE1 has PVP enabled, the approvers are prompted to authorize the access. The authorization stays valid for the period of time defined in the PVP.

Now suppose another user from UGROUPA, USER2, tries to access a different device in DGROUPA, say DEVICE2, using the same account from CSOURCE1 as before, and the authorization granted earlier has not yet expired.

The result is that USER2 is able to access DEVICE2 with the credentials provided by CSOURCE1 without any approval being requested.

Is this behaviour normal?

Environment

CA PAM all versions up to 4.1.6

Resolution

This behaviour is working as designed. The approval is tied to the specific account in the credential source, not to the user or the device that triggered it: once granted, it remains valid for every device in the device group until it expires. Because the device group is associated to the user group by policy, every user in that user group shares the authorization, so any of them can log in to any device in the device group with the approved credentials without a new approval. A different account from the same credential source still needs its own approval, and a new approval is requested once the earlier one has expired.
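The following Python model makes the scope of the approval explicit. It is an added illustration written for this article, not CA PAM code: the class names, the `approve`/`request_autologin` methods and the result strings are assumptions made for the example. What it encodes is the behaviour described above: an approval is keyed on the (credential source, account) pair only, so it is shared by every user and device the policy covers, expires after the PVP period, and does not carry over to a different account.

```python
"""Illustrative model of PVP dual-authorization scope (added example, not CA PAM code)."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One policy assigning a device group (and its credential sources) to a user group.
    The field names are assumptions for this illustration."""
    user_group: frozenset        # users sharing the policy
    device_group: frozenset      # devices reachable through the policy
    credential_sources: frozenset  # credential sources attached to the device group
    pvp_sources: frozenset       # subset of credential_sources with PVP (dual authorization)
    approval_ttl: float          # seconds an approval remains valid, per the PVP definition


class ApprovalRegistry:
    """Approvals are stored per (credential source, account), never per user or device."""

    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock                 # injectable clock so expiry can be simulated
        self._approved = {}                # (source, account) -> expiry timestamp

    def approve(self, source, account):
        """Approvers grant the request: the account becomes usable until the TTL elapses."""
        self._approved[(source, account)] = self.clock() + self.policy.approval_ttl

    def request_autologin(self, user, device, source, account):
        """Return 'denied', 'approval_required' or 'granted' for an autologin attempt."""
        p = self.policy
        if user not in p.user_group or device not in p.device_group \
                or source not in p.credential_sources:
            return "denied"                # the policy does not cover this combination
        if source not in p.pvp_sources:
            return "granted"               # no PVP on this source: no dual authorization
        expiry = self._approved.get((source, account))
        if expiry is None or expiry <= self.clock():
            self._approved.pop((source, account), None)   # drop stale approvals
            return "approval_required"     # approvers are prompted for this account
        return "granted"                   # reuse the approval, whoever and wherever it came from


def walk_through_scenario():
    """Replay the article's scenario with a simulated clock; returns each step's outcome."""
    now = [1000.0]                         # constructed timestamp, advanced manually below
    policy = Policy(
        user_group=frozenset({"USER1", "USER2"}),
        device_group=frozenset({"DEVICE1", "DEVICE2"}),
        credential_sources=frozenset({"CSOURCE1", "CSOURCE2"}),
        pvp_sources=frozenset({"CSOURCE1"}),
        approval_ttl=3600,                 # assumed one-hour PVP validity
    )
    reg = ApprovalRegistry(policy, clock=lambda: now[0])
    results = {}
    # USER1 picks account "root" (constructed name) from CSOURCE1 on DEVICE1: approvers prompted
    results["user1_first"] = reg.request_autologin("USER1", "DEVICE1", "CSOURCE1", "root")
    reg.approve("CSOURCE1", "root")
    results["user1_after_approval"] = reg.request_autologin("USER1", "DEVICE1", "CSOURCE1", "root")
    # USER2 on DEVICE2 with the same account: the approval is reused, nobody is prompted
    results["user2_other_device"] = reg.request_autologin("USER2", "DEVICE2", "CSOURCE1", "root")
    # A different account from CSOURCE1 needs its own approval
    results["user2_other_account"] = reg.request_autologin("USER2", "DEVICE2", "CSOURCE1", "admin")
    # CSOURCE2 has no PVP, so no approval is involved at all
    results["user2_non_pvp_source"] = reg.request_autologin("USER2", "DEVICE2", "CSOURCE2", "root")
    # A user outside UGROUPA is not covered by the policy
    results["user3_not_in_group"] = reg.request_autologin("USER3", "DEVICE2", "CSOURCE1", "root")
    # After the PVP period elapses the approval is gone and is requested again
    now[0] += 3601
    results["user2_after_expiry"] = reg.request_autologin("USER2", "DEVICE2", "CSOURCE1", "root")
    return results


if __name__ == "__main__":
    for step, outcome in walk_through_scenario().items():
        print(f"{step:24s} -> {outcome}")
```

The model shows why the sharing happens: nothing about the requesting user or target device enters the approval key. Consistent with the design described here, the only way to narrow who benefits from an approval is to narrow the user group, device group or policy that binds them, or to use distinct accounts in the credential source, since each account is approved separately.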