PAM User Has Access to Passwords Not Defined In Access Policy
Article ID: 402856

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM user has a policy configured which grants password view access to a subset of target accounts. But when they log into PAM, they see more accounts listed than the policy grants.

In this case, the user is configured to access three accounts' passwords.

When the user logs into PAM, they see six accounts listed on the Access page.

Cause

The user's configuration triggered the logic of the Dynamic Addition of Devices and Target Accounts to the Access Page Based on Target Group Membership feature. In this case, the user was configured with the Standard User and Password Manager roles and was in a Credential Manager group that used the built-in FirecallApprover CM role.

Resolution

At the moment, there is no option to disable the feature; it is hard-coded into the product. As a workaround, the Credential Manager role can be updated to remove the View Password privilege.

In this case, the built-in FirecallApprover CM role was copied, the View Password privilege was removed from the copy, and the CM group was updated to use the modified Firecall role. Afterwards, the user only saw three accounts on the Access page.
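The following is an added, simplified model of the effective-access review described in the Cause and Resolution sections; it is not CA PAM's code, and the trigger rule it encodes (Standard User plus Password Manager roles, membership in a CM group whose role carries View Password, which then exposes every account in that group's target groups) is an assumption modelled on this article. Names such as `jdoe`, `tg-linux-prod`, the account identifiers and the `FirecallApprover-NoView` role copy are constructed sample data. It shows how to compare what the access policy grants against what the user can effectively see, so the three extra accounts are flagged, and how removing View Password from the copied role collapses the effective set back to the policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CMRole:
    """A Credential Manager role and the privileges it carries."""
    name: str
    privileges: frozenset


@dataclass(frozen=True)
class CMGroup:
    """A Credential Manager group bound to one CM role and some target groups."""
    name: str
    role: CMRole
    target_groups: tuple


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset            # PAM roles, e.g. Standard User, Password Manager
    policy_accounts: frozenset  # accounts the access policy explicitly grants
    cm_groups: tuple            # CM groups the user belongs to


# Constructed sample data: one target group holding six accounts, of which
# the access policy grants the user only three.
TARGET_GROUP_MEMBERS = {
    "tg-linux-prod": frozenset({
        "root@db01", "root@db02", "root@app01",
        "oracle@db01", "oracle@db02", "svc@app01",
    }),
}

# Assumed privilege set for the built-in role; only View Password matters here.
FIRECALL_APPROVER = CMRole("FirecallApprover",
                           frozenset({"View Password", "Approve Request"}))
# The workaround from the article: a copy of the role without View Password.
FIRECALL_NO_VIEW = CMRole("FirecallApprover-NoView",
                          FIRECALL_APPROVER.privileges - {"View Password"})


def make_user(cm_role: CMRole) -> User:
    """Build the user from the article with the given CM role on their CM group."""
    return User(
        name="jdoe",
        roles=frozenset({"Standard User", "Password Manager"}),
        policy_accounts=frozenset({"root@db01", "root@db02", "root@app01"}),
        cm_groups=(CMGroup("firecall-approvers", cm_role, ("tg-linux-prod",)),),
    )


def effective_view_accounts(user: User, members=TARGET_GROUP_MEMBERS) -> frozenset:
    """Accounts the user can view passwords for: explicit policy grants plus
    (assumed rule) dynamic additions from CM group target-group membership."""
    visible = set(user.policy_accounts)
    if {"Standard User", "Password Manager"} <= user.roles:
        for group in user.cm_groups:
            if "View Password" in group.role.privileges:
                for tg in group.target_groups:
                    visible |= members.get(tg, frozenset())
    return frozenset(visible)


def accounts_beyond_policy(user: User, members=TARGET_GROUP_MEMBERS) -> frozenset:
    """Audit check: anything visible that the access policy did not grant."""
    return effective_view_accounts(user, members) - user.policy_accounts


if __name__ == "__main__":
    before = make_user(FIRECALL_APPROVER)
    after = make_user(FIRECALL_NO_VIEW)
    print("before workaround:", sorted(effective_view_accounts(before)))
    print("beyond policy:    ", sorted(accounts_beyond_policy(before)))
    print("after workaround: ", sorted(effective_view_accounts(after)))
```

Running the block lists six visible accounts before the workaround, the three that the policy never granted, and exactly the three policy accounts once the CM group uses the role copy without View Password. The same `accounts_beyond_policy` comparison is the check worth repeating after any role or group change, since the feature cannot be switched off.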