Dynamic target group with Not Contains condition missing many accounts



Article ID: 424378


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

You have a use case where a group of PAM administrators should be able to manage all target accounts except for a few protected ones, which are marked in PAM with a label in a descriptor field, such as the word "protected" in Descriptor 1. You define a dynamic target group that is meant to contain every account except the protected ones, using a "Not Contains" condition on the Descriptor 1 field (Descriptor 1 Not Contains "protected").

But when you use the Show button to check whether the group includes all accounts whose Descriptor 1 field does not contain the word "protected", you find that many target accounts are missing. When you edit any of the missing accounts, you find that their Descriptor 1 field is empty. If you close the account editor by clicking OK rather than Cancel, without changing anything, and then check the target group again, the account you just edited now shows up.

Cause

When a target account is created via an API call, such as the REST API resource "POST /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts", only the attributes specified in the call are saved in the database. PAM does not create placeholders, so if no descriptors are provided, those attributes do not exist for that account. A filter condition on an optional attribute is evaluated only for accounts that have the attribute defined; an account for which the attribute does not exist is neither matched nor rejected, it is simply never pulled into the group. When you edit an account manually and click OK, PAM saves every field presented in the editor, including empty fields, even when nothing was changed. From that point on the account has database entries for the descriptor fields, whether or not they have contents, and can satisfy a "Not Contains" condition on a descriptor.

Resolution

Avoid using "Not Contains" filters on optional attributes. Use them only with required attributes, or with attributes you set explicitly for every account you create (including accounts created through the API). For protected accounts it may be best to define dedicated target applications and use a distinctive substring in the application name. A "Not Contains" filter on the target application name is always valid, because every application has to have a name.
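The following Python model illustrates both the Cause and the Resolution above: a "Not Contains" condition that is only evaluated for records carrying the attribute, the effect of the editor's OK button, an audit that lists the accounts such a filter silently skips, and why the same condition on the application name has no gap. This is an added illustration, not CA PAM code; the record layout, the field names "Descriptor 1" and "Application Name", the sample accounts and the evaluation rule are assumptions chosen to match the behaviour the article describes.

```python
# Added model of dynamic-group filtering on optional attributes.
# Not CA PAM code: field names, sample accounts and the evaluation
# rule are assumptions matching the behaviour described in the article.
from typing import Dict, Iterable, List

Account = Dict[str, str]

# Constructed sample data. API-created records carry only the attributes
# the caller supplied; records saved from the editor carry every editor
# field, including empty ones.
ACCOUNTS: List[Account] = [
    {"name": "root@db01", "Application Name": "Linux-Protected", "Descriptor 1": "protected"},
    {"name": "appuser@db01", "Application Name": "Linux-Prod", "Descriptor 1": ""},  # saved with OK in the editor
    {"name": "svc@web01", "Application Name": "Linux-Prod"},  # created via API, no descriptor stored at all
    {"name": "admin@sw01", "Application Name": "Cisco-Protected", "Descriptor 1": "protected"},
    {"name": "backup@web02", "Application Name": "Linux-Prod", "Descriptor 1": "nightly"},
]

EDITOR_FIELDS = ("Descriptor 1", "Descriptor 2")


def not_contains_attribute_only(accounts: Iterable[Account], field: str, needle: str) -> List[str]:
    """The behaviour described in the Cause section: the condition is only
    evaluated for records that actually have the attribute. A record without
    the attribute is neither matched nor rejected; it never appears."""
    return [a["name"] for a in accounts if field in a and needle not in a[field]]


def not_contains_with_default(accounts: Iterable[Account], field: str, needle: str) -> List[str]:
    """What administrators usually expect: a missing attribute is treated as
    an empty string, which trivially does not contain the needle."""
    return [a["name"] for a in accounts if needle not in a.get(field, "")]


def accounts_missing_attribute(accounts: Iterable[Account], field: str) -> List[str]:
    """Audit helper: accounts a 'Not Contains' filter on `field` will skip
    silently because the attribute was never stored for them."""
    return [a["name"] for a in accounts if field not in a]


def save_from_editor(account: Account, editor_fields: Iterable[str] = EDITOR_FIELDS) -> Account:
    """Model the editor's OK button: every presented field is written back,
    so an absent descriptor becomes an empty-string entry. Existing values win."""
    return {**{f: "" for f in editor_fields}, **account}


def demo() -> Dict[str, List[str]]:
    """Run the scenario end to end and return the group membership at each step."""
    before = not_contains_attribute_only(ACCOUNTS, "Descriptor 1", "protected")
    skipped = accounts_missing_attribute(ACCOUNTS, "Descriptor 1")
    after_editor = not_contains_attribute_only(
        [save_from_editor(a) for a in ACCOUNTS], "Descriptor 1", "protected"
    )
    # Resolution: filter on the application name instead. Every record has one,
    # so the attribute-only rule and the default rule agree.
    by_app = not_contains_attribute_only(ACCOUNTS, "Application Name", "Protected")
    return {
        "descriptor_filter": before,        # svc@web01 is missing
        "silently_skipped": skipped,        # ['svc@web01']
        "after_editor_ok": after_editor,    # svc@web01 now appears
        "application_name_filter": by_app,  # complete without touching any account
    }


if __name__ == "__main__":
    for step, members in demo().items():
        print(f"{step}: {members}")
```

The audit in `accounts_missing_attribute` is the check worth running before relying on any descriptor-based exclusion: if it returns anything, those accounts are outside the group regardless of what their descriptor "should" say.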

Additional Information

You can create multiple target applications of the same type for the same device. And you can move existing accounts to a new application with a different name, but otherwise the same properties as the old application, by editing the account and changing the Application Name field.