Minimum set of privileges required to update target account passwords in the PAM UI

Article ID: 439420

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

You have a group of users who should be able to update/reset the password of a set of target accounts, which you can define in a static or dynamic target group. You need to know the minimum set of Credential Management privileges required to allow this activity.

Resolution

The following set of seven privileges is the minimum required for a PAM user to edit a target account from the Credentials > Manage Targets > Accounts page, enter a new password and save it:

  • Get Password View Policy
  • Get Target Account
  • Get Target Application
  • Get Target Server
  • List Target Accounts
  • Update Target Account
  • View Account Password

The user must be assigned the Password Manager role and must be a member of a Credential Management (CM) group that is assigned both the target group containing the accounts the user is meant to update and a CM role that includes the seven privileges above. The target group can be static or dynamic; only accounts in that group will be editable, which keeps the grant scoped to the intended accounts.

Depending on your use case you may need to include the following additional privileges:

  • List Password History - This is required if the password composition policy assigned to the target application the account belongs to includes a "Minimum Iterations Before Reuse" setting other than 0, i.e. the new password is not allowed to match any of the most recent X passwords. To check this, the user must have the privilege to list the password history.
  • Get Password History - This is required in combination with the "List Password History" privilege, if the user needs to be able to view the historic passwords of the account in the UI.
  • Update Target Account Password - This is required for the user to be able to use the Generate Credential icon (key icon) to have PAM generate a new random password, instead of the user entering a new password manually.
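The rules above (a fixed base set, plus extra privileges that depend on the password composition policy and on whether the user may view history or generate passwords) are easy to get wrong when auditing several CM roles by hand. The following is an added example, not PAM code or any PAM API: it encodes the article's rules as a small audit helper that reports which privileges a role is missing for a given use case. The privilege names are the ones listed in this article; the roles, policy values and use-case flags are constructed inputs.

```python
"""Audit CA PAM Credential Management roles against the minimum privilege set
described in this article. Added illustrative example; it models the article's
rules and is not PAM's own code or API. Privilege names are quoted from the
article; the role definitions below are constructed sample data."""

# The seven privileges always required to edit a target account and save a new
# password from Credentials > Manage Targets > Accounts.
BASE_PRIVILEGES = frozenset({
    "Get Password View Policy",
    "Get Target Account",
    "Get Target Application",
    "Get Target Server",
    "List Target Accounts",
    "Update Target Account",
    "View Account Password",
})


def required_privileges(min_iterations_before_reuse=0,
                        view_password_history=False,
                        generate_password=False):
    """Return the privilege set a CM role needs for the given use case.

    min_iterations_before_reuse: value of the password composition policy
        setting assigned to the account's target application; a non-zero
        value forces a check against the password history.
    view_password_history: user must be able to see historic passwords in the UI.
    generate_password: user must be able to use the Generate Credential (key) icon.
    """
    required = set(BASE_PRIVILEGES)
    if min_iterations_before_reuse > 0:
        # PAM must compare the new password with the last N; listing history
        # is needed for that comparison to succeed.
        required.add("List Password History")
    if view_password_history:
        # Viewing history needs Get in combination with List.
        required.update({"List Password History", "Get Password History"})
    if generate_password:
        required.add("Update Target Account Password")
    return required


def missing_privileges(role_privileges, **use_case):
    """Privileges the role lacks for the use case, sorted for stable output."""
    return sorted(required_privileges(**use_case) - set(role_privileges))


def audit_roles(roles, **use_case):
    """Audit a mapping of role name -> privilege list; returns only roles with gaps."""
    report = {}
    for name, privileges in roles.items():
        gaps = missing_privileges(privileges, **use_case)
        if gaps:
            report[name] = gaps
    return report


# Constructed sample roles (hypothetical names; not from the article).
SAMPLE_ROLES = {
    "pw-reset-minimal": sorted(BASE_PRIVILEGES),
    "pw-reset-with-generate": sorted(BASE_PRIVILEGES | {"Update Target Account Password"}),
    "viewer-only": ["Get Target Account", "List Target Accounts", "View Account Password"],
}

if __name__ == "__main__":
    # Policy with "Minimum Iterations Before Reuse" = 5 and generate allowed.
    for role, gaps in audit_roles(SAMPLE_ROLES, min_iterations_before_reuse=5,
                                  generate_password=True).items():
        print(f"{role}: missing {', '.join(gaps)}")
```

Run it against an export of your own CM role privileges to see which roles fall short of the minimum for a given policy; the minimal seven-privilege role is correctly reported as lacking only List Password History when the reuse check is enabled, and the sample "viewer-only" role shows how far a read-only role is from being able to update passwords.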


With all three additional privileges included, the CM role contains the following ten privileges:

  • Get Password History
  • Get Password View Policy
  • Get Target Account
  • Get Target Application
  • Get Target Server
  • List Password History
  • List Target Accounts
  • Update Target Account
  • Update Target Account Password
  • View Account Password

Additional Information

In a multi-site cluster, users must log on to a node at the primary site to perform password update activities. On secondary site nodes the Credentials > Manage Targets > Accounts page still lists the target accounts, but the accounts cannot be updated there, regardless of the privileges the user holds.