We have defined the following setup in PAM:
* A role called TestSysAdmin2 in Users-->Roles which only has accessAll and credentialsManage. The reason for this is to be able to access the Access page when logging in and, of course, so that the user has the necessary rights to manage passwords.
* In Password Management, a User Group called TestSysadm. This group contains the SysAdmin role.
We have created a user called testuser. To this user we have assigned the TestSysAdmin2 role, and we have also assigned it to the TestSysadm Password Management group.
This user, testuser, does NOT have any Policy assigned on ANY of the devices managed by the PAM appliance.
The problem occurs whenever logging in to the PAM appliance as user testuser.
The expected result would be that we should not see ANY device in the Access page, since the testuser user does not have any policy assigned to any of the devices in the appliance.
However, what happens is that user testuser sees in its Access page ALL the devices defined in the PAM appliance which have applications defined, and for each endpoint and application it sees all the users defined to access it, but not the passwords.
Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
This is working as designed. Because testuser belongs to the TestSysadm Password Management group, which carries the SysAdmin role, the user can already view any password on the credential management side. As a convenience, those same credentials are therefore also shown on the Access page; this is part of the intelligent password matching feature. In other words, the Access page view is not driven only by the device policies assigned to the user, but also by the credentials the user is entitled to manage. testuser can view any of these passwords from the Access page as well, by clicking on any of the users listed under the view passwords items.
If the requirement is that a user with no policies on any device should see NO devices in the Access page, one option is to create a Dynamic Target Group and filter it on the relevant device attributes, so that the scope of credentials the Password Management group can manage (and therefore what the Access page shows) is limited to the devices matching that filter. Note that the user will still see, and be able to view passwords for, any device that matches the filter: the Access page visibility follows the credential management scope, so restrict that scope to exactly the devices the user is supposed to handle.