A Credential Manager report has been scheduled to run periodically, but it needs to be emailed to a distribution list rather than a single user. A local user can be created with the distribution list's email address and the standard user role, but that user does not appear in the list of available recipients. If the user is a global administrator, it appears as an available recipient, but this gives the user too many privileges. How can the user be configured to receive the reports by email with the minimum amount of privileges?
Privileged Access Manager, all versions
Per the documentation, "recipients can be selected from all Credential Manager users with a valid email address." This means that any user who is a member of a Credential Manager group will be listed under the available recipients. There are three out-of-the-box user roles which have the Manage Credentials privilege needed to join a CM group: Global Administrator, Operational Administrator, and Password Manager.
Of the three user roles that contain the Manage Credentials privilege, Password Manager contains the fewest privileges. Among the CM groups, Base Users likewise has the fewest privileges.
To have scheduled reports emailed to a distribution list, first create or update a local user with the distribution list as the email address. Set the role to Password Manager and the Credential Manager group to Base Users.
Once the user has been created or updated, update the scheduled report and add them to the recipients list.