The idea is to provide the option to use PAM to control access to devices that use a directory credential without the need to define a device or service. An example is a *nix endpoint where the credential is stored in AD. Access to the credential would be controlled, but the user would be prompted for the device name if they are authorized for the credential. This would save a lot of effort in defining devices if the only access is via a directory credential. This could also be applied to Windows devices. This capability should also be available when a service such as PuTTY is being launched.
This would be functionally similar to the "Advanced Login" capability of Shared Account Management.