Symantec Privileged Access Management

  • 1.  Restricting Global Admin to view target account's password

    Posted Jan 17, 2019 08:42 AM

    Hi,

     

    CA PAM Administrator (Global Administrator) can view on boarded target account's password by clicking on eye icon in GUI. Is there any way to restrict this for Global Admins and allow only to respective users/groups? 

     

    Regards

    Mahendra



  • 2.  Re: Restricting Global Admin to view target account's password

    Broadcom Employee
    Posted Jan 17, 2019 06:36 PM

    Hello Mahendra, For any user other than the built-in super user, the Credential Management Groups setting in the user entry will determine what the user can do and cannot do on the Credential Management side. Every Credential Management group has an associated target group, and that target group defines which target servers, applications and accounts the group has access to. Be aware that a global administrator can change its own user entry, so in that sense the answer to your question is No. You would have to create custom roles on the access side (Users > Manage Roles) as well to prevent PAM administrators from controlling user roles.