Hello Mahendra, For any user other than the built-in super user, the Credential Management Groups setting in the user entry will determine what the user can do and cannot do on the Credential Management side. Every Credential Management group has an associated target group, and that target group defines which target servers, applications and accounts the group has access to. Be aware that a global administrator can change its own user entry, so in that sense the answer to your question is No. You would have to create custom roles on the access side (Users > Manage Roles) as well to prevent PAM administrators from controlling user roles.