Symantec Privileged Access Management

  • 1.  Role Based Access - RFC and Real Life Examples

    Posted May 21, 2019 03:11 PM

    A client has recently gone live with PAM and is starting to think about delegating certain administrative and CM functions to colleagues, without having to "turn over the keys to the kingdom" - in a manner of speaking. They are thinking of setting up a support workflow and escalation built on very fine-grained role-based PAM & CM privileges, for very specific use cases.

    For example:

    A Functional role capable of only Generate and Verify passwords, in the event that an account were to fall out of sync with the target and a force password change is in order.

    or

    A Functional role capable of only Force-checking-in checked-out accounts, for the occasional "had to leave in a hurry and forgot to check it back in".

    The client is still exploring exactly which fine-grained functions they want to delegate. But, in the meantime, they would like to reach out to the community to request comment and/or real-life examples.

    Have any other clients out there felt the need to delegate fine-grained functions? If so, what use cases were you/they trying to cover?

    What generic good practices can we recommend in this case?



  • 2.  RE: Role Based Access - RFC and Real Life Examples

    Posted Jun 07, 2019 08:43 AM
    Hi Sebastiano,

    I've only worked with custom roles in my lab environment, but there is the capability to create custom User and Credential Roles. It does take a lot of trial and error to get exactly what you're looking for, but if you review these pages you might be able to wire something together to achieve what you're looking for:
    https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-users/user-roles
    https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/implementing/protect-privileged-account-credentials/delegate-password-management-tasks-to-groups/add-or-modify-credential-manager-roles

    Christo