Assuming a Windows domain service environment with domain accounts, the main interface (Access tab) of PAM seems to mislead the user that the dual authorization approval workflow is required for each server on the list, since the user needs to click on RDP for a specific server.
However, when having the request approved for one specific server, if the account grants access to other servers, the user won't need to go through the dual authorization workflow anymore.
Is there any configuration of policies, target accounts, devices and device groups that can accomplish this?
Windows domain account: XAccount has access to 2 servers: ServerA and ServerB.
When I click on RDP for ServerA, after the approval is done, I also have access to ServerB. I would like to have separate approval workflows without needing two separate accounts: XAccountA and XAccountB.
Hello Lucas, this is how the current workflow works. You are granted access to a target account password, not to a specific device. There is an open idea already to make approvals more granular, see https://communities.ca.com/ideas/235734985-password-view-policy-on-device-group-more-granular-control . Please go to the idea, vote it up and optionally add a comment.
As Ralf said, this is how PAM is designed. It requires approval for each user that requests a password. This reduces the likelihood that someone will gain access to a password in error.