Hi Alex, There is no additional control on the PAM side. You should be able to control access to the VM on the VM server side to minimize the risk of the wrong person making changes to the VM. Someone with access to the console would also be able e.g. to stop the VM, which I would regard a more severe concern. Going into the configuration and changing network parameters requires deliberate action and would not be done by accident or mistake. If you would like to see an additional layer of protection for the PAM console anyway, please raise an idea in this community.