Hello Yan, I don't think this is possible at present. The internal privileges required to process approvals pull these menu items in. The best you could do is get rid of the UI errors. One, admittedly not very attractive, way is to define an additional role having "Search Target Account" and "Search Target Application" privileges, define a dynamic Target Group with a filter that doesn't match any account (such as "Account Name Equals thisisnotanaccountname"), define a new CM user group scoped to the new role and the new target group, and add this CM user group to your approvers. This way they will get empty Accounts and Applications pages, but w/o error. Note that the separation of privileges for different target groups (for your original role you don't define a target group, which implies that it applies to all targets) you have to be on the latest release 4.0, which your screenshot tells me is what you are running already. This relates to new feature
Removal of Ambiguity when Multiple Roles are Assigned across Multiple Target Groups in PAM 4.0.
Original Message:
Sent: 09-23-2021 09:41 AM
From: Yan Coelho
Subject: Password Approval Permissions
Hello,
I configured a "Custom Role" for Approvers Users and work perfectly but when we set Password Manager Role to a user automatically he will able to see the Credentials Tab --> Manage Target Accounts/Applications even with he hasn't roles to perform any action under this tab .
Has any possible configuration that will make a approver user only see under Credentials only Workflow --> My Approvals ?
My Configuration:
Role to Manage Request
Credential Manager Group:
User Roles And Groups
Credentials tab: