Dynamic Addition of Devices and Target Accounts to the Access Page Based on Credential Manager Target Group Membership

Privileged Access Manager dynamically adds devices to the Access page if those devices are members of a Credential Manager target group that is referenced by a Credential Manager user group to which the logged-in user belongs.
If there is no policy for one of the devices in the group, Symantec PAM just allows the user to view the passwords for any credentials of the device from the Access page. If there is a policy for the device (either directly or via a device group) that has an applet or service attached, then any relevant target accounts are added to the list of possible accounts for connection.
Devices are added to the Access page according to the following rules:
  • If a user is not a Global (Super) Administrator or Operational Administrator,
    and
  • The user belongs to a Credential Manager user group other than standard users that has the right to view passwords for some devices,
    then:
  • The following logic is applied to each device and target account:
    1. If there is an applet or service to which the target account can reasonably be assigned for autoconnect, that target account is assigned.
    2. If not, the target account is available for viewing.
The mapping between target applications (each target account belongs to exactly one application) and applets/services is as follows:
  • If a device has an SSH or Telnet applet, or an SSH or Telnet proxy service, any target account whose target application is either Generic or Unix will be assigned to it.
  • If a device has an RDP applet, an RDP application, or an RDP Proxy service, any target account whose target application is either Generic, Windows Proxy, or Active Directory will be assigned to it.
  • If the device has a TN5250/TN5250 SSL applet, any target account whose target application is either Generic or AS400 will be assigned to it.
  • Otherwise, if either the target account’s target application is not one of the aforementioned types or the device does not have the requisite applet or service assigned, the target account is available for viewing.
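
The mapping above, modeled as an added Python example for auditing which accounts end up view-only; it is not Symantec PAM code. The label strings, function names and sample inventory are assumptions, as is the reading that an account matching several access methods on one device is assigned to each of them.

```python
# Model of the documented mapping; not product code. Labels follow the page
# text, while the data layout and function names are assumptions.
RULES = [
    # (access methods on the device, target applications they accept)
    ({"ssh applet", "telnet applet", "ssh proxy service", "telnet proxy service"},
     {"generic", "unix"}),
    ({"rdp applet", "rdp application", "rdp proxy service"},
     {"generic", "windows proxy", "active directory"}),
    ({"tn5250 applet", "tn5250 ssl applet"},
     {"generic", "as400"}),
]
ADMIN_ROLES = {"global administrator", "operational administrator"}


def _norm(values):
    """Case-insensitive comparison set (the page writes both Generic and generic)."""
    return {v.strip().casefold() for v in values}


def dynamic_rules_apply(user_roles, view_right_groups):
    """Rules apply to non-administrators who belong to at least one
    non-standard Credential Manager user group with view rights."""
    return not (_norm(user_roles) & ADMIN_ROLES) and bool(view_right_groups)


def assigned_methods(device_methods, target_application):
    """Access methods the account is assigned to; empty means view-only."""
    app = target_application.strip().casefold()
    present = _norm(device_methods)
    hits = set()
    for methods, apps in RULES:
        if app in apps:
            hits |= methods & present
    return sorted(hits)


def access_page_entries(device_methods, accounts):
    """Map each account name to ('autoconnect', methods) or ('view', [])."""
    result = {}
    for name, application in accounts.items():
        methods = assigned_methods(device_methods, application)
        result[name] = ("autoconnect", methods) if methods else ("view", [])
    return result


# Constructed sample: a device whose policy attaches only an SSH applet.
SAMPLE = access_page_entries(
    ["SSH applet"],
    {"root": "Unix", "svc_sql": "Windows Proxy", "oper": "Generic"},
)
```

In the constructed sample, `svc_sql` falls through to view-only because the device has no RDP access method, which is the case where the user sees the password itself rather than an auto-connect link.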