Delegate Password Management Tasks to Groups

Credential Manager uses groups to separate password management duties and improve security. Credential Manager groups allow users, or groups of users, to view and change passwords for only a specific set of resources. Credential Manager users are also grouped, which simplifies the design and implementation of the security policies that are used to manage them.
Credential Manager groups and roles are separate from access user groups and roles. See Credential Manager Group Terminology.
When defining a user that is to have Credential Manager privileges – administering or viewing passwords – the user must be assigned a Credential Manager Group. Assign a Credential Manager group by adding or editing a user from the Users, Manage Users screen on the Credential Manager Groups tab.
Important!
With release 3.4.3, the Credential Manager Role only applies to the objects scoped by the Credential Manager Target Group in the same Credential Manager Group. Previously, all Credential Manager Roles applied to all Credential Manager Target Groups in all Credential Manager Credential Groups the user was a member of.
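The scoping change in release 3.4.3, modeled as an added example (this is not Credential Manager code or its API): it computes a user's effective grants under the earlier and the current behavior and lists the grants that the scoping removes. All role, target group, group, and account names are constructed, and a role is simplified here to a set of privileges.

```python
from itertools import product

# Constructed sample data (hypothetical names, not taken from the product).
# Assumption: each Credential Manager Group pairs one role with one target group.
ROLES = {
    "ViewOnly": {"view"},
    "PasswordAdmin": {"view", "change"},
}
TARGET_GROUPS = {
    "LinuxServers": {"web01-root", "web02-root"},
    "DomainControllers": {"dc01-administrator"},
}
CM_GROUPS = {
    "LinuxOps": ("PasswordAdmin", "LinuxServers"),
    "DCAudit": ("ViewOnly", "DomainControllers"),
}

def scoped_grants(memberships):
    """3.4.3 behavior: a role applies only to the target group in the same group."""
    grants = set()
    for name in memberships:
        role, tgroup = CM_GROUPS[name]
        grants |= set(product(ROLES[role], TARGET_GROUPS[tgroup]))
    return grants

def legacy_grants(memberships):
    """Earlier behavior: every role applies to every target group the user can reach."""
    privileges, accounts = set(), set()
    for name in memberships:
        role, tgroup = CM_GROUPS[name]
        privileges |= ROLES[role]
        accounts |= TARGET_GROUPS[tgroup]
    return set(product(privileges, accounts))

def removed_by_scoping(memberships):
    """Grants a user held implicitly before 3.4.3 and no longer holds."""
    return legacy_grants(memberships) - scoped_grants(memberships)

if __name__ == "__main__":
    user_groups = ["LinuxOps", "DCAudit"]
    for privilege, account in sorted(removed_by_scoping(user_groups)):
        print(f"no longer granted: {privilege} on {account}")
```

A non-empty result for a user marks access that existed only through the cross-group combination, which is worth reviewing when comparing entitlements before and after the upgrade.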
Privileged Access Manager is preconfigured with a Credential Manager Group named "System Admin Group". This might appropriately be used to provision a Global Administrator using the PM Groups setting.
Credential Manager uses two types of groups:
  • Static groups
    Static groups enable the direct assignment of specific resources to a particular user group. Static groups enforce the resource assignment and provide control over group membership. You can configure static target groups and A2A requestor groups.
  • Dynamic groups
    Dynamic groups use rules and filters to specify patterns for resource assignment. All entities that match the rules are assigned membership in the specified dynamic group. Any new entity that is added and that matches the pattern is automatically placed in all applicable groups, minimizing administrative burden. You can configure dynamic target groups and A2A requestor groups.
The process for defining target groups is:
[Figure: Credential Manager Group Configuration]
If there are no consistent standards for group attributes, names or addresses, use the Descriptor fields to create standards to support dynamic group assignment.
Authorization groupings do not apply to reports, metrics, or application-to-application credential requests.
See the following other articles in this section for more details: