User gets vault permissions automatically in RDM

Hello Devolutions Support Team,
I am testing Devolutions Server PAM in a lab environment and I am having an issue with permissions.
I created a new normal domain user and added him to Devolutions Server as a regular user, not an administrator. Then, when I log into Remote Desktop Manager with this user, he already has many permissions on a PAM vault/entry even though I did not explicitly give him those permissions.
For example, in “My permissions” for the PAM entry, the user appears to have permissions such as edit, delete, view password, reset password, approve checkout request, force check-in, and grant checkout.
What I want is simple:

  • Technician user: only view/use the entry and request checkout.
  • Approver user: approve checkout requests.
  • Admin user: full control.

Could you please help me understand where these permissions are coming from and how I can remove the inherited/default permissions so the technician user only has the minimum required access?
Thank you.

All Comments (1)

Hello,

Those permissions are not granted to the user directly. They come from the permissions on the PAM vault itself, which apply to everyone who has access to it. In a PAM vault, the operations reset password, approve checkout request, force check-in, checkout, and read logs each have a setting that can either allow every user or be restricted to specific users (Custom). In your case these are currently allowing all users, which is why your new user has them. The view, edit, delete, and view password permissions come from the permission set granted on the vault to users who have access. So the user is inheriting the vault's permissions, not getting an explicit grant on their account.

To get to least privilege, restrict these and assign permissions per role:

  1. Open your PAM vault and go to its Default permissions. For the PAM operations (reset password, approve checkout request, force check-in, checkout, read logs), set each to Custom instead of allowing every user, and grant each only to the users or roles that need it.
  2. Set the vault or folder permissions explicitly under Properties, Security, Permissions, granting access per user or group rather than relying on broad defaults.
  3. For the technician, grant only the minimum needed to view and use an entry, which is View vault, Connect (Execute), View password, and View sensitive (the Privileged operator permission set), plus the Checkout permission so they can request checkout. Do not grant edit, delete, approve checkout, force check-in, or grant checkout.
  4. For the approver, grant only Approve checkout request.
  5. For the admin, grant full control.

After this, reopen My permissions on the entry with the technician user and you should see only view, use, and request checkout. The permission model is documented here: https://docs.devolutions.net/pam/server/roles-permissions/

Best regards,

Michel Audi
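
To make the inheritance described in the reply above concrete, here is an added example that is not part of the original thread and is not Devolutions code or its API: a small Python model of how the vault-wide operation settings ("all users" vs Custom) and the permission set granted on the vault combine into a user's effective permissions, plus an audit that diffs those against the per-role minimums the reply lists. The user names, the exact way the settings combine, and the placement of "grant checkout" in the broad default permission set are assumptions made for illustration.

```python
"""Model of effective PAM permissions: vault-wide defaults vs explicit grants.

Illustrative code written for this page (not Devolutions code and not its API).
Permission and operation names follow the reply above; how they combine into a
user's effective permissions is this script's assumption about the described model.
"""
from dataclasses import dataclass

ALL_USERS = "all"  # per-operation setting that allows every user with vault access

# PAM operations that each carry an "all users" / Custom setting on the vault.
VAULT_OPERATIONS = ("reset password", "approve checkout request",
                    "force check-in", "checkout", "read logs")

# Permission sets named in the reply.
PRIVILEGED_OPERATOR = frozenset({"view vault", "connect", "view password", "view sensitive"})
FULL_CONTROL = (PRIVILEGED_OPERATOR
                | frozenset({"edit", "delete", "grant checkout"})
                | frozenset(VAULT_OPERATIONS))

# Minimum permissions per role, as the reply assigns them.
ROLE_MINIMUM = {
    "technician": PRIVILEGED_OPERATOR | {"checkout"},
    "approver": frozenset({"approve checkout request"}),
    "admin": FULL_CONTROL,
}


@dataclass
class Vault:
    members: frozenset      # users who have access to the vault
    access_set: frozenset   # permission set granted to everyone with access
    operations: dict        # op -> ALL_USERS, or frozenset of users (Custom)


@dataclass
class User:
    name: str
    explicit: frozenset = frozenset()   # grants placed directly on the user


def effective_permissions(user, vault):
    """Explicit grants, plus whatever the vault hands to every member."""
    perms = set(user.explicit)
    if user.name not in vault.members:
        return perms
    perms |= vault.access_set
    for op in VAULT_OPERATIONS:
        setting = vault.operations.get(op, frozenset())
        if setting == ALL_USERS or user.name in setting:
            perms.add(op)
    return perms


def excess_permissions(user, role, vault):
    """Permissions beyond the role's minimum; empty means least privilege holds."""
    return effective_permissions(user, vault) - ROLE_MINIMUM[role]


def missing_permissions(user, role, vault):
    """Permissions the role needs but the user does not have."""
    return ROLE_MINIMUM[role] - effective_permissions(user, vault)


def audit(users_by_role, vault):
    """Return {user name: sorted excess permissions} for every over-privileged user."""
    report = {}
    for role, user in users_by_role:
        extra = excess_permissions(user, role, vault)
        if extra:
            report[user.name] = sorted(extra)
    return report


# Constructed sample data (assumed names): the lab state from the question, with
# every operation set to "all users" and a broad permission set on the vault.
USERS = ("tech1", "approver1", "admin1")
LAB_VAULT = Vault(
    members=frozenset(USERS),
    access_set=PRIVILEGED_OPERATOR | {"edit", "delete", "grant checkout"},
    operations={op: ALL_USERS for op in VAULT_OPERATIONS},
)
LAB_USERS = [("technician", User("tech1")), ("approver", User("approver1")),
             ("admin", User("admin1"))]

# The state after the reply's fix: no broad default set, every operation Custom,
# and each user granted exactly the role's minimum.
FIXED_VAULT = Vault(
    members=frozenset(USERS),
    access_set=frozenset(),
    operations={
        "checkout": frozenset({"tech1", "admin1"}),
        "approve checkout request": frozenset({"approver1", "admin1"}),
        "reset password": frozenset({"admin1"}),
        "force check-in": frozenset({"admin1"}),
        "read logs": frozenset({"admin1"}),
    },
)
FIXED_USERS = {
    "tech1": User("tech1", explicit=PRIVILEGED_OPERATOR),
    "approver1": User("approver1"),
    "admin1": User("admin1", explicit=FULL_CONTROL),
}
FIXED_BY_ROLE = [("technician", FIXED_USERS["tech1"]),
                 ("approver", FIXED_USERS["approver1"]),
                 ("admin", FIXED_USERS["admin1"])]

if __name__ == "__main__":
    print("lab excess:  ", audit(LAB_USERS, LAB_VAULT))
    print("fixed excess:", audit(FIXED_BY_ROLE, FIXED_VAULT))
```

Run as-is, the lab audit reports the technician holding edit, delete, grant checkout and all five vault operations beyond their minimum, which is the same surplus the question observed in "My permissions"; after the fix the report is empty and `missing_permissions` is empty for all three roles, so nobody lost a permission their role needs.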