What is the difference between PAM Core roles 137 and 139?

137 PAM.PrivilegedAccounts.Custody.List: List all credentials under user’s custody

139 PAM.PrivilegedAccounts.Credentials.List: List all credentials

Role 139 is the permission that lets the specific user list all credentials registered in the system. Role 137, on the other hand, lets the user list a credential only when that user has custody of it.

Custody of a credential means that the user has control of, and responsibility for, access to the information the credential protects. This approach provides more granular security, ensuring that only authorized and trustworthy users gain access to protected resources through their respective credentials.