What requirement must members of the PSMShadowUsers group meet?

Members of the PSMShadowUsers group must have the "logon locally" user right assignment to fulfill their role effectively. This requirement allows these users to log on to the designated machines where the Privileged Session Manager (PSM) operates, enabling them to monitor and manage privileged sessions. The ability to log on locally is crucial for the functionality that requires direct access to systems in order to observe, record, or interact with privileged sessions that are being conducted by other users.

This is essential for security and auditing purposes, as it ensures that those who have the ability to shadow or oversee sessions can do so directly on the systems involved. Being part of this group without the "logon locally" right would restrict a user's ability to perform essential oversight functions, defeating the purpose of the group entirely.

The other requirements, while possibly relevant in different contexts, do not directly pertain to the essential functionality of the PSMShadowUsers. Administrative privileges, for instance, might be an asset but are not a requirement solely for shadowing sessions. Similarly, being listed as end users or having access to the PSM Vault does not address the fundamental need for logging on locally to effectively carry out the group's responsibilities.