Configuring access
To use this program, your OTP API user needs to have permissions to view the password:
Create a new product administrator (Manage the system > Security > Access to product features) with the "OTP IDAPI caller" privilege.
Create a privileged access user group (Manage the system > Security > Privileged access to systems).
On the Membership Criteria tab, create a user class, or use an existing one, that contains the administrator you created in Step 1.
Give the user group the permission "Pre-approve check-out of managed accounts" on the policy that the password is managed under.
See Using a plugin to define access to passwords for details on managing large numbers of OTP API callers with limited permissions.