The attached procedure was tested successfully with PAM 3.1.2 and PAM 3.2.
The attached document details one procedure to configure a role with the capabilities listed above. This includes creation of the access role, the credential manager (CM) role, and creation of the CM target and user group required for the delegated administrator.
For a discussion of built-in access roles with their privileges along with the privilege definitions, see page https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-your-server/master-provisioning-settings/identify-desired-user-roles.
For information on credential manager roles and groups see https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/add-credential-manager-roles-and-groups.