I have a custom requirement to create Read/write without the ability to export passwords in Clearpass
This can be achieved as follows:
We can edit the Admin Privileges under "Administration » Users and Privileges » Admin Privileges".
Login via the new role try to export any authentication source or user credentials.
The xml file which is exported will not contain the password.
The attached file can be used to add the required Role.
It will create a new rol;e named " Network Administrator custom"