As a Privileged Access Manager settings administrator, you can configure some additional settings for the approval workflow and notification preferences.
The settings that you configure at the organization or folder level are automatically applied to their child resources, unless you explicitly override the settings at the child resource level.
You can enable service accounts as eligible approvers. This setting lets administrators add service accounts and identities in workload identity pools as approvers when creating or modifying an entitlement.
You can customize resource-wide notification preferences for various Privileged Access Manager events by selectively disabling notifications for specific events and specific personas, or disabling all notifications.
Before you begin
To get the permissions that you need to configure Privileged Access Manager settings, ask your administrator to grant you the following IAM roles:
- Configure settings for your project, folder, or organization: PAM Settings Admin (roles/privilegedaccessmanager.settingsAdmin) on your organization
- View settings for your project, folder, or organization: PAM Settings Viewer (roles/privilegedaccessmanager.settingsViewer) on your project, folder, or organization
These predefined roles contain the permissions required to configure Privileged Access Manager settings. The exact permissions that are required are listed in the following Required permissions section:
Required permissions
The following permissions are required to configure Privileged Access Manager settings:
- Configure settings: privilegedaccessmanager.settings.update
- View settings:
  - privilegedaccessmanager.settings.get
  - privilegedaccessmanager.settings.fetchEffective
Enable service accounts as approvers
Console
Go to the Privileged Access Manager page.
Select the organization, folder, or project.
Click the Settings tab. In the Settings source section, Inherit from parent is selected by default.
To override settings inherited from the parent resource on a child resource, in the Service account as approver section, select Override inheritance.
To enable the service account as approver setting, turn on the Enable Service Account As Approver toggle and click Save.
REST
The Privileged Access Manager API's updateSettings method configures additional Privileged Access Manager settings.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that you want to update the settings for, in the format organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
UPDATED_FIELDS: A comma-separated list of fields that need to be updated in the settings. For example, emailNotificationSettings,serviceAccountApproverSettings. To update all fields that can be modified, set the update mask to *.
SA_AS_APPROVER: A boolean value in the serviceAccountApproverSettings field that indicates whether service accounts are allowed to approve grants. The default value is false.
- If you specify the serviceAccountApproverSettings field with a value, then that setting is applied to your resource.
- If you specify the serviceAccountApproverSettings field but leave it empty, then the default settings are applied to your resource.
- If you don't specify the serviceAccountApproverSettings field at all, then your resource inherits the settings from the parent resource.
If you disable this setting, grants that require approval from service accounts won't be approved. If your entitlements have only service accounts as approvers, those entitlements aren't effective.
request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the etag in the body to update the latest version of the settings.
HTTP method and URL:
PATCH https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS
Request JSON body:
{
  "emailNotificationSettings": {
    "customNotificationBehavior": {
      "adminNotifications": {
        "grantActivated": "NOTIFICATION_MODE_1",
        "grantActivationFailed": "DISABLED",
        "grantEnded": "ENABLED",
        "grantExternallyModified": "ENABLED"
      },
      "approverNotifications": {
        "pendingApproval": "NOTIFICATION_MODE_2"
      },
      "requesterNotifications": {
        "entitlementAssigned": "ENABLED",
        "grantActivated": "ENABLED",
        "grantExpired": "NOTIFICATION_MODE_3",
        "grantRevoked": "ENABLED"
      }
    }
  },
  "etag": "\"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md\"",
  "name": "SCOPE/locations/global/settings",
  "serviceAccountApproverSettings": {
    "enabled": SA_AS_APPROVER
  }
}
After you send the request, you should receive a JSON response similar to the following:
{
  "name": "SCOPE/locations/global/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1beta.OperationMetadata",
    "createTime": "2024-03-25T01:55:02.544562950Z",
    "target": "SCOPE/locations/global/settings",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1beta"
  },
  "done": false
}
To check on the progress of an update operation, send a GET request to the following endpoint:
https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations/OPERATION_ID
To list all operations, send a GET request to the following endpoint:
https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations
Customize notification preferences
Console
Go to the Privileged Access Manager page.
Select the organization, folder, or project.
Click the Settings tab.
In the Notifications section, Inherit from parent is selected by default.
The following table shows the default notification preferences:
Event                            Admin   Requester   Approver
Entitlement assigned             -       ✓           -
Grant requires approval          -       -           ✓
Grants are activated             ✓       ✓           -
Grants are denied                -       ✓           -
Grants are expired               -       ✓           -
Grants have ended                ✓       ✓           -
Grants are revoked               -       ✓           -
Grants are externally modified   ✓       ✓           -
Grants activation failed         ✓       ✓           -
To override settings inheritance from the parent, turn on the Send notifications for the following events toggle.
To disable notifications for the required PAM event and persona, clear the corresponding checkboxes, and click Save.
To disable all the notifications, clear Send notifications for the following events, and click Save.
REST
The Privileged Access Manager API's updateSettings method configures additional Privileged Access Manager settings.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that you want to update the settings for, in the format organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
UPDATED_FIELDS: A comma-separated list of fields that need to be updated in the settings. For example, emailNotificationSettings,serviceAccountApproverSettings. To update all fields that can be modified, set the update mask to *.
NOTIFICATION_MODE: In the emailNotificationSettings field, use ENABLED to send notification emails for the event or DISABLED to prevent them.
- If you specify the emailNotificationSettings field with a value, then that setting is applied to your resource.
- If you specify the emailNotificationSettings field but leave it empty, then the default settings are applied to your resource.
- If you don't specify the emailNotificationSettings field at all, then your resource inherits the settings from the parent resource.
request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the etag in the body to update the latest version of the settings.
HTTP method and URL:
PATCH https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS
Request JSON body:
{
  "emailNotificationSettings": {
    "customNotificationBehavior": {
      "adminNotifications": {
        "grantActivated": "NOTIFICATION_MODE_1",
        "grantActivationFailed": "DISABLED",
        "grantEnded": "ENABLED",
        "grantExternallyModified": "ENABLED"
      },
      "approverNotifications": {
        "pendingApproval": "NOTIFICATION_MODE_2"
      },
      "requesterNotifications": {
        "entitlementAssigned": "ENABLED",
        "grantActivated": "ENABLED",
        "grantExpired": "NOTIFICATION_MODE_3",
        "grantRevoked": "ENABLED"
      }
    }
  },
  "etag": "\"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md\"",
  "name": "SCOPE/locations/global/settings",
  "serviceAccountApproverSettings": {
    "enabled": SA_AS_APPROVER
  }
}
After you send the request, you should receive a JSON response similar to the following:
{
  "name": "SCOPE/locations/global/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1beta.OperationMetadata",
    "createTime": "2024-03-25T01:55:02.544562950Z",
    "target": "SCOPE/locations/global/settings",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1beta"
  },
  "done": false
}
To check on the progress of an update operation, send a GET request to the following endpoint:
https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations/OPERATION_ID
To list all operations, send a GET request to the following endpoint:
https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations
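As an added example that is not part of this documentation or of Google's client libraries, the following Python builds the updateSettings PATCH request used by both REST procedures above from a previously fetched settings resource: it carries the etag over, derives the update mask from the fields actually being changed, and maps the three inheritance cases (field set, field empty, field absent) onto the body. The resource name, etag and notification values in FETCHED are constructed placeholders, and the scope check is a loose one of my own, not the API's validation.

```python
import re
from copy import deepcopy
from typing import Optional

# Added example (not Google's code): build the updateSettings PATCH request
# from a previously fetched settings resource, reusing its etag.
API_BASE = "https://privilegedaccessmanager.googleapis.com/v1beta"
SCOPE_RE = re.compile(r"^(organizations/\d+|folders/\d+|projects/[a-z][a-z0-9-]+)$")

def settings_url(scope: str) -> str:
    """Settings URL for a scope; loose check: numeric org/folder IDs, alphanumeric project IDs."""
    if not SCOPE_RE.match(scope):
        raise ValueError(f"scope must be organizations/ID, folders/ID or projects/ID: {scope!r}")
    return f"{API_BASE}/{scope}/locations/global/settings"

def disable_notifications(current: dict, disable: dict) -> dict:
    """Copy the fetched emailNotificationSettings and set the given persona/event
    pairs to DISABLED, e.g. {"requesterNotifications": ["grantExpired"]}."""
    settings = deepcopy(current.get("emailNotificationSettings", {}))
    behavior = settings.setdefault("customNotificationBehavior", {})
    for persona, events in disable.items():
        for event in events:
            behavior.setdefault(persona, {})[event] = "DISABLED"
    return settings

def build_patch(current: dict, *, sa_as_approver: Optional[bool] = None,
                notifications: Optional[dict] = None) -> tuple:
    """Return (PATCH URL with updateMask, JSON body). A field left as None is
    omitted from body and mask, so the resource keeps inheriting it from its
    parent; notifications={} sends the field empty, which resets it to defaults."""
    if "etag" not in current:
        raise ValueError("fetched settings carry no etag; GET them again")
    body = {"name": current["name"], "etag": current["etag"]}
    mask = []
    if sa_as_approver is not None:
        body["serviceAccountApproverSettings"] = {"enabled": sa_as_approver}
        mask.append("serviceAccountApproverSettings")
    if notifications is not None:
        body["emailNotificationSettings"] = notifications
        mask.append("emailNotificationSettings")
    if not mask:
        raise ValueError("nothing to update")
    scope = current["name"].split("/locations/")[0]  # name is SCOPE/locations/global/settings
    return f"{settings_url(scope)}?updateMask={','.join(mask)}", body

# Constructed sample of a GET .../settings response (not real data).
FETCHED = {"name": "projects/my-project/locations/global/settings", "etag": "\"EXAMPLE_ETAG\"",
           "emailNotificationSettings": {"customNotificationBehavior": {
               "requesterNotifications": {"grantExpired": "ENABLED"}}}}
```

Send the returned URL and body with PATCH and a bearer token as the page describes; if the etag is stale the API rejects the update, so fetch the settings again before retrying.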