Privileged Access Manager overview

You can use Privileged Access Manager (PAM) to control just-in-time temporary privilege elevation for select principals, and to view audit logs afterwards to find out who had access to what and when.

To allow temporary elevation, you create an entitlement in Privileged Access Manager, and add the following attributes to it:

  • A set of principals who are allowed to request a grant against the entitlement.

  • Whether a justification is required for that grant.

  • A set of roles to temporarily grant. IAM conditions can be set on the roles.

  • The maximum duration a grant can last.

  • Optional: Whether requests need approval from a select set of principals, and whether those principals need to justify their approval.

  • Optional: Additional stakeholders to be notified about important events, such as grants and pending approvals.

A principal that's been added as a requester to an entitlement can request a grant against that entitlement. If successful, they are granted the roles listed in the entitlement until the end of the grant duration, after which the roles are revoked by Privileged Access Manager.
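As an added illustration, not from this page or from Google's own documentation, here is how those attributes map onto an entitlement declared with the Terraform google provider's google_privileged_access_manager_entitlement resource; the project ID, groups and email addresses are placeholders.

```hcl
# Added example: one entitlement covering each attribute listed above.
# Placeholders: project ID, groups and email addresses.
resource "google_privileged_access_manager_entitlement" "prod_storage_breakglass" {
  entitlement_id = "prod-storage-admin"
  location       = "global"
  parent         = "projects/my-prod-project"
  # Maximum duration a grant can last (here: 2 hours).
  max_request_duration = "7200s"
  # Principals allowed to request a grant against this entitlement.
  eligible_users {
    principals = ["group:oncall-sre@example.com"]
  }
  # A free-text justification is required for every request.
  requester_justification_config {
    unstructured {}
  }
  # Roles to grant temporarily: predefined or custom roles only (basic roles
  # are not supported), optionally narrowed by an IAM condition.
  privileged_access {
    gcp_iam_access {
      resource_type = "cloudresourcemanager.googleapis.com/Project"
      resource      = "//cloudresourcemanager.googleapis.com/projects/my-prod-project"
      role_bindings {
        role                 = "roles/storage.objectAdmin"
        condition_expression = "resource.name.startsWith(\"projects/_/buckets/prod-\")"
      }
    }
  }
  # Optional: approval by a separate set of principals, who must justify it.
  approval_workflow {
    manual_approvals {
      require_approver_justification = true
      steps {
        approvals_needed          = 1
        approver_email_recipients = ["security-approvals@example.com"]
        approvers {
          principals = ["group:security-leads@example.com"]
        }
      }
    }
  }
  # Optional: extra stakeholders notified about grants and pending approvals.
  additional_notification_targets {
    admin_email_recipients     = ["secops-audit@example.com"]
    requester_email_recipients = ["oncall-sre@example.com"]
  }
}
```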

Use cases

To effectively use Privileged Access Manager, start by identifying specific use cases and scenarios where it can address your organization's needs. Tailor your Privileged Access Manager entitlements based on these use cases and necessary requirements and controls. This involves mapping out the users, roles, resources, and durations involved, along with any necessary justifications and approvals.

While Privileged Access Manager can be used as a general best practice to grant temporary rather than permanent privileges, here are some scenarios where it may be commonly used:

  • Grant emergency access: Allow select emergency responders to perform critical tasks without having to wait for approval. You can mandate justifications for additional context on why the emergency access is needed.

  • Control access to sensitive resources: Tightly control access to sensitive resources, requiring approvals and business justifications. Privileged Access Manager can also be used to audit how this access was used—for example, when granted roles were active for a user, which resources were accessible during that time, the justification for access, and who approved it.

    For example, you can use Privileged Access Manager to do the following:

    • Give developers temporary access to production environments for troubleshooting or deployments.

    • Give support engineers access to sensitive customer data for specific tasks.

    • Give database administrators elevated privileges for maintenance or configuration changes.

  • Help secure service accounts: Instead of permanently granting roles to service accounts, allow service accounts to self-elevate and assume roles only when needed for automated tasks.

  • Manage access for contractors and extended workforce: Grant contractors or members of the extended workforce temporary, time-bound access to resources, with approvals and justifications required.

Capabilities and limitations

The following sections describe the different capabilities and limitations of Privileged Access Manager.

Supported resources

Privileged Access Manager supports creating entitlements and requesting grants for projects, folders, and organizations. If you want to limit access to a subset of resources within a project, folder, or organization, you can add IAM Conditions to the entitlement. Privileged Access Manager supports all condition attributes except resource tags.

Supported roles

Privileged Access Manager supports predefined roles and custom roles. Basic roles are not supported.

Supported identities

Privileged Access Manager supports all types of identities, including Cloud Identity, Workforce Identity Federation, and Workload Identity Federation.

Audit logging

Privileged Access Manager events, such as creation of entitlements, requisition or review of grants, are logged to Cloud Audit Logs. For a complete list of events that Privileged Access Manager generates logs for, see the Privileged Access Manager audit logging documentation. To learn how to view these logs, see Audit entitlement and grant events in Privileged Access Manager.

Grant retention

Grants are automatically deleted from Privileged Access Manager 30 days after they are denied, revoked, or have expired or ended. Logs for grants are kept in Cloud Audit Logs for the log retention duration of the _Required bucket. To learn how to view these logs, see Audit entitlement and grant events in Privileged Access Manager.

Privileged Access Manager and IAM policy modifications

Privileged Access Manager manages temporary access by adding and removing role bindings from resources' IAM policies. If these role bindings are modified by something other than Privileged Access Manager, then Privileged Access Manager might not work as expected.

To avoid this issue, we recommend doing the following:

  • Don't manually modify role bindings that are managed by Privileged Access Manager.
  • If you use Terraform to manage your IAM policies, ensure that you're using non-authoritative resources instead of authoritative resources. This ensures that Terraform won't override Privileged Access Manager role bindings, even if they aren't in the declarative IAM policy configuration.
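An added example, not from this page, showing the two forms side by side with the google provider's project IAM resources; the project ID and group are placeholders, and a real configuration would keep only the non-authoritative form.

```hcl
# Added example. Placeholders: project ID and group.

# AUTHORITATIVE: google_project_iam_binding owns the member list for
# roles/storage.objectAdmin on this project. On the next apply it can remove
# members it does not declare, including the role binding Privileged Access
# Manager added for an active grant, so the grant stops working as expected.
# (google_project_iam_policy is broader still: it owns the entire IAM policy.)
resource "google_project_iam_binding" "storage_admins_authoritative" {
  project = "my-prod-project"
  role    = "roles/storage.objectAdmin"
  members = ["group:storage-admins@example.com"]
}

# NON-AUTHORITATIVE: google_project_iam_member manages exactly one
# (role, member) pair and leaves every other binding on that role alone,
# so Privileged Access Manager's temporary bindings survive each apply.
resource "google_project_iam_member" "storage_admins" {
  for_each = toset(["group:storage-admins@example.com"])
  project  = "my-prod-project"
  role     = "roles/storage.objectAdmin"
  member   = each.value
}
```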

Notifications

Privileged Access Manager can notify you about various events happening in Privileged Access Manager as described in the following sections.

Email notifications

Privileged Access Manager sends email notifications to the relevant stakeholders about entitlement and grant changes. The sets of recipients are as follows:

  • Eligible requesters of an entitlement:

    • Email addresses of Cloud Identity users and groups specified as requesters in the entitlement
    • Manually configured email addresses in the entitlement: When using the Google Cloud console, these email addresses are listed in the Notify about an eligible entitlement field in the Additional notifications section of the entitlement. When using the gcloud CLI or the REST API, these email addresses are listed in the requesterEmailRecipients field.
  • Grant approvers for an entitlement:

    • Email addresses of Cloud Identity users and groups specified as approvers in the entitlement.
    • Manually configured email addresses in the entitlement: When using the Google Cloud console, these email addresses are listed in the Notify when a grant is pending approval field in the Additional notifications section of the entitlement. When using the gcloud CLI or the REST API, these email addresses are listed in the approverEmailRecipients field of the approval workflow steps.
  • Administrator of the entitlement:

    • Manually configured email addresses in the entitlement: When using the Google Cloud console, these email addresses are listed in the Notify when access is granted field in the Additional notifications section of the entitlement. When using the gcloud CLI or the REST API, these email addresses are listed in the adminEmailRecipients field.
  • Requester of a grant:

    • Email address of the grant requester if they are a Cloud Identity user.
    • Additional email addresses added by the requester while requesting the grant: When using the Google Cloud console, these email addresses are listed in the Email addresses to receive updates about this grant field. When using the gcloud CLI or the REST API, these email addresses are listed in the additionalEmailRecipients field.

Privileged Access Manager sends emails to these email addresses for the following events:

  • Eligible requesters of an entitlement: when the entitlement is created and becomes available for use.
  • Grant approvers for an entitlement: when a grant is requested and it requires approval.
  • Requester of a grant:

    • When the grant is successfully activated or fails to be activated
    • When the grant ends
    • When the grant is denied
    • When the grant expires (it was not approved or denied within 24 hours)
    • When the grant is revoked
  • Administrator of the entitlement:

    • When the grant is successfully activated or fails to be activated
    • When the grant ends

Pub/Sub notifications

Privileged Access Manager is integrated with Cloud Asset Inventory. You can use the Cloud Asset Inventory feeds feature to receive notifications about all grant changes through Pub/Sub. The asset type to use for grants is privilegedaccessmanager.googleapis.com/Grant.
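An added example, not part of this page, that wires that feed up with Terraform: a Pub/Sub topic, a project-scoped Cloud Asset Inventory feed for the Grant asset type, and the publish permission the Cloud Asset service agent needs on the topic. The project ID is a placeholder.

```hcl
# Added example. Placeholder: the project ID.
data "google_project" "current" {
  project_id = "my-prod-project"
}

# Topic that receives one message per grant change.
resource "google_pubsub_topic" "pam_grant_changes" {
  project = data.google_project.current.project_id
  name    = "pam-grant-changes"
}

# Cloud Asset Inventory publishes through its service agent, which must be
# allowed to publish to the topic; without this the feed delivers nothing.
resource "google_pubsub_topic_iam_member" "cloudasset_publisher" {
  project = data.google_project.current.project_id
  topic   = google_pubsub_topic.pam_grant_changes.name
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-cloudasset.iam.gserviceaccount.com"
}

# Feed scoped to the project; use the folder or organization feed resources
# for entitlements created at those levels. content_type RESOURCE delivers
# the full grant resource with each change, so a subscriber can record who
# was granted what, on which resource, and when.
resource "google_cloud_asset_project_feed" "pam_grants" {
  project      = data.google_project.current.project_id
  feed_id      = "pam-grant-changes"
  content_type = "RESOURCE"
  asset_types  = ["privilegedaccessmanager.googleapis.com/Grant"]

  feed_output_config {
    pubsub_destination {
      topic = google_pubsub_topic.pam_grant_changes.id
    }
  }

  depends_on = [google_pubsub_topic_iam_member.cloudasset_publisher]
}
```

The Cloud Asset service agent only exists once the Cloud Asset API has been enabled for the project, so enable it before applying this configuration.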

What's next