Privileged Access Manager permissions and setup

Before you can start creating, modifying, or managing Privileged Access Manager entitlements and grants, your principals must have the appropriate permissions. The service must also be set up at the organization, folder, or project level.

Principals who request grants, and principals who approve or deny them, don't need any Privileged Access Manager-specific permissions; their eligibility to request or approve is defined in the entitlement itself.

Roles

To get the permissions that you need to work with entitlements and grants, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

  • To create, update, and delete entitlements: Privileged Access Manager Admin (roles/privilegedaccessmanager.admin). Additionally, either Folder IAM Admin (roles/resourcemanager.folderIamAdmin), Project IAM Admin (roles/resourcemanager.projectIamAdmin), or Security Admin (roles/iam.securityAdmin). The second role is needed because an entitlement delegates the ability to grant the roles it lists, which amounts to setting IAM policy on the target resource; a principal who can't set that policy directly must not be able to do it through an entitlement either.
  • To view entitlements and grants: Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)
  • To view audit logs: Logs Viewer (roles/logs.viewer)

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to work with entitlements and grants. The exact permissions are listed in the Required permissions section that follows:

Required permissions

The following permissions are required to work with entitlements and grants:

  • To enable Privileged Access Manager at the organization, folder, or project scope:
    • privilegedaccessmanager.locations.checkOnboardingStatus
    • resourcemanager.organizations.get
    • resourcemanager.organizations.getIamPolicy
    • resourcemanager.organizations.setIamPolicy
    • resourcemanager.folders.get
    • resourcemanager.folders.getIamPolicy
    • resourcemanager.folders.setIamPolicy
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.setIamPolicy
  • To manage entitlements and grants:
    • resourcemanager.folders.get
    • resourcemanager.organizations.get
    • resourcemanager.projects.get
    • privilegedaccessmanager.entitlements.create
    • privilegedaccessmanager.entitlements.delete
    • privilegedaccessmanager.entitlements.get
    • privilegedaccessmanager.entitlements.list
    • privilegedaccessmanager.entitlements.setIamPolicy
    • privilegedaccessmanager.grants.get
    • privilegedaccessmanager.grants.list
    • privilegedaccessmanager.grants.revoke
    • privilegedaccessmanager.locations.get
    • privilegedaccessmanager.locations.list
    • privilegedaccessmanager.operations.delete
    • privilegedaccessmanager.operations.get
    • privilegedaccessmanager.operations.list
  • To view entitlements and grants:
    • resourcemanager.folders.get
    • resourcemanager.organizations.get
    • resourcemanager.projects.get
    • privilegedaccessmanager.entitlements.get
    • privilegedaccessmanager.entitlements.list
    • privilegedaccessmanager.grants.get
    • privilegedaccessmanager.grants.list
    • privilegedaccessmanager.locations.get
    • privilegedaccessmanager.locations.list
    • privilegedaccessmanager.operations.get
    • privilegedaccessmanager.operations.list
  • To view audit logs: logging.logEntries.list

You might also be able to get these permissions with custom roles or other predefined roles. Before handing out broad roles such as Security Admin, check whether a custom role built from the list above covers what the principal actually needs.
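Rather than guessing which of the roles above a principal already has, you can ask IAM directly. The following script is an added example and is not code from the Privileged Access Manager documentation: it builds the permission set for a task (enable, manage, or view) on a project, folder, or organization from the lists above, submits it to the Cloud Resource Manager v3 testIamPermissions method (which returns only the subset of the requested permissions the caller holds), and prints what is still missing. The scope name, the sample response, and the use of the active gcloud account's access token are assumptions made for the example.

```python
"""Pre-flight permission check for Privileged Access Manager.

Added example; it is not code from the Privileged Access Manager
documentation. It asks Cloud Resource Manager's testIamPermissions method
which of the permissions listed on this page the caller actually holds on a
project, folder or organization, and reports the gap. The sample response
at the bottom is constructed for an offline run; the live call needs an
OAuth 2.0 access token.
"""
import json
import subprocess
import urllib.request
from typing import Optional

SCOPE_KINDS = ("projects", "folders", "organizations")


def _pam(resource: str, *verbs: str) -> set[str]:
    return {f"privilegedaccessmanager.{resource}.{v}" for v in verbs}


# Permission lists copied from the "Required permissions" section.
PAM_VIEW = (
    _pam("entitlements", "get", "list")
    | _pam("grants", "get", "list")
    | _pam("locations", "get", "list")
    | _pam("operations", "get", "list")
)
PAM_MANAGE = PAM_VIEW | (
    _pam("entitlements", "create", "delete", "setIamPolicy")
    | _pam("grants", "revoke")
    | _pam("operations", "delete")
)


def required_permissions(task: str, scope: str) -> set[str]:
    """Permissions for `task` ('enable', 'manage' or 'view') on `scope`.

    `scope` is 'projects/ID', 'folders/ID' or 'organizations/ID'. The page
    lists the resourcemanager permissions for all three scope kinds; only
    the ones matching the given kind can be held on that resource, so the
    others are dropped here.
    """
    kind, _, ident = scope.partition("/")
    if kind not in SCOPE_KINDS or not ident:
        raise ValueError(f"scope must look like projects/ID, got {scope!r}")
    rm = f"resourcemanager.{kind}."
    if task == "enable":
        return {"privilegedaccessmanager.locations.checkOnboardingStatus",
                rm + "get", rm + "getIamPolicy", rm + "setIamPolicy"}
    if task == "manage":
        return PAM_MANAGE | {rm + "get"}
    if task == "view":
        return PAM_VIEW | {rm + "get"}
    raise ValueError(f"unknown task {task!r}")


def missing_permissions(required: set[str], response: dict) -> list[str]:
    """Diff the required set against a testIamPermissions response.

    The response carries only the permissions the caller holds; when it
    holds none at all, the `permissions` key is absent entirely.
    """
    return sorted(required - set(response.get("permissions", [])))


def call_test_iam_permissions(scope: str, permissions: set[str], token: str) -> dict:
    """Live call: POST https://cloudresourcemanager.googleapis.com/v3/{scope}:testIamPermissions."""
    url = f"https://cloudresourcemanager.googleapis.com/v3/{scope}:testIamPermissions"
    req = urllib.request.Request(
        url,
        data=json.dumps({"permissions": sorted(permissions)}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed response: a caller who holds everything needed to enable PAM
# on a project except the ability to change the project's IAM policy.
SAMPLE_RESPONSE = {
    "permissions": [
        "privilegedaccessmanager.locations.checkOnboardingStatus",
        "resourcemanager.projects.get",
        "resourcemanager.projects.getIamPolicy",
    ]
}


def preflight(task: str, scope: str, response: Optional[dict] = None) -> list[str]:
    """Return the permissions still missing for `task` on `scope`.

    Without `response`, the access token of the active gcloud account is
    used for a live check (assumed to be available on PATH).
    """
    required = required_permissions(task, scope)
    if response is None:
        token = subprocess.run(["gcloud", "auth", "print-access-token"],
                               check=True, capture_output=True, text=True).stdout.strip()
        response = call_test_iam_permissions(scope, required, token)
    return missing_permissions(required, response)


if __name__ == "__main__":
    # Offline run against the constructed response (project name is assumed).
    print(preflight("enable", "projects/my-project", SAMPLE_RESPONSE))
```

Run it with `preflight("manage", "folders/FOLDER_ID")` and no response argument to test the live policy; an empty list means the caller can proceed, anything else is the exact permission to ask the administrator for.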

Enable Privileged Access Manager

After you have the permissions required to enable Privileged Access Manager, complete the following steps:

  1. Go to the Privileged Access Manager page.

  2. Select the organization, folder, or project that you want to enable Privileged Access Manager for.

  3. Click Enable PAM to enable the service for the selected resource scope.

  4. When asked to grant the Privileged Access Manager Service Agent role to the Privileged Access Manager service agent, click Grant role. The service agent is the identity that applies and removes the roles behind approved grants, so without this binding grants can't be activated.

  5. Make sure the Privileged Access Manager service agent isn't blocked by the following security controls:

  6. Click Complete setup.
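After setup, it is worth confirming that the service agent binding from step 4 really landed on the resource's IAM policy. The script below is an added example, not code from the documentation. It reads a policy in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and flags the three ways the binding can be missing or ineffective: not present, marked by IAM as `deleted:` (the service agent was deleted and recreated, so the old binding is dead), or carrying an IAM condition that may not apply. The role name `roles/privilegedaccessmanager.serviceAgent` and the project-scope identity `service-PROJECT_NUMBER@gcp-sa-pam.iam.gserviceaccount.com` are assumptions; take the exact values from the setup dialog for your resource. The policies in the block are constructed.

```python
"""Post-setup check: the Privileged Access Manager service agent's binding.

Added example, not code from the documentation. It reads an IAM policy
(as returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`)
and reports whether the service agent holds the role granted in step 4.
Assumptions, to be checked against what the setup dialog shows for your
resource: the role is roles/privilegedaccessmanager.serviceAgent, and for a
project the agent's identity is
service-PROJECT_NUMBER@gcp-sa-pam.iam.gserviceaccount.com. The policies at
the bottom are constructed.
"""
import json
import subprocess

SERVICE_AGENT_ROLE = "roles/privilegedaccessmanager.serviceAgent"  # assumption


def project_service_agent(project_number: str) -> str:
    """Service agent e-mail for a project (assumed naming pattern)."""
    return f"service-{project_number}@gcp-sa-pam.iam.gserviceaccount.com"


def service_agent_status(policy: dict, agent_email: str,
                         role: str = SERVICE_AGENT_ROLE) -> dict:
    """Inspect the bindings of `policy` for the service agent.

    bound        the agent is a member of the role binding
    conditional  that binding carries an IAM condition, so it may not apply
    deleted      IAM rewrote the member as 'deleted:...?uid=', meaning the
                 agent was deleted and recreated; the binding is dead
    Only bindings set directly on this resource are visible here; a role
    inherited from a parent folder or organization would not show up.
    """
    member = f"serviceAccount:{agent_email}"
    status = {"bound": False, "conditional": False, "deleted": False}
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        for m in binding.get("members", []):
            if m == member:
                status["bound"] = True
                status["conditional"] = "condition" in binding
            elif m.startswith(f"deleted:{member}?uid="):
                status["deleted"] = True
    return status


def explain(status: dict) -> str:
    """Turn a status dict into the action a practitioner should take."""
    if status["deleted"] and not status["bound"]:
        return "binding refers to a deleted service agent; re-run setup"
    if not status["bound"]:
        return "service agent is not bound; grant the role (step 4)"
    if status["conditional"]:
        return "bound, but under an IAM condition; check that it applies"
    return "ok"


def fetch_project_policy(project_id: str) -> dict:
    """Live read via gcloud (needs resourcemanager.projects.getIamPolicy)."""
    out = subprocess.run(
        ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed policies for the offline run (project number is made up).
AGENT = project_service_agent("123456789012")
POLICY_OK = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": SERVICE_AGENT_ROLE, "members": [f"serviceAccount:{AGENT}"]},
    ],
    "etag": "BwYAAAAAAAA=", "version": 1,
}
POLICY_STALE = {
    "bindings": [
        {"role": SERVICE_AGENT_ROLE,
         "members": [f"deleted:serviceAccount:{AGENT}?uid=1234"]},
    ],
    "etag": "BwYAAAAAAAB=", "version": 1,
}
POLICY_CONDITIONAL = {
    "bindings": [
        {"role": SERVICE_AGENT_ROLE, "members": [f"serviceAccount:{AGENT}"],
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
    "etag": "BwYAAAAAAAC=", "version": 3,
}


if __name__ == "__main__":
    for name, policy in [("ok", POLICY_OK), ("stale", POLICY_STALE),
                         ("conditional", POLICY_CONDITIONAL)]:
        print(name, "->", explain(service_agent_status(policy, AGENT)))
```

For a live check, pass `fetch_project_policy("my-project")` and the agent e-mail from the setup dialog to `service_agent_status`; if PAM was enabled at folder or organization level, read that resource's policy instead, since the binding is set where PAM was enabled.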

Allow the Privileged Access Manager email address

For email accounts and groups that receive Privileged Access Manager email notifications, add pam-noreply@google.com to your allow lists so the email isn't blocked. Allow the exact address rather than the whole domain, and keep SPF, DKIM, and DMARC checks in force so that a message spoofing this sender is still rejected.