Before you can start creating, modifying, or managing Privileged Access Manager entitlements and grants, your principals must have the appropriate permissions. The service must also be set up at the organization, folder, or project level.
Principals requesting grants and approving or denying the grants don't require any Privileged Access Manager-specific permissions.
Roles
To get the permissions that you need to work with entitlements and grants, ask your administrator to grant you the following IAM roles on the organization, folder, or project:
- To create, update, and delete entitlements: Privileged Access Manager Admin (roles/privilegedaccessmanager.admin). Additionally, either Folder IAM Admin (roles/resourcemanager.folderIamAdmin), Project IAM Admin (roles/resourcemanager.projectIamAdmin), or Security Admin (roles/iam.securityAdmin).
- To view entitlements and grants: Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)
- To view audit logs: Logs Viewer (roles/logs.viewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
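The role requirements above combine an AND (PAM Admin) with an OR (one of three IAM admin roles), which is easy to get wrong when auditing who can actually create entitlements. The following added example, which is not Google's code, reads the allow-policy JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints (folders and organizations return the same shape) and reports, per principal, which of the tasks listed above their directly bound roles cover. The sample policy and principal names are constructed; group memberships are not expanded, and bindings with an IAM condition are reported for review rather than counted as granted.

```python
"""Evaluate an IAM allow policy against the Privileged Access Manager role
requirements listed on this page. Added example, not Google's code."""
import json

PAM_ADMIN = "roles/privilegedaccessmanager.admin"
PAM_VIEWER = "roles/privilegedaccessmanager.viewer"
LOGS_VIEWER = "roles/logs.viewer"
# PAM Admin plus any ONE of these allows creating, updating and deleting entitlements.
IAM_ADMIN_ROLES = {
    "roles/resourcemanager.folderIamAdmin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.securityAdmin",
}


def roles_for(policy: dict, principal: str) -> tuple[set[str], set[str]]:
    """Return (unconditional_roles, conditional_roles) bound directly to `principal`.

    Conditional bindings only apply while their CEL condition holds, which cannot be
    evaluated offline, so they are reported separately instead of counted as granted.
    Members reached through a group are not resolved here.
    """
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if principal not in binding.get("members", []):
            continue
        (conditional if binding.get("condition") else granted).add(binding["role"])
    return granted, conditional


def pam_capabilities(policy: dict, principal: str) -> dict:
    """Map the principal's roles onto the tasks this page describes."""
    granted, conditional = roles_for(policy, principal)
    return {
        # Create/update/delete entitlements: PAM Admin AND one IAM admin role.
        "manage_entitlements": PAM_ADMIN in granted and bool(granted & IAM_ADMIN_ROLES),
        # View entitlements and grants: the Viewer role, or Admin, whose
        # "manage" permission list on this page includes every get/list permission.
        "view_entitlements_and_grants": bool(granted & {PAM_ADMIN, PAM_VIEWER}),
        "view_audit_logs": LOGS_VIEWER in granted,
        "conditional_roles_to_review": sorted(conditional),
    }


# Constructed sample policy in the shape gcloud prints; not a real project's policy.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/privilegedaccessmanager.admin",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["user:alice@example.com"]},
    {"role": "roles/iam.securityAdmin",
     "members": ["user:bob@example.com"],
     "condition": {"title": "business-hours",
                   "expression": "request.time.getHours('UTC') < 18"}},
    {"role": "roles/privilegedaccessmanager.viewer",
     "members": ["user:carol@example.com"]},
    {"role": "roles/logs.viewer",
     "members": ["user:carol@example.com"]}
  ],
  "etag": "BwX-constructed",
  "version": 3
}
""")

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com", "user:carol@example.com"):
        print(who, pam_capabilities(SAMPLE_POLICY, who))
```

In the sample, alice can manage entitlements, bob cannot until the conditional Security Admin binding is reviewed, and carol can only view entitlements, grants and audit logs.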
These predefined roles contain the permissions required to work with entitlements and grants. The exact permissions that are required are listed in the following Required permissions section:
Required permissions
The following permissions are required to work with entitlements and grants:
- To enable Privileged Access Manager at the organization, folder, or project scope:
  - privilegedaccessmanager.locations.checkOnboardingStatus
  - resourcemanager.organizations.get
  - resourcemanager.organizations.getIamPolicy
  - resourcemanager.organizations.setIamPolicy
  - resourcemanager.folders.get
  - resourcemanager.folders.getIamPolicy
  - resourcemanager.folders.setIamPolicy
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.setIamPolicy
- To manage entitlements and grants:
  - resourcemanager.folders.get
  - resourcemanager.organizations.get
  - resourcemanager.projects.get
  - privilegedaccessmanager.entitlements.create
  - privilegedaccessmanager.entitlements.delete
  - privilegedaccessmanager.entitlements.get
  - privilegedaccessmanager.entitlements.list
  - privilegedaccessmanager.entitlements.setIamPolicy
  - privilegedaccessmanager.grants.get
  - privilegedaccessmanager.grants.list
  - privilegedaccessmanager.grants.revoke
  - privilegedaccessmanager.locations.get
  - privilegedaccessmanager.locations.list
  - privilegedaccessmanager.operations.delete
  - privilegedaccessmanager.operations.get
  - privilegedaccessmanager.operations.list
- To view entitlements and grants:
  - resourcemanager.folders.get
  - resourcemanager.organizations.get
  - resourcemanager.projects.get
  - privilegedaccessmanager.entitlements.get
  - privilegedaccessmanager.entitlements.list
  - privilegedaccessmanager.grants.get
  - privilegedaccessmanager.grants.list
  - privilegedaccessmanager.locations.get
  - privilegedaccessmanager.locations.list
  - privilegedaccessmanager.operations.get
  - privilegedaccessmanager.operations.list
- To view audit logs:
  - logging.logEntries.list
You might also be able to get these permissions with custom roles or other predefined roles.
Enable Privileged Access Manager
After you have the permissions required to enable Privileged Access Manager, complete the following steps:
1. Go to the Privileged Access Manager page.
2. Select the organization, folder, or project that you want to enable Privileged Access Manager for.
3. Click Enable PAM to enable the service for the selected resource scope.
4. When asked to grant the Privileged Access Manager Service Agent role to the Privileged Access Manager service agent to manage privilege escalations, click Grant role.
5. Make sure the Privileged Access Manager service agent isn't blocked by the following security controls:
   - Deny policies: Add the Privileged Access Manager service agent to the exceptionPrincipals field of your policies.
   - VPC Service Controls: Add the Privileged Access Manager service agent to the appropriate access levels, or add an ingress rule to the perimeter to allow the service agent.
6. Click Complete setup.
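The deny-policy check in the setup steps is worth automating, because a deny rule aimed at everyone (`principalSet://goog/public:all`) silently blocks the service agent unless the agent appears in `exceptionPrincipals`. The following added example, which is not Google's code, reads the JSON that `gcloud iam policies get ... --kind=denypolicies --format=json` prints and lists the rules that would still block the agent. It assumes that the permissions the agent must keep are the setIamPolicy permissions listed on this page, written in deny-policy notation (`cloudresourcemanager.googleapis.com/RESOURCE.setIamPolicy`); the agent principal is a placeholder to replace with the service agent email the console shows, and the sample policy is constructed.

```python
"""Find deny-policy rules that would block the Privileged Access Manager
service agent. Added example, not Google's code."""
import fnmatch
import json

# Placeholder: substitute the service agent email shown when enabling PAM.
PAM_AGENT = "principal://iam.googleapis.com/projects/-/serviceAccounts/PAM_SERVICE_AGENT_EMAIL"
# Deny policies address every principal with this principal set.
ALL_PRINCIPALS = "principalSet://goog/public:all"

# Assumption: the agent manages privilege escalations by editing allow policies, so
# the setIamPolicy permissions this page lists are the ones a deny rule must not
# remove. Deny policies spell permissions as SERVICE_FQDN/RESOURCE.VERB.
AGENT_PERMISSIONS = {
    "cloudresourcemanager.googleapis.com/organizations.setIamPolicy",
    "cloudresourcemanager.googleapis.com/folders.setIamPolicy",
    "cloudresourcemanager.googleapis.com/projects.setIamPolicy",
}


def _matches_any(permission: str, patterns: list) -> bool:
    """Deny rules may end a permission in a wildcard, e.g. .../folders.*"""
    return any(fnmatch.fnmatchcase(permission, p) for p in patterns)


def blocking_rules(policy: dict, agent: str = PAM_AGENT) -> list[dict]:
    """Return one finding per deny rule that can block `agent`."""
    findings = []
    for index, rule in enumerate(policy.get("rules", [])):
        deny = rule.get("denyRule")
        if not deny:
            continue
        denied = deny.get("deniedPrincipals", [])
        if agent not in denied and ALL_PRINCIPALS not in denied:
            continue  # the rule never targets the agent
        if agent in deny.get("exceptionPrincipals", []):
            continue  # agent already carved out, as step 5 asks
        blocked = sorted(
            p for p in AGENT_PERMISSIONS
            if _matches_any(p, deny.get("deniedPermissions", []))
            and not _matches_any(p, deny.get("exceptionPermissions", []))
        )
        if not blocked:
            continue
        findings.append({
            "rule_index": index,
            "blocked_permissions": blocked,
            # A denialCondition is a CEL expression that cannot be evaluated
            # offline; the rule is reported as blocking and flagged for review.
            "conditional": "denialCondition" in deny,
        })
    return findings


# Constructed sample deny policy; the project number is a placeholder.
SAMPLE_DENY_POLICY = json.loads("""
{
  "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F000000000000/denypolicies/lock-iam",
  "rules": [
    {"denyRule": {
      "deniedPrincipals": ["principalSet://goog/public:all"],
      "exceptionPrincipals": ["principal://iam.googleapis.com/projects/-/serviceAccounts/PAM_SERVICE_AGENT_EMAIL"],
      "deniedPermissions": ["cloudresourcemanager.googleapis.com/projects.setIamPolicy"]}},
    {"denyRule": {
      "deniedPrincipals": ["principalSet://goog/public:all"],
      "deniedPermissions": ["cloudresourcemanager.googleapis.com/folders.*"],
      "denialCondition": {"title": "outside-change-window",
                          "expression": "request.time.getHours('UTC') >= 18"}}},
    {"denyRule": {
      "deniedPrincipals": ["principalSet://goog/public:all"],
      "deniedPermissions": ["iam.googleapis.com/roles.create"]}}
  ]
}
""")

if __name__ == "__main__":
    for finding in blocking_rules(SAMPLE_DENY_POLICY):
        print(finding)
```

In the sample, rule 0 already excepts the agent, rule 2 denies a permission the agent does not need, and only rule 1 (a wildcard over folder permissions, with a condition to review) is reported.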
Allow the Privileged Access Manager email address
For email accounts and groups that receive Privileged Access Manager email notifications, add pam-noreply@google.com to your allow lists so the email isn't blocked.