View Privileged Access Manager settings

As a Privileged Access Manager settings viewer, you can view the Privileged Access Manager settings for an organization, folder, or project.

Before you begin

To get the permissions that you need to view Privileged Access Manager settings, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to view Privileged Access Manager settings. The exact permissions are listed in the Required permissions section:

Required permissions

The following permissions are required to view Privileged Access Manager settings:

  • To view settings:
    • privilegedaccessmanager.settings.get
    • privilegedaccessmanager.settings.fetchEffective

You might also be able to get these permissions with custom roles or other predefined roles.

View settings

Console

  1. Go to the Privileged Access Manager page.

  2. Select the organization, folder, or project that you want to view Privileged Access Manager settings for.

  3. Click the Settings tab.

The Settings page displays the Privileged Access Manager settings details for the selected resource.

REST

You can view the following settings for a resource:

  • Individual settings that are directly set on the resource.
  • Effective settings that are set on the resource or inherited from its parent resource.

    View individual settings for a resource

    The Privileged Access Manager API's getSettings method returns the settings that are directly set on a resource.

    Before using any of the request data, make the following replacements:

    • SCOPE: The organization, folder, or project that you want to retrieve the settings for, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.

    HTTP method and URL:

    GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings

    You should receive a JSON response similar to the following:

    
    {
      "createTime": "2025-05-18T10:10:10.101010101Z",
      "emailNotificationSettings": {
        "customNotificationBehavior": {
          "adminNotifications": {
            "grantActivated": "ENABLED",
            "grantActivationFailed": "DISABLED",
            "grantEnded": "ENABLED",
            "grantExternallyModified": "ENABLED"
          },
          "approverNotifications": {
            "pendingApproval": "ENABLED"
          },
          "requesterNotifications": {
            "entitlementAssigned": "ENABLED",
            "grantActivated": "ENABLED",
            "grantExpired": "ENABLED",
            "grantRevoked": "ENABLED"
          }
        }
      },
      "etag": "\"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md\"",
      "name": "SCOPE/locations/global/settings",
      "serviceAccountApproverSettings": {
        "enabled": true
      },
      "updateTime": "2025-05-18T10:10:10.101010101Z"
    }
    
    

    View effective settings on a resource

    The Privileged Access Manager API's fetchEffectiveSettings method returns the effective settings for a resource, that is, the settings that are set on the resource or inherited from its parent resource.

    Before using any of the request data, make the following replacements:

    • SCOPE: The organization, folder, or project that you want to retrieve the settings for, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.

    HTTP method and URL:

    GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global:effectiveSettings

    You should receive a JSON response similar to the following:

    {
      "emailNotificationSettings": {
        "customNotificationBehavior": {
          "adminNotifications": {
            "notifyGrantActivated": "true",
            "notifyGrantActivationFailed": "true",
            "notifyGrantEnded": "true",
            "notifyGrantExternallyModified": "true"
          },
          "approverNotifications": {
            "notifyPendingApproval": "true"
          },
          "requesterNotifications": {
            "notifyEntitlementAssigned": "true",
            "notifyEntitlementUpdated": "true",
            "notifyGrantActivated": "true",
            "notifyGrantActivationFailed": "true",
            "notifyGrantEnded": "true",
            "notifyGrantExpired": "true",
            "notifyGrantExternallyModified": "true",
            "notifyGrantRevoked": "true"
          }
        }
      },
      "parent": "SCOPE/locations/global",
      "serviceAccountApproverSettings": {}
    }
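
Added example (not from the original page or Google's own code): it builds both REST URLs for a SCOPE and normalizes the two response shapes shown above, so a configuration review can flag disabled notifications in either one. The scope regex, the function names, and treating an absent `enabled` field as false are assumptions of this example; the sample data is trimmed from the responses above.

```python
import json
import re
import urllib.request

API = "https://privilegedaccessmanager.googleapis.com/v1beta"
# Assumed patterns for the SCOPE formats described above (not an official validator).
SCOPE_RE = re.compile(r"(organizations|folders)/\d+|projects/[a-z][a-z0-9-]+")

def settings_urls(scope):
    """Return the (individual, effective) settings URLs for a validated SCOPE."""
    if not SCOPE_RE.fullmatch(scope):
        raise ValueError(f"unexpected SCOPE: {scope!r}")
    base = f"{API}/{scope}/locations/global"
    return f"{base}/settings", f"{base}:effectiveSettings"

def fetch(url, token):
    """GET one settings document using an OAuth 2.0 access token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def notification_states(settings):
    """Flatten either response shape to {(audience, event): enabled}."""
    email = settings.get("emailNotificationSettings", {})
    states = {}
    for audience, events in email.get("customNotificationBehavior", {}).items():
        for key, value in events.items():
            # Effective sample: "notifyGrantEnded": "true"; individual: "grantEnded": "ENABLED".
            name = key[6:] if key.startswith("notify") else key
            event = name[:1].lower() + name[1:]
            states[(audience, event)] = str(value).upper() in ("ENABLED", "TRUE")
    return states

def audit(settings):
    """List disabled notifications; an absent "enabled" flag is assumed to be false."""
    off = sorted(k for k, on in notification_states(settings).items() if not on)
    sa = settings.get("serviceAccountApproverSettings", {})
    return {"disabled_notifications": off, "service_account_approver_enabled": sa.get("enabled", False)}

INDIVIDUAL = {"emailNotificationSettings": {"customNotificationBehavior": {  # from the getSettings sample
    "adminNotifications": {"grantActivated": "ENABLED", "grantActivationFailed": "DISABLED"},
    "approverNotifications": {"pendingApproval": "ENABLED"}}},
    "serviceAccountApproverSettings": {"enabled": True}}
EFFECTIVE = {"emailNotificationSettings": {"customNotificationBehavior": {  # from the fetchEffectiveSettings sample
    "adminNotifications": {"notifyGrantActivated": "true", "notifyGrantActivationFailed": "true"},
    "approverNotifications": {"notifyPendingApproval": "true"}}},
    "serviceAccountApproverSettings": {}}

if __name__ == "__main__":
    print(settings_urls("projects/my-project"), audit(INDIVIDUAL), audit(EFFECTIVE), sep="\n")
```

Against a live resource, pass each URL from `settings_urls` to `fetch` and run `audit` on both results to see whether a locally disabled notification is also disabled in the effective settings.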
    
    