Privileged Access Manager permissions and setup

Before you can start creating, modifying, or managing Privileged Access Manager entitlements and grants, your principals must have the appropriate permissions. The service must also be set up at the organization, folder, or project level.

Principals who request grants, and principals who approve or deny them, don't need any Privileged Access Manager-specific permissions: they are named in the entitlement itself (as eligible users and approvers) rather than through IAM roles.

Before you begin

Ensure that you have the required Identity and Access Management (IAM) permissions to set up and manage Privileged Access Manager permissions.

To get the permissions that you need to work with entitlements and grants, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to work with entitlements and grants. To see the exact permissions that are required, see the Required permissions section:

Required permissions

The following permissions are required to work with entitlements and grants:

  • To enable Privileged Access Manager at an organization level:
    • privilegedaccessmanager.locations.checkOnboardingStatus
    • resourcemanager.organizations.get
    • resourcemanager.organizations.getIamPolicy
    • resourcemanager.organizations.setIamPolicy
    • serviceusage.services.enable
  • To manage entitlements and grants for an organization:
    • resourcemanager.organizations.get
    • resourcemanager.organizations.setIamPolicy
    • privilegedaccessmanager.entitlements.create
    • privilegedaccessmanager.entitlements.delete
    • privilegedaccessmanager.entitlements.get
    • privilegedaccessmanager.entitlements.list
    • privilegedaccessmanager.entitlements.setIamPolicy
    • privilegedaccessmanager.grants.get
    • privilegedaccessmanager.grants.list
    • privilegedaccessmanager.grants.revoke
    • privilegedaccessmanager.operations.delete
    • privilegedaccessmanager.operations.get
    • privilegedaccessmanager.operations.list
  • To view entitlements and grants for an organization:
    • resourcemanager.organizations.get
    • privilegedaccessmanager.entitlements.get
    • privilegedaccessmanager.entitlements.list
    • privilegedaccessmanager.grants.get
    • privilegedaccessmanager.grants.list
    • privilegedaccessmanager.operations.get
    • privilegedaccessmanager.operations.list
  • To enable Privileged Access Manager at a folder level:
    • privilegedaccessmanager.locations.checkOnboardingStatus
    • resourcemanager.folders.get
    • resourcemanager.folders.getIamPolicy
    • resourcemanager.folders.setIamPolicy
    • serviceusage.services.enable
  • To manage entitlements and grants for a folder:
    • resourcemanager.folders.get
    • resourcemanager.folders.setIamPolicy
    • privilegedaccessmanager.entitlements.create
    • privilegedaccessmanager.entitlements.delete
    • privilegedaccessmanager.entitlements.get
    • privilegedaccessmanager.entitlements.list
    • privilegedaccessmanager.entitlements.setIamPolicy
    • privilegedaccessmanager.grants.get
    • privilegedaccessmanager.grants.list
    • privilegedaccessmanager.grants.revoke
    • privilegedaccessmanager.operations.delete
    • privilegedaccessmanager.operations.get
    • privilegedaccessmanager.operations.list
  • To view entitlements and grants for a folder:
    • resourcemanager.folders.get
    • privilegedaccessmanager.entitlements.get
    • privilegedaccessmanager.entitlements.list
    • privilegedaccessmanager.grants.get
    • privilegedaccessmanager.grants.list
    • privilegedaccessmanager.operations.get
    • privilegedaccessmanager.operations.list
  • To enable Privileged Access Manager at a project level:
    • privilegedaccessmanager.locations.checkOnboardingStatus
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.setIamPolicy
    • serviceusage.services.enable
  • To manage entitlements and grants for a project:
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • privilegedaccessmanager.entitlements.create
    • privilegedaccessmanager.entitlements.delete
    • privilegedaccessmanager.entitlements.get
    • privilegedaccessmanager.entitlements.list
    • privilegedaccessmanager.entitlements.setIamPolicy
    • privilegedaccessmanager.grants.get
    • privilegedaccessmanager.grants.list
    • privilegedaccessmanager.grants.revoke
    • privilegedaccessmanager.operations.delete
    • privilegedaccessmanager.operations.get
    • privilegedaccessmanager.operations.list
  • To view entitlements and grants for a project:
    • resourcemanager.projects.get
    • privilegedaccessmanager.entitlements.get
    • privilegedaccessmanager.entitlements.list
    • privilegedaccessmanager.grants.get
    • privilegedaccessmanager.grants.list
    • privilegedaccessmanager.operations.get
    • privilegedaccessmanager.operations.list
  • To view audit logs: logging.logEntries.list

You might also be able to get these permissions with custom roles or other predefined roles.

Enable Privileged Access Manager

To enable Privileged Access Manager, you need to grant the Privileged Access Manager Service Agent role to the Privileged Access Manager service agent for your organization, folder, or project. This role is what lets the service agent modify IAM policies on that resource when it activates and revokes grants, so grant it only at the level where you are enabling the service.

To grant this role to the service agent, do the following:

  1. Go to the Privileged Access Manager page.

  2. Select the organization, folder, or project that you want to enable Privileged Access Manager for.

  3. Click Set up PAM to start the setup process.

  4. To grant the Privileged Access Manager Service Agent role to the Privileged Access Manager service agent, which it needs in order to manage privilege escalations, click Grant role.

  5. Make sure the Privileged Access Manager service agent is added to the following security controls:

  6. Click Complete setup.
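
The same "Grant role" step, done through the IAM API instead of the console, as an added example that is not Google's code: read the resource's IAM policy, add the service agent to the service agent role, and write the policy back. The service agent email formats (`service-PROJECT_NUMBER@gcp-sa-pam.iam.gserviceaccount.com` for projects, with `service-org-` and `service-folder-` prefixes for organizations and folders) and the role ID `roles/privilegedaccessmanager.serviceAgent` are assumptions taken from the service agents reference; confirm them against the console before use. The sample policy is constructed.

```python
"""Bind the PAM service agent to its service agent role (added example)."""
import copy
from typing import Dict

SERVICE_AGENT_ROLE = "roles/privilegedaccessmanager.serviceAgent"  # assumed role ID
PAM_API = "privilegedaccessmanager.googleapis.com"


def service_agent_email(resource: str) -> str:
    """PAM service agent for organizations/ID, folders/ID or projects/NUMBER (assumed formats).

    The service agent only exists once the API is enabled on the resource (or its
    identity has been created with `gcloud beta services identity create`).
    For projects the numeric project number is required, not the project ID.
    """
    kind, _, ident = resource.partition("/")
    if not ident:
        raise ValueError(f"expected KIND/ID, got {resource!r}")
    if kind == "organizations":
        local = f"service-org-{ident}"
    elif kind == "folders":
        local = f"service-folder-{ident}"
    elif kind == "projects":
        if not ident.isdigit():
            raise ValueError("projects/ must use the project number, not the project ID")
        local = f"service-{ident}"
    else:
        raise ValueError(f"unsupported resource type {kind!r}")
    return f"{local}@gcp-sa-pam.iam.gserviceaccount.com"


def has_binding(policy: Dict, member: str, role: str) -> bool:
    """True if an unconditional binding already grants `role` to `member`."""
    return any(
        b.get("role") == role and "condition" not in b and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def add_service_agent_binding(policy: Dict, resource: str) -> Dict:
    """Return a copy of `policy` with the PAM service agent bound to SERVICE_AGENT_ROLE.

    Idempotent; leaves every other binding untouched; keeps the etag so the
    following setIamPolicy call fails instead of overwriting a concurrent change.
    Conditional bindings for the role are never extended: the member goes into
    an unconditional binding, created if needed.
    """
    member = f"serviceAccount:{service_agent_email(resource)}"
    updated = copy.deepcopy(policy)
    if has_binding(updated, member, SERVICE_AGENT_ROLE):
        return updated
    bindings = updated.setdefault("bindings", [])
    for b in bindings:
        if b.get("role") == SERVICE_AGENT_ROLE and "condition" not in b:
            b.setdefault("members", []).append(member)
            break
    else:
        bindings.append({"role": SERVICE_AGENT_ROLE, "members": [member]})
    return updated


# Constructed sample policy, as getIamPolicy would return it for projects/123456789012.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyZ123",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
}

if __name__ == "__main__":
    # Real flow on the resource: enable PAM_API (needs serviceusage.services.enable),
    # then getIamPolicy -> add_service_agent_binding -> setIamPolicy.
    print(add_service_agent_binding(SAMPLE_POLICY, "projects/123456789012"))
```

Grant exactly this role to the service agent, not Owner or Editor: the service agent sets IAM policies on your resource on behalf of grant requesters, so any extra permission it holds is reachable through a mis-scoped entitlement.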

Allow the Privileged Access Manager email address

For email accounts and groups that receive Privileged Access Manager email notifications, add [email protected] to your allow lists so the email isn't blocked.

What's next