Before you can start creating, modifying, or managing PAM entitlements and grants, your principals must have the appropriate permissions. The service must also be set up at the organization, folder, or project level.
Principals requesting grants and approving or denying the grants don't require any PAM-specific permissions.
Roles
To get the permissions that you need to work with entitlements and grants, ask your administrator to grant you the following IAM roles on the organization, folder, or project:
-
To create, update, and delete entitlements:
Privileged Access Manager Admin (
roles/privilegedaccessmanager.admin). Additionally, either Folder IAM Admin (roles/resourcemanager.folderIamAdmin), Project IAM Admin (roles/resourcemanager.projectIamAdmin), or Security Admin (roles/iam.securityAdmin) -
To view entitlements and grants:
Privileged Access Manager Viewer (
roles/privilegedaccessmanager.viewer) -
To view audit logs:
Logs Viewer (
roles/logs.viewer)
For more information about granting roles, see Manage access.
These predefined roles contain the permissions required to work with entitlements and grants. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to work with entitlements and grants:
-
To enable PAM at the organization, folder, or project scope:
-
privilegedaccessmanager.locations.checkOnboardingStatus -
resourcemanager.organizations.get -
resourcemanager.organizations.getIamPolicy -
resourcemanager.organizations.setIamPolicy -
resourcemanager.folders.get -
resourcemanager.folders.getIamPolicy -
resourcemanager.folders.setIamPolicy -
resourcemanager.projects.get -
resourcemanager.projects.getIamPolicy -
resourcemanager.projects.setIamPolicy
-
-
To manage entitlements and grants:
-
resourcemanager.folders.get -
resourcemanager.organizations.get -
resourcemanager.projects.get -
privilegedaccessmanager.entitlements.create -
privilegedaccessmanager.entitlements.delete -
privilegedaccessmanager.entitlements.get -
privilegedaccessmanager.entitlements.list -
privilegedaccessmanager.entitlements.setIamPolicy -
privilegedaccessmanager.grants.get -
privilegedaccessmanager.grants.list -
privilegedaccessmanager.grants.revoke -
privilegedaccessmanager.locations.get -
privilegedaccessmanager.locations.list -
privilegedaccessmanager.operations.delete -
privilegedaccessmanager.operations.get -
privilegedaccessmanager.operations.list
-
-
To view entitlements and grants:
-
resourcemanager.folders.get -
resourcemanager.organizations.get -
resourcemanager.projects.get -
privilegedaccessmanager.entitlements.get -
privilegedaccessmanager.entitlements.list -
privilegedaccessmanager.grants.get -
privilegedaccessmanager.grants.list -
privilegedaccessmanager.locations.get -
privilegedaccessmanager.locations.list -
privilegedaccessmanager.operations.get -
privilegedaccessmanager.operations.list
-
-
To view audit logs:
logging.logEntries.list
You might also be able to get these permissions with custom roles or other predefined roles.
Enable Privileged Access Manager
After you have the permissions required to enable PAM, complete the following steps:
Go to the Privileged Access Manager page.
Select the organization, folder, or project that you want to enable PAM for.
Click Enable PAM to enable the service for the selected resource scope.
When asked to grant the Privileged Access Manager Service Agent role to the Privileged Access Manager Service Agent to manage privilege escalations, click Grant role.
Click Complete setup.
Allow the PAM email address
For email accounts and groups who receive PAM email
notifications, add pam-noreply@google.com to your allow lists so the email
isn't blocked.