Privileged Access Manager permissions and setup

Before you can start creating, modifying, or managing Privileged Access Manager entitlements and grants, your principals must have the appropriate permissions. The service must also be set up at the organization, folder, or project level.

Principals requesting grants and approving or denying the grants don't require any Privileged Access Manager-specific permissions.

Before you begin

Ensure that you have the required Identity and Access Management (IAM) permissions to set up and manage Privileged Access Manager permissions.

To get the permissions that you need to work with entitlements and grants, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

To create, update, and delete entitlements for an organization: Privileged Access Manager Admin ( roles/privilegedaccessmanager.admin ) and Security Admin ( roles/iam.securityAdmin )
To create, update, and delete entitlements for a folder: Privileged Access Manager Admin and Folder IAM Admin ( roles/resourcemanager.folderAdmin )
To create, update, and delete entitlements for a project: Privileged Access Manager Admin and Project IAM Admin ( roles/resourcemanager.projectIamAdmin )
To view entitlements and grants: Privileged Access Manager Viewer ( roles/privilegedaccessmanager.viewer )
To view audit logs: Logs Viewer ( roles/logs.viewer )

For more information about granting roles, see Manage access to projects, folders, and organizations .

These predefined roles contain the permissions required to work with entitlements and grants. To see the exact permissions that are required, expand the Required permissionssection:

Required permissions

The following permissions are required to work with entitlements and grants:

To enable Privileged Access Manager at an organization level:
- privilegedaccessmanager.locations.checkOnboardingStatus
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
- serviceusage.services.enable
To manage entitlements and grants for an organization:
- resourcemanager.organizations.get
- resourcemanager.organizations.setIamPolicy
- privilegedaccessmanager.entitlements.create
- privilegedaccessmanager.entitlements.delete
- privilegedaccessmanager.entitlements.get
- privilegedaccessmanager.entitlements.list
- privilegedaccessmanager.entitlements.setIamPolicy
- privilegedaccessmanager.grants.get
- privilegedaccessmanager.grants.list
- privilegedaccessmanager.grants.revoke
- privilegedaccessmanager.operations.delete
- privilegedaccessmanager.operations.get
- privilegedaccessmanager.operations.list
To view entitlements and grants for an organization:
- resourcemanager.organizations.get
- privilegedaccessmanager.entitlements.get
- privilegedaccessmanager.entitlements.list
- privilegedaccessmanager.grants.get
- privilegedaccessmanager.grants.list
- privilegedaccessmanager.operations.get
- privilegedaccessmanager.operations.list
To enable Privileged Access Manager at a folder level:
- privilegedaccessmanager.locations.checkOnboardingStatus
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.setIamPolicy
- serviceusage.services.enable
To manage entitlements and grants for a folder:
- resourcemanager.folders.get
- resourcemanager.folders.setIamPolicy
- privilegedaccessmanager.entitlements.create
- privilegedaccessmanager.entitlements.delete
- privilegedaccessmanager.entitlements.get
- privilegedaccessmanager.entitlements.list
- privilegedaccessmanager.entitlements.setIamPolicy
- privilegedaccessmanager.grants.get
- privilegedaccessmanager.grants.list
- privilegedaccessmanager.grants.revoke
- privilegedaccessmanager.operations.delete
- privilegedaccessmanager.operations.get
- privilegedaccessmanager.operations.list
To view entitlements and grants for a folder:
- resourcemanager.folders.get
- privilegedaccessmanager.entitlements.get
- privilegedaccessmanager.entitlements.list
- privilegedaccessmanager.grants.get
- privilegedaccessmanager.grants.list
- privilegedaccessmanager.operations.get
- privilegedaccessmanager.operations.list
To enable Privileged Access Manager at a project level:
- privilegedaccessmanager.locations.checkOnboardingStatus
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy
- serviceusage.services.enable
To manage entitlements and grants for a project:
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- privilegedaccessmanager.entitlements.create
- privilegedaccessmanager.entitlements.delete
- privilegedaccessmanager.entitlements.get
- privilegedaccessmanager.entitlements.list
- privilegedaccessmanager.entitlements.setIamPolicy
- privilegedaccessmanager.grants.get
- privilegedaccessmanager.grants.list
- privilegedaccessmanager.grants.revoke
- privilegedaccessmanager.operations.delete
- privilegedaccessmanager.operations.get
- privilegedaccessmanager.operations.list
To view entitlements and grants for a project:
- resourcemanager.projects.get
- privilegedaccessmanager.entitlements.get
- privilegedaccessmanager.entitlements.list
- privilegedaccessmanager.grants.get
- privilegedaccessmanager.grants.list
- privilegedaccessmanager.operations.get
- privilegedaccessmanager.operations.list
To view audit logs: logging.logEntries.list

You might also be able to get these permissions with custom roles or other predefined roles .

Enable Privileged Access Manager

To enable Privileged Access Manager, you need to grant the Privileged Access Manager Service Agent role to the Privileged Access Manager Service Agent for your organization, folder, or project.

To grant this role to the service agent, do the following:

Go to the Privileged Access Managerpage.

Go to Privileged Access Manager
Select the organization, folder, or project that you want to enable Privileged Access Manager for.
Click Set up PAMto start the setup process.
To grant access to the Privileged Access Manager Service Agentrole to the Privileged Access Manager service agent to manage privilege escalations, click Grant role.

Note: When you grant the role to the service agent for an organization or folder, the role is granted to all the folders and projects below them in the resource hierarchy .
Make sure the Privileged Access Manager service agent is added to the following security controls:
- Deny policies : Add the Privileged Access Manager service agent to the exceptionPrincipals field of your policies.
- VPC Service Controls : Add the Privileged Access Manager service agent to the appropriate access levels , or add an ingress rule to the perimeter to allow the service agent.
Click Complete setup.

Allow the Privileged Access Manager email address

For email accounts and groups who receive Privileged Access Manager email notifications, add pam-noreply@google.com to your allow lists so the email isn't blocked.

What's next

Create entitlements