If the IAM recommender identifies that a principal has excessive permissions, you can remediate the finding by transitioning the principal's permanent role binding to a temporary, on-demand entitlement in Privileged Access Manager (PAM).
This approach lets you achieve a least privilege posture without the risk of permanently revoking access that might be needed for infrequent but critical tasks.
Before you begin
- Ensure that Privileged Access Manager is onboarded and enabled for the resource (project, folder, or organization) where the role is granted.
- Verify that you have the permissions required to complete this guide.
Required roles and permissions
To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you the following IAM roles on your Google Cloud project:
- To view role recommendations:
  - Recommender IAM Admin (roles/recommender.iamAdmin)
  - Recommender IAM Viewer (roles/recommender.iamViewer)
- To create Privileged Access Manager (PAM) entitlements:
  - Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)
  - Project IAM Admin (roles/resourcemanager.projectIamAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to complete the tasks in this guide. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to complete the tasks in this guide:
- To view role recommendations:
  - recommender.iamPolicyInsights.list
  - recommender.iamPolicyRecommendations.list
  - resourcemanager.projects.get
- To create PAM entitlements:
  - privilegedaccessmanager.entitlements.create
  - privilegedaccessmanager.entitlements.list
  - privilegedaccessmanager.locations.list
  - privilegedaccessmanager.locations.get
  - resourcemanager.projects.get
  - resourcemanager.projects.setIamPolicy
You might also be able to get these permissions with custom roles or other predefined roles.
Transition a role to a Privileged Access Manager entitlement
When you transition a role to a Privileged Access Manager entitlement, IAM recommender coordinates with Privileged Access Manager to create an entitlement and remove the original permanent role binding. You can do this from either the Security Insights page or the IAM page in the Google Cloud console.
Security Insights
To transition a role from the Security Insights page, do the following:
- In the Google Cloud console, go to the IAM & Admin > Security Insights page.
- Locate the Top groups with excess permissions widget.
- For the group that you want to remediate permissions for, click the corresponding link in the Insights column.
- For the insight type that you want to address, click View recommendation.
- In the Overview page, select Remove role and grant on-demand access to the role.
- To create an entitlement with the required role, enter the required details, and click Apply. The Role and Resource fields in the form are pre-populated based on the recommendation. The Duration defaults to 8 hours. For detailed instructions, see Create entitlements.
Privileged Access Manager creates a new entitlement based on your configuration and removes the permanent role binding from the resource's allow policy.
Access changes take 1–2 minutes to take effect.
IAM
To transition a role from the IAM page, do the following:
- In the Google Cloud console, go to the IAM page.
- In the list of principals, locate the group that you want to remediate permissions for.
- To view recommendations for that group principal, click the insight in the Security insights column.
- In the Overview page, select Remove role and grant on-demand access to the role.
- To create an entitlement with the required role, enter the required details, and click Apply. The Role and Resource fields in the form are pre-populated based on the recommendation. The Duration defaults to 8 hours. For detailed instructions, see Create entitlements.
Privileged Access Manager creates a new entitlement based on your configuration and removes the permanent role binding from the resource's allow policy.
Access changes take 1–2 minutes to take effect.
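Both procedures above end with the same two changes: a time-bound PAM entitlement is created for the recommended role and resource, and the permanent binding is removed from the allow policy. As an added example that is not part of this page and not Google Cloud's own tooling, the following POSIX shell script performs the same transition with the gcloud CLI, filling in the role, project, requesting principal and the 8-hour (28800 s) default duration the way the recommendation pre-populates the form. It assumes that gcloud is installed and authenticated, that PAM is enabled on the project, and that the entitlement YAML fields it emits match the schema documented under Create entitlements (verify the field names against that reference before applying); the project, group and approver values are constructed placeholders. The script only prints the commands unless APPLY=1 is set in the environment.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console's "Remove role and grant
# on-demand access" remediation. Not the page's or Google Cloud's own code.
# Assumptions: gcloud is installed and authenticated, PAM is enabled on the
# project, and the entitlement YAML layout below matches the schema in the
# "Create entitlements" reference. All sample values are constructed.

# Execute a command when APPLY=1, otherwise print it as a dry run.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '[dry-run] %s\n' "$*"; fi
}

# Emit the entitlement spec. Arguments: role, project ID, principal who may
# request the role, max request duration in seconds, approver principal.
entitlement_spec() {
  role="$1"; project="$2"; requester="$3"; duration="$4"; approver="$5"
  cat <<EOF
privilegedAccess:
  gcpIamAccess:
    resourceType: cloudresourcemanager.googleapis.com/Project
    resource: //cloudresourcemanager.googleapis.com/projects/${project}
    roleBindings:
    - role: ${role}
maxRequestDuration: ${duration}s
eligibleUsers:
- principals:
  - ${requester}
requesterJustificationConfig:
  unstructured: {}
approvalWorkflow:
  manualApprovals:
    requireApproverJustification: true
    steps:
    - approvalsNeeded: 1
      approvers:
      - principals:
        - ${approver}
EOF
}

# Derive an entitlement ID from the role name (lowercase letters, digits and
# hyphens only), e.g. roles/storage.admin -> on-demand-storage-admin.
entitlement_id() {
  printf 'on-demand-%s' "$(printf '%s' "$1" \
    | sed -e 's#^roles/##' -e 's/[^A-Za-z0-9]/-/g' | tr 'A-Z' 'a-z')"
}

# Perform the transition in the order the console uses: create the
# time-bound entitlement first, then remove the permanent binding, so a
# failure at step one leaves the existing access untouched rather than
# leaving the principal with no path to the role.
transition_role() {
  role="$1"; project="$2"; principal="$3"; duration="${4:-28800}"; approver="$5"
  id="$(entitlement_id "$role")"
  spec_file="$(mktemp)"
  entitlement_spec "$role" "$project" "$principal" "$duration" "$approver" > "$spec_file"
  run gcloud pam entitlements create "$id" --project="$project" \
    --location=global --entitlement-file="$spec_file"
  run gcloud projects remove-iam-policy-binding "$project" \
    --member="$principal" --role="$role"
  rm -f "$spec_file"
}

# Dry-run demo with constructed sample values (no real project or principals).
transition_role roles/storage.admin my-sample-project \
  group:ops-team@example.com 28800 user:security-lead@example.com
```

The default duration of 28800 s corresponds to the console's 8-hour default; pass a smaller value as the fourth argument to tighten it. If the original binding carried an IAM condition, the remove-iam-policy-binding step also needs that condition supplied, or it will not match the binding.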
Revert a recommendation
To revert a recommendation, see Revert recommendations.
After you revert the recommendation, the system restores the original IAM binding and deletes the created Privileged Access Manager entitlement.
What's next
- Learn more about role recommendations.
- Understand PAM entitlements.

