Configure Privileged Access Manager settings

As a Privileged Access Manager settings administrator, you can configure some additional settings for the approval workflow and notification preferences.

The settings that you configure at the organization or folder level are automatically applied to their child resources, unless you explicitly override the settings at the child resource level.

You can enable service accounts as eligible approvers. This setting lets administrators add service accounts and identities in workload identity pools as approvers when creating or modifying an entitlement.

You can customize resource-wide notification preferences for various Privileged Access Manager events by selectively disabling notifications for specific events and specific personas, or disabling all notifications.

Before you begin

To get the permissions that you need to configure Privileged Access Manager settings, ask your administrator to grant you the following IAM roles:

  • Configure settings for your project, folder, or organization: PAM Settings Admin (roles/privilegedaccessmanager.settingsAdmin) on your organization
  • View settings for your project, folder, or organization: PAM Settings Viewer (roles/privilegedaccessmanager.settingsViewer) on your project, folder, or organization

These predefined roles contain the permissions required to configure Privileged Access Manager settings. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to configure Privileged Access Manager settings:

  • Configure settings: privilegedaccessmanager.settings.update
  • View settings:
    • privilegedaccessmanager.settings.get
    • privilegedaccessmanager.settings.fetchEffective

Enable service accounts as approvers

Console

  1. Go to the Privileged Access Manager page.

  2. Select the organization, folder, or project.

  3. Click the Settings tab. In the Settings source section, Inherit from parent is selected by default.

  4. To override settings inherited from the parent resource on a child resource, in the Service account as approver section, select Override inheritance.

  5. To enable the service account as approver setting, turn on the Enable Service Account As Approver toggle and click Save.

gcloud

The gcloud alpha pam settings update command configures additional Privileged Access Manager settings.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: Optional. The resource type that you want to update the settings for. Use the value organization, folder, or project.
  • RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • SA_AS_APPROVER: A boolean value in the serviceAccountApproverSettings field that indicates whether service accounts are allowed to approve grants. The default value is false.
    • If you specify the serviceAccountApproverSettings field with a value, then that setting is applied to your resource.
    • If you specify the serviceAccountApproverSettings field but leave it empty, then the default settings are applied to your resource.
    • If you don't specify the serviceAccountApproverSettings field at all, then your resource inherits the settings from the parent resource.

    If you disable this setting, grants that require approval from service accounts won't be approved. If your entitlements have only service accounts as approvers, those entitlements won't be effective.

  • request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the ETAG in the body so that you update the latest version of the settings.
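The three inheritance rules above (a field set with a value applies, a field set but empty resets to the defaults, an absent field inherits from the parent) are stated for both serviceAccountApproverSettings here and emailNotificationSettings in the notification preferences section. The following is an added example, not code from the Privileged Access Manager docs or service: it models those rules locally over a constructed organization/folder/project chain, with DEFAULTS taken from the defaults this page states (service accounts may not approve; every event in the default notification table is enabled). The service computes the effective result itself; this only makes the rules explicit.

```python
from typing import Any

# Service defaults as stated on this page: service accounts may not approve,
# and every notification in the default preferences table is ENABLED.
DEFAULTS: dict[str, Any] = {
    "serviceAccountApproverSettings": {"enabled": False},
    "emailNotificationSettings": {"customNotificationBehavior": {
        "adminNotifications": {
            "grantActivated": "ENABLED", "grantActivationFailed": "ENABLED",
            "grantEnded": "ENABLED", "grantExternallyModified": "ENABLED"},
        "approverNotifications": {"pendingApproval": "ENABLED"},
        "requesterNotifications": {
            "entitlementAssigned": "ENABLED", "grantActivated": "ENABLED",
            "grantExpired": "ENABLED", "grantRevoked": "ENABLED"},
    }},
}


def resolve_field(chain: list, field: str) -> Any:
    """chain is ordered child first, e.g. [project, folder, organization].
    Rule 1: field present with a value -> that value applies, as written.
    Rule 2: field present but empty    -> the service default applies.
    Rule 3: field absent               -> inherit: consult the parent."""
    for settings in chain:
        if field not in settings:
            continue                       # rule 3: move up one level
        if not settings[field]:
            return DEFAULTS[field]         # rule 2: {} or null resets to default
        return settings[field]             # rule 1
    return DEFAULTS[field]                 # unset everywhere: service default


def effective_settings(chain: list) -> dict:
    """The effective value of every settings field for the child at chain[0]
    (the value a settings.fetchEffective read would be expected to show)."""
    return {field: resolve_field(chain, field) for field in DEFAULTS}


# Constructed hierarchy: the org allows service-account approvers and silences
# approver mail; the folder resets notifications to the defaults with an empty
# field; the project sets nothing, so each field is inherited from above.
ORG = {
    "serviceAccountApproverSettings": {"enabled": True},
    "emailNotificationSettings": {"customNotificationBehavior": {
        "approverNotifications": {"pendingApproval": "DISABLED"}}},
}
FOLDER = {"emailNotificationSettings": {}}
PROJECT: dict = {}

if __name__ == "__main__":
    import json
    print(json.dumps(effective_settings([PROJECT, FOLDER, ORG]), indent=2))
```

Note that rule 1 returns the field exactly as written: a partial customNotificationBehavior is not merged with the defaults in this model.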

Save the following content in a file called filename.yaml:

emailNotificationSettings:
  customNotificationBehavior:
    adminNotifications:
      grantActivated: NOTIFICATION_MODE_1
      grantActivationFailed: DISABLED
      grantEnded: ENABLED
      grantExternallyModified: ENABLED
    approverNotifications:
      pendingApproval: NOTIFICATION_MODE_2
    requesterNotifications:
      entitlementAssigned: ENABLED
      grantActivated: ENABLED
      grantExpired: NOTIFICATION_MODE_3
      grantRevoked: ENABLED
etag: '"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md"'
name: RESOURCE_TYPE/RESOURCE_ID/locations/global/settings
serviceAccountApproverSettings:
  enabled: SA_AS_APPROVER

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud alpha pam settings update \
  --location=global \
  --RESOURCE_TYPE=RESOURCE_ID \
  --settings-file FILENAME.yaml

Windows (PowerShell)

gcloud alpha pam settings update `
  --location=global `
  --RESOURCE_TYPE=RESOURCE_ID `
  --settings-file FILENAME.yaml

Windows (cmd.exe)

gcloud alpha pam settings update ^
  --location=global ^
  --RESOURCE_TYPE=RESOURCE_ID ^
  --settings-file FILENAME.yaml

You should receive a response similar to the following:

Parsed [location] resource: RESOURCE_TYPE/RESOURCE_ID/locations/global
Request issued for: [global]
Updated location [global].
createTime: '2025-05-18T10:10:10.101010101Z'
emailNotificationSettings:
  customNotificationBehavior:
    adminNotifications:
      grantActivated: ENABLED
      grantActivationFailed: DISABLED
      grantEnded: ENABLED
      grantExternallyModified: ENABLED
    approverNotifications:
      pendingApproval: ENABLED
    requesterNotifications:
      entitlementAssigned: ENABLED
      grantActivated: ENABLED
      grantExpired: ENABLED
      grantRevoked: ENABLED
etag: "ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md1"
name: RESOURCE_TYPE/RESOURCE_ID/locations/global/settings
serviceAccountApproverSettings:
  enabled: true
updateTime: '2025-05-18T10:10:40.101010101Z'

REST

The Privileged Access Manager API's updateSettings method configures additional Privileged Access Manager settings.

Before using any of the request data, make the following replacements:

  • SCOPE: The organization, folder, or project that you want to update the settings for, in the format organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • UPDATED_FIELDS: A comma-separated list of fields that need to be updated in the settings. For example, emailNotificationSettings,serviceAccountApproverSettings.

    To update all fields that can be modified, set the update mask to *.

  • SA_AS_APPROVER: A boolean value in the serviceAccountApproverSettings field that indicates whether service accounts are allowed to approve grants. The default value is false.
    • If you specify the serviceAccountApproverSettings field with a value, then that setting is applied to your resource.
    • If you specify the serviceAccountApproverSettings field but leave it empty, then the default settings are applied to your resource.
    • If you don't specify the serviceAccountApproverSettings field at all, then your resource inherits the settings from the parent resource.

    If you disable this setting, grants that require approval from service accounts won't be approved. If your entitlements have only service accounts as approvers, those entitlements aren't effective.

  • request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the ETAG in the body so that you update the latest version of the settings.

HTTP method and URL:

PATCH https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS

Request JSON body:

{
  "emailNotificationSettings": {
    "customNotificationBehavior": {
      "adminNotifications": {
        "grantActivated": "NOTIFICATION_MODE_1",
        "grantActivationFailed": "DISABLED",
        "grantEnded": "ENABLED",
        "grantExternallyModified": "ENABLED"
      },
      "approverNotifications": {
        "pendingApproval": "NOTIFICATION_MODE_2"
      },
      "requesterNotifications": {
        "entitlementAssigned": "ENABLED",
        "grantActivated": "ENABLED",
        "grantExpired": "NOTIFICATION_MODE_3",
        "grantRevoked": "ENABLED"
      }
    }
  },
  "etag": "\"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md\"",
  "name": "SCOPE/locations/global/settings",
  "serviceAccountApproverSettings": {
    "enabled": SA_AS_APPROVER
  }
}


You should receive a JSON response similar to the following:

{
  "name": "SCOPE/locations/global/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1beta.OperationMetadata",
    "createTime": "2024-03-25T01:55:02.544562950Z",
    "target": "SCOPE/locations/global/settings",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1beta"
  },
  "done": false
}

To check on the progress of an update operation, you can send a GET request to the following endpoint:

https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations/OPERATION_ID

Send a GET request to the following endpoint to list all operations:

https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations
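The REST procedure above (and the same updateSettings call in the notification preferences section) is a read-modify-write: fetch the current settings, carry their etag into the PATCH body, and name the changed fields in updateMask. The following is an added example, not code from the Privileged Access Manager docs or service: it builds that PATCH request and runs it against a small constructed stand-in for the API, so the etag conflict that the ETAG requirement exists to catch can be exercised offline. The status codes (409 for a stale etag, 400 for a non-updatable field) and the expansion of the * mask are assumptions of this model, not documented responses.

```python
import copy
import urllib.parse

API = "https://privilegedaccessmanager.googleapis.com/v1beta"
MUTABLE = ("emailNotificationSettings", "serviceAccountApproverSettings")


def build_patch(scope: str, current: dict, changes: dict, mask: list):
    """Return (url, body) for PATCH .../settings?updateMask=...; the body carries
    the etag from the last GET so the service can detect a concurrent update."""
    body = {"name": f"{scope}/locations/global/settings", "etag": current["etag"]}
    for field in (MUTABLE if mask == ["*"] else mask):
        value = changes.get(field, current.get(field))
        if value is not None:
            body[field] = value
    query = urllib.parse.urlencode({"updateMask": ",".join(mask)})
    return f"{API}/{scope}/locations/global/settings?{query}", body


class FakeSettingsApi:
    """Constructed stand-in for the service: one settings resource per scope,
    versioned by etag. 409 for a stale etag and 400 for a bad mask are this
    model's choices, not documented responses."""
    def __init__(self):
        self.store, self.version = {}, 0

    def get(self, scope: str) -> dict:
        return copy.deepcopy(self.store.setdefault(scope, {
            "name": f"{scope}/locations/global/settings", "etag": '"v0"',
            "serviceAccountApproverSettings": {"enabled": False}}))

    def patch(self, url: str, body: dict):
        scope = url[len(API) + 1:].split("/locations/")[0]
        mask = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["updateMask"][0]
        fields = MUTABLE if mask == "*" else tuple(mask.split(","))
        if any(f not in MUTABLE for f in fields):
            return 400, {"error": f"updateMask names a field that cannot be updated: {mask}"}
        self.get(scope)                                  # make sure the resource exists
        current = self.store[scope]
        if body.get("etag") != current["etag"]:
            return 409, {"error": "etag mismatch: settings changed since they were read"}
        for field in fields:
            if field in body:
                current[field] = copy.deepcopy(body[field])
        self.version += 1
        current["etag"] = f'"v{self.version}"'           # every write yields a new etag
        return 200, copy.deepcopy(current)


def run_scenario(scope: str = "projects/my-project"):
    """Two clients read the same version; only the first write may succeed."""
    api = FakeSettingsApi()
    first, stale = api.get(scope), api.get(scope)        # both hold etag "v0"
    url, body = build_patch(scope, first, {"serviceAccountApproverSettings": {"enabled": True}},
                            ["serviceAccountApproverSettings"])
    status_a, _ = api.patch(url, body)                   # 200; etag becomes "v1"
    url, body = build_patch(scope, stale, {"serviceAccountApproverSettings": {"enabled": False}}, ["*"])
    status_b, _ = api.patch(url, body)                   # 409; "v0" is stale
    return status_a, status_b, api.get(scope)
```

The second client's write is rejected rather than silently undoing the first one, which is why the page insists the etag from the latest read be included in the body.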

Customize notification preferences

Console

  1. Go to the Privileged Access Manager page.

  2. Select the organization, folder, or project.

  3. Click the Settings tab.

  4. In the Notifications section, Inherit from parent is selected by default.

    The following table shows the default notification preferences:

    Event                           Admin   Requester   Approver
    Entitlement assigned            -       ✓           -
    Grant requires approval         -       -           ✓
    Grants are activated            ✓       ✓           -
    Grants are denied               -       ✓           -
    Grants are expired              -       ✓           -
    Grants have ended               ✓       ✓           -
    Grants are revoked              -       ✓           -
    Grants are externally modified  ✓       ✓           -
    Grants activation failed        ✓       ✓           -
  5. To override settings inheritance from the parent, turn on the Send notifications for the following events toggle.

  6. To disable notifications for the required PAM event and persona, clear the corresponding checkboxes, and click Save.

  7. To disable all the notifications, clear Send notifications for the following events, and click Save.

gcloud

The gcloud alpha pam settings update command configures additional Privileged Access Manager settings.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: Optional. The resource type that you want to update the settings for. Use the value organization, folder, or project.
  • RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • NOTIFICATION_MODE: In the emailNotificationSettings field, use ENABLED to send notification emails for the event, or DISABLED to prevent them.
    • If you specify the emailNotificationSettings field with a value, then that setting is applied to your resource.
    • If you specify the emailNotificationSettings field but leave it empty, then the default settings are applied to your resource.
    • If you don't specify the emailNotificationSettings field at all, then your resource inherits the settings from the parent resource.
  • request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the ETAG in the body so that you update the latest version of the settings.

Save the following content in a file called filename.yaml:

emailNotificationSettings:
  customNotificationBehavior:
    adminNotifications:
      grantActivated: NOTIFICATION_MODE_1
      grantActivationFailed: DISABLED
      grantEnded: ENABLED
      grantExternallyModified: ENABLED
    approverNotifications:
      pendingApproval: NOTIFICATION_MODE_2
    requesterNotifications:
      entitlementAssigned: ENABLED
      grantActivated: ENABLED
      grantExpired: NOTIFICATION_MODE_3
      grantRevoked: ENABLED
etag: '"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md"'
name: RESOURCE_TYPE/RESOURCE_ID/locations/global/settings
serviceAccountApproverSettings:
  enabled: SA_AS_APPROVER

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud alpha pam settings update \
  --location=global \
  --RESOURCE_TYPE=RESOURCE_ID \
  --settings-file FILENAME.yaml

Windows (PowerShell)

gcloud alpha pam settings update `
  --location=global `
  --RESOURCE_TYPE=RESOURCE_ID `
  --settings-file FILENAME.yaml

Windows (cmd.exe)

gcloud alpha pam settings update ^
  --location=global ^
  --RESOURCE_TYPE=RESOURCE_ID ^
  --settings-file FILENAME.yaml

You should receive a response similar to the following:

Parsed [location] resource: RESOURCE_TYPE/RESOURCE_ID/locations/global
Request issued for: [global]
Updated location [global].
createTime: '2025-05-18T10:10:10.101010101Z'
emailNotificationSettings:
  customNotificationBehavior:
    adminNotifications:
      grantActivated: ENABLED
      grantActivationFailed: DISABLED
      grantEnded: ENABLED
      grantExternallyModified: ENABLED
    approverNotifications:
      pendingApproval: ENABLED
    requesterNotifications:
      entitlementAssigned: ENABLED
      grantActivated: ENABLED
      grantExpired: ENABLED
      grantRevoked: ENABLED
etag: "ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md1"
name: RESOURCE_TYPE/RESOURCE_ID/locations/global/settings
serviceAccountApproverSettings:
  enabled: true
updateTime: '2025-05-18T10:10:40.101010101Z'
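Disabling notifications, as this section describes, also removes a signal that admins and approvers rely on to notice grant activity, so the resulting settings are worth checking in an access review. The following is an added example, not code from the Privileged Access Manager docs or the gcloud CLI: it parses the YAML-style settings that the update command prints (shown above) with a minimal indentation-based parser and lists every notification that is DISABLED by persona, plus whether service accounts may approve grants. SAMPLE_OUTPUT is constructed to match the response above, with a placeholder etag.

```python
import re
# Constructed to match the response shown above; the etag is a placeholder.
SAMPLE_OUTPUT = """\
Parsed [location] resource: projects/my-project/locations/global
createTime: '2025-05-18T10:10:10.101010101Z'
emailNotificationSettings:
  customNotificationBehavior:
    adminNotifications:
      grantActivated: DISABLED
      grantActivationFailed: DISABLED
      grantEnded: ENABLED
      grantExternallyModified: ENABLED
    approverNotifications:
      pendingApproval: DISABLED
    requesterNotifications:
      entitlementAssigned: ENABLED
      grantActivated: ENABLED
      grantExpired: ENABLED
      grantRevoked: ENABLED
etag: "EXAMPLE_ETAG"
serviceAccountApproverSettings:
  enabled: true
"""
LINE = re.compile(r"^( *)([A-Za-z@][A-Za-z0-9@]*):(?: (.*))?$")

def parse_settings(text: str) -> dict:
    """Minimal parser for the block-style YAML gcloud prints (2-space indent, scalar
    or nested-map values only); leading status lines do not match LINE and are skipped."""
    root: dict = {}
    stack = [(-1, root)]                          # (indent, open mapping)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack[-1][0] >= indent:             # close deeper or sibling maps
            stack.pop()
        parent = stack[-1][1]
        if value is None:                         # "key:" opens a nested map
            parent[key] = child = {}
            stack.append((indent, child))
        else:
            v = value.strip().strip("'\"")
            parent[key] = {"true": True, "false": False}.get(v, v)
    return root

def disabled_notifications(settings: dict) -> dict:
    """persona -> sorted events whose notification email is DISABLED."""
    behavior = settings.get("emailNotificationSettings", {}).get("customNotificationBehavior", {})
    return {persona: sorted(e for e, mode in events.items() if mode == "DISABLED")
            for persona, events in behavior.items()}

def audit(text: str) -> list:
    """Review findings: silenced notifications, and service accounts allowed to approve."""
    settings = parse_settings(text)
    findings = [f"{p}.{e}: DISABLED" for p, evs in disabled_notifications(settings).items() for e in evs]
    if settings.get("serviceAccountApproverSettings", {}).get("enabled") is True:
        findings.append("serviceAccountApproverSettings.enabled: true")
    return findings
```

Run audit() over the output of each resource's update (or a saved settings response) and compare the findings with what the access review expects.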

REST

The Privileged Access Manager API's updateSettings method configures additional Privileged Access Manager settings.

Before using any of the request data, make the following replacements:

  • SCOPE: The organization, folder, or project that you want to update the settings for, in the format organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • UPDATED_FIELDS: A comma-separated list of fields that need to be updated in the settings. For example, emailNotificationSettings,serviceAccountApproverSettings.

    To update all fields that can be modified, set the update mask to *.

  • NOTIFICATION_MODE: In the emailNotificationSettings field, use ENABLED to send notification emails for the event, or DISABLED to prevent them.
    • If you specify the emailNotificationSettings field with a value, then that setting is applied to your resource.
    • If you specify the emailNotificationSettings field but leave it empty, then the default settings are applied to your resource.
    • If you don't specify the emailNotificationSettings field at all, then your resource inherits the settings from the parent resource.
  • request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the ETAG in the body so that you update the latest version of the settings.

HTTP method and URL:

PATCH https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS

Request JSON body:

{
  "emailNotificationSettings": {
    "customNotificationBehavior": {
      "adminNotifications": {
        "grantActivated": "NOTIFICATION_MODE_1",
        "grantActivationFailed": "DISABLED",
        "grantEnded": "ENABLED",
        "grantExternallyModified": "ENABLED"
      },
      "approverNotifications": {
        "pendingApproval": "NOTIFICATION_MODE_2"
      },
      "requesterNotifications": {
        "entitlementAssigned": "ENABLED",
        "grantActivated": "ENABLED",
        "grantExpired": "NOTIFICATION_MODE_3",
        "grantRevoked": "ENABLED"
      }
    }
  },
  "etag": "\"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md\"",
  "name": "SCOPE/locations/global/settings",
  "serviceAccountApproverSettings": {
    "enabled": SA_AS_APPROVER
  }
}


You should receive a JSON response similar to the following:

{
  "name": "SCOPE/locations/global/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1beta.OperationMetadata",
    "createTime": "2024-03-25T01:55:02.544562950Z",
    "target": "SCOPE/locations/global/settings",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1beta"
  },
  "done": false
}

To check on the progress of an update operation, you can send a GET request to the following endpoint:

https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations/OPERATION_ID

Send a GET request to the following endpoint to list all operations:

https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations
