Privileged Access Manager overview

You can use Privileged Access Manager (PAM) to control just-in-time temporary privilege elevation for select principals, and to view audit logs afterwards to find out who had access to what and when.

To allow temporary elevation, you create an entitlement in PAM, and add the following attributes to it:

  • A set of principals who are allowed to request a grant against the entitlement.

  • Whether a justification is required for that grant.

  • A set of roles to temporarily grant. IAM conditions can be set on the roles.

  • The maximum duration a grant can last.

  • Optional: Whether requests need approval from a select set of principals, and whether those principals need to justify their approval.

  • Optional: Additional stakeholders to be notified about important events, such as grants and pending approvals.

A principal that's been added as a requester to an entitlement can request a grant against that entitlement. If successful, they are granted the roles listed in the entitlement until the end of the grant duration, after which the roles are revoked by PAM.
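The request and grant lifecycle described above, as an added example rather than Google's code or the PAM API. It is a local Python model with hypothetical class, field and state names, and it assumes the grant's clock starts when the grant becomes active.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Entitlement:  # hypothetical field names, not the PAM API schema
    requesters: set
    roles: list
    max_duration: timedelta
    require_justification: bool = True
    approvers: set = field(default_factory=set)  # empty: no approval step

@dataclass
class Grant:
    requester: str
    roles: list
    duration: timedelta
    state: str = "pending_approval"
    expires_at: datetime = None

def activate(grant, now):
    # Assumption of this model: the duration is counted from activation.
    grant.state, grant.expires_at = "active", now + grant.duration

def request_grant(ent, requester, duration, justification, now):
    """Check a request against the entitlement; raise if it is not allowed."""
    if requester not in ent.requesters:
        raise PermissionError(f"{requester} may not request this entitlement")
    if ent.require_justification and not justification.strip():
        raise ValueError("a justification is required")
    if not timedelta(0) < duration <= ent.max_duration:
        raise ValueError("duration is outside the entitlement maximum")
    grant = Grant(requester, list(ent.roles), duration)
    if not ent.approvers:  # no approval configured: active immediately
        activate(grant, now)
    return grant

def approve(ent, grant, approver, now):
    """Activate a pending grant if the approver is listed on the entitlement."""
    if approver not in ent.approvers:
        raise PermissionError(f"{approver} is not an approver")
    if grant.state != "pending_approval":
        raise ValueError("grant is not awaiting approval")
    activate(grant, now)
    return grant

def effective_roles(grant, at):
    """Roles held at time `at`; empty before approval and after expiry."""
    active = grant.state == "active" and at < grant.expires_at
    return grant.roles if active else []

# Constructed sample data.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ENT = Entitlement({"user:alice@example.com"}, ["roles/storage.admin"],
                  timedelta(hours=2), approvers={"user:bob@example.com"})
```
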
