Privileged Access Manager permissions and setup
Before you can start creating, modifying, or managing Privileged Access Manager entitlements and grants, your principals must have the appropriate permissions. The service must also be set up at the organization, folder, or project level.

Principals requesting grants and approving or denying grants don't require any Privileged Access Manager-specific permissions. The roles below are only needed by the principals who define entitlements, view them, or set up the service.
Before you begin

Ensure that you have the required Identity and Access Management (IAM) permissions to set up and manage Privileged Access Manager. To get the permissions that you need to work with entitlements and grants, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

- To create, update, and delete entitlements: Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`), plus an IAM admin role on the resource the entitlement is created on: Security Admin (`roles/iam.securityAdmin`) for an organization, Folder IAM Admin (`roles/resourcemanager.folderIamAdmin`) for a folder, or Project IAM Admin (`roles/resourcemanager.projectIamAdmin`) for a project. Security Admin is also accepted on folders and projects. Privileged Access Manager Admin on its own is not enough: creating an entitlement requires permission to set the IAM policy of the target resource, which the Privileged Access Manager roles do not carry.
- To view entitlements and grants: Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
- To view audit logs: Logs Viewer (`roles/logging.viewer`)

For more information about granting roles, see Manage access to projects, folders, and organizations (/iam/docs/granting-changing-revoking-access).
These predefined roles contain the permissions required to work with entitlements and grants. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to work with entitlements and grants. The `privilegedaccessmanager.*` permissions are the same at every level; the `resourcemanager.*` permissions differ by resource type.

- To enable Privileged Access Manager at the organization level:
  - `privilegedaccessmanager.locations.checkOnboardingStatus`
  - `resourcemanager.organizations.get`
  - `resourcemanager.organizations.getIamPolicy`
  - `resourcemanager.organizations.setIamPolicy`
  - `serviceusage.services.enable`
- To manage entitlements and grants for an organization:
  - `resourcemanager.organizations.get`
  - `resourcemanager.organizations.setIamPolicy`
  - `privilegedaccessmanager.entitlements.create`
  - `privilegedaccessmanager.entitlements.delete`
  - `privilegedaccessmanager.entitlements.get`
  - `privilegedaccessmanager.entitlements.list`
  - `privilegedaccessmanager.entitlements.setIamPolicy`
  - `privilegedaccessmanager.grants.get`
  - `privilegedaccessmanager.grants.list`
  - `privilegedaccessmanager.grants.revoke`
  - `privilegedaccessmanager.operations.delete`
  - `privilegedaccessmanager.operations.get`
  - `privilegedaccessmanager.operations.list`
- To view entitlements and grants for an organization:
  - `resourcemanager.organizations.get`
  - `privilegedaccessmanager.entitlements.get`
  - `privilegedaccessmanager.entitlements.list`
  - `privilegedaccessmanager.grants.get`
  - `privilegedaccessmanager.grants.list`
  - `privilegedaccessmanager.operations.get`
  - `privilegedaccessmanager.operations.list`
- To enable Privileged Access Manager at the folder level:
  - `privilegedaccessmanager.locations.checkOnboardingStatus`
  - `resourcemanager.folders.get`
  - `resourcemanager.folders.getIamPolicy`
  - `resourcemanager.folders.setIamPolicy`
  - `serviceusage.services.enable`
- To manage entitlements and grants for a folder:
  - `resourcemanager.folders.get`
  - `resourcemanager.folders.setIamPolicy`
  - `privilegedaccessmanager.entitlements.create`
  - `privilegedaccessmanager.entitlements.delete`
  - `privilegedaccessmanager.entitlements.get`
  - `privilegedaccessmanager.entitlements.list`
  - `privilegedaccessmanager.entitlements.setIamPolicy`
  - `privilegedaccessmanager.grants.get`
  - `privilegedaccessmanager.grants.list`
  - `privilegedaccessmanager.grants.revoke`
  - `privilegedaccessmanager.operations.delete`
  - `privilegedaccessmanager.operations.get`
  - `privilegedaccessmanager.operations.list`
- To view entitlements and grants for a folder:
  - `resourcemanager.folders.get`
  - `privilegedaccessmanager.entitlements.get`
  - `privilegedaccessmanager.entitlements.list`
  - `privilegedaccessmanager.grants.get`
  - `privilegedaccessmanager.grants.list`
  - `privilegedaccessmanager.operations.get`
  - `privilegedaccessmanager.operations.list`
- To enable Privileged Access Manager at the project level:
  - `privilegedaccessmanager.locations.checkOnboardingStatus`
  - `resourcemanager.projects.get`
  - `resourcemanager.projects.getIamPolicy`
  - `resourcemanager.projects.setIamPolicy`
  - `serviceusage.services.enable`
- To manage entitlements and grants for a project:
  - `resourcemanager.projects.get`
  - `resourcemanager.projects.getIamPolicy`
  - `privilegedaccessmanager.entitlements.create`
  - `privilegedaccessmanager.entitlements.delete`
  - `privilegedaccessmanager.entitlements.get`
  - `privilegedaccessmanager.entitlements.list`
  - `privilegedaccessmanager.entitlements.setIamPolicy`
  - `privilegedaccessmanager.grants.get`
  - `privilegedaccessmanager.grants.list`
  - `privilegedaccessmanager.grants.revoke`
  - `privilegedaccessmanager.operations.delete`
  - `privilegedaccessmanager.operations.get`
  - `privilegedaccessmanager.operations.list`
- To view entitlements and grants for a project:
  - `resourcemanager.projects.get`
  - `privilegedaccessmanager.entitlements.get`
  - `privilegedaccessmanager.entitlements.list`
  - `privilegedaccessmanager.grants.get`
  - `privilegedaccessmanager.grants.list`
  - `privilegedaccessmanager.operations.get`
  - `privilegedaccessmanager.operations.list`
- To view audit logs: `logging.logEntries.list`

You might also be able to get these permissions with custom roles (/iam/docs/creating-custom-roles) or other predefined roles (/iam/docs/roles-overview#predefined).
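The role requirement above has two parts that are easy to get wrong in practice: the IAM admin role that must accompany Privileged Access Manager Admin depends on the level of the resource, and allow policies are inherited, so a role bound on the organization or a folder also counts on the resources below it. The following preflight check, an added example that is not Google's code, walks the policies of the ancestor chain (root first) and reports which of the page's required roles a principal still lacks. The policy dicts mirror the `bindings` list returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`; every email, group and resource in them is made up. It deliberately skips conditional bindings and does not expand group membership, which both have to be checked separately.

```python
"""Preflight check for the roles required to create, update, or delete
Privileged Access Manager entitlements at a given resource level.

Added example, not Google's own code. The policy dicts follow the shape of
`gcloud projects get-iam-policy PROJECT_ID --format=json` (a `bindings` list
of role/members pairs); every email and resource name below is made up.
"""

PAM_ADMIN = "roles/privilegedaccessmanager.admin"
SECURITY_ADMIN = "roles/iam.securityAdmin"

# The IAM-admin role that must accompany PAM Admin depends on the resource the
# entitlement is created on. Security Admin is accepted at every level.
IAM_ADMIN_FOR_LEVEL = {
    "organization": {SECURITY_ADMIN},
    "folder": {SECURITY_ADMIN, "roles/resourcemanager.folderIamAdmin"},
    "project": {SECURITY_ADMIN, "roles/resourcemanager.projectIamAdmin"},
}


def effective_roles(principal: str, ancestry_policies: list[dict]) -> set[str]:
    """Union of the unconditional roles bound to `principal` on the path from
    the organization down to the target resource.

    Allow policies are inherited, so a role granted on the organization or a
    folder also applies to the resources below it. Bindings that carry a
    condition are skipped: whether they apply is only known at request time,
    so they must not be counted as a guaranteed grant. Only exact member
    strings are matched; `group:` members are not expanded here.
    """
    roles: set[str] = set()
    for policy in ancestry_policies:
        for binding in policy.get("bindings", []):
            if "condition" in binding:
                continue
            if principal in binding.get("members", []):
                roles.add(binding["role"])
    return roles


def missing_entitlement_admin_roles(principal: str, level: str,
                                    ancestry_policies: list[dict]) -> list[str]:
    """Roles `principal` still needs to manage entitlements at `level`.

    Empty when both requirements are met: PAM Admin, and one of the IAM-admin
    roles accepted for that level.
    """
    if level not in IAM_ADMIN_FOR_LEVEL:
        raise ValueError(f"level must be one of {sorted(IAM_ADMIN_FOR_LEVEL)}")
    have = effective_roles(principal, ancestry_policies)
    missing = []
    if PAM_ADMIN not in have:
        missing.append(PAM_ADMIN)
    if not have & IAM_ADMIN_FOR_LEVEL[level]:
        missing.append(" or ".join(sorted(IAM_ADMIN_FOR_LEVEL[level])))
    return missing


# Constructed policies for an organization, a folder inside it, and a project
# inside that folder, ordered root first so that inheritance flows downwards.
ORG_POLICY = {
    "bindings": [
        {"role": SECURITY_ADMIN, "members": ["group:cloud-security@example.com"]},
    ]
}
FOLDER_POLICY = {
    "bindings": [
        {"role": PAM_ADMIN, "members": ["user:alice@example.com"]},
        {   # Expired conditional grant: present in the policy, but must not count.
            "role": "roles/resourcemanager.folderIamAdmin",
            "members": ["user:alice@example.com"],
            "condition": {
                "title": "expired",
                "expression": 'request.time < timestamp("2025-01-01T00:00:00Z")',
            },
        },
    ]
}
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/privilegedaccessmanager.viewer",
         "members": ["user:bob@example.com"]},
    ]
}


def demo() -> dict[str, list[str]]:
    """Run the check for three principals; keys are '<who>@<level>'."""
    return {
        "alice@folder": missing_entitlement_admin_roles(
            "user:alice@example.com", "folder", [ORG_POLICY, FOLDER_POLICY]),
        "bob@project": missing_entitlement_admin_roles(
            "user:bob@example.com", "project",
            [ORG_POLICY, FOLDER_POLICY, PROJECT_POLICY]),
        "security-group@organization": missing_entitlement_admin_roles(
            "group:cloud-security@example.com", "organization", [ORG_POLICY]),
    }


if __name__ == "__main__":
    for who, missing in demo().items():
        print(who, "OK" if not missing else f"missing: {missing}")
```

In the constructed data, alice holds PAM Admin on the folder but her Folder IAM Admin binding is conditional and expired, so she is reported as lacking the IAM admin half; the security group holds Security Admin on the organization but no PAM Admin, so it is reported as lacking that half. To run it against real resources, replace the three policy dicts with the output of `gcloud organizations get-iam-policy`, `gcloud resource-manager folders get-iam-policy` and `gcloud projects get-iam-policy`, and expand any group members first.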
Enable Privileged Access Manager

To enable Privileged Access Manager, you grant the Privileged Access Manager Service Agent role (`roles/privilegedaccessmanager.serviceAgent`) to the Privileged Access Manager service agent on your organization, folder, or project. To grant this role to the service agent, do the following:

1. Go to the Privileged Access Manager page in the Google Cloud console (https://console.cloud.google.com/iam-admin/pam/entitlements/).
2. Select the organization, folder, or project that you want to enable Privileged Access Manager for.
3. Click Set up PAM to start the setup process.
4. When you are prompted to grant the Privileged Access Manager Service Agent role to the Privileged Access Manager service agent (/iam/docs/service-account-types#service-agents) so that it can manage privilege escalations, click Grant role.

   Note: when you grant the role to the service agent for an organization or folder, the role is granted for all the folders and projects below them in the resource hierarchy (/resource-manager/docs/cloud-platform-resource-hierarchy). The agent can then act on every descendant resource, which is what lets a single entitlement cover a whole subtree.
5. Make sure the Privileged Access Manager service agent is not blocked by the following security controls:
   - Deny policies (/iam/docs/deny-overview): add the Privileged Access Manager service agent to the `exceptionPrincipals` field of your deny policies. Deny rules are evaluated before allow policies, so the Service Agent role on its own does not get past a deny rule that covers the agent.
   - VPC Service Controls (/vpc-service-controls/docs/overview): add the Privileged Access Manager service agent to the appropriate access levels (/access-context-manager/docs/create-basic-access-level#members-example), or add an ingress rule (/vpc-service-controls/docs/ingress-egress-rules) to the perimeter that allows the service agent.
6. Click Complete setup.
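Step 5 is where setups silently break: a deny policy that denies `setIamPolicy` to everyone except an admin group blocks the service agent even though it holds the Service Agent role, and the failure only shows up when a grant is activated. The following check, an added example that is not Google's code, takes a deny policy in the shape `gcloud iam policies get POLICY_ID --attachment-point=... --kind=denypolicies --format=json` returns and reports every deny rule that covers the service agent without exempting it, then applies the fix the page describes by adding the agent to `exceptionPrincipals`. The policy, project number, group and agent email are constructed; the form `principal://iam.googleapis.com/projects/-/serviceAccounts/EMAIL` for addressing a service account in a deny policy is an assumption of this example.

```python
"""Does an IAM deny policy block the Privileged Access Manager service agent?

Added example, not Google's own code. The policy below is constructed in the
shape of an IAM v2 deny policy as returned by
`gcloud iam policies get POLICY_ID --attachment-point=... --kind=denypolicies --format=json`;
the project number, policy name, group and agent email are made up. Assumed:
a service account is addressed in deny policies as
principal://iam.googleapis.com/projects/-/serviceAccounts/EMAIL.
"""
import copy

PUBLIC_ALL = "principalSet://goog/public:all"


def service_agent_principal(agent_email: str) -> str:
    """Deny-policy principal identifier for a service account (assumed format)."""
    return f"principal://iam.googleapis.com/projects/-/serviceAccounts/{agent_email}"


def covers(principal_ids: list[str], principal: str):
    """True if the list names `principal` directly or via public:all, False if
    it clearly does not, None if it contains a principal set (group, domain,
    project-wide set) that would have to be expanded out of band."""
    if principal in principal_ids or PUBLIC_ALL in principal_ids:
        return True
    if any(p.startswith("principalSet://") for p in principal_ids):
        return None
    return False


def blocking_rules(deny_policy: dict, agent_email: str) -> list[dict]:
    """Deny rules that apply, or may apply, to the service agent.

    A rule is reported when the agent is (or may be) among its denied
    principals and is not exempted through exceptionPrincipals. `certain` is
    True only when both sides of that test are definite; otherwise a principal
    set in the rule needs a manual look.
    """
    agent = service_agent_principal(agent_email)
    findings = []
    for index, rule in enumerate(deny_policy.get("rules", [])):
        deny = rule.get("denyRule")
        if deny is None:
            continue
        exempt = covers(deny.get("exceptionPrincipals", []), agent)
        if exempt is True:
            continue  # the fix from the setup steps is already in place
        denied = covers(deny.get("deniedPrincipals", []), agent)
        if denied is False:
            continue
        findings.append({
            "rule": index,
            "permissions": list(deny.get("deniedPermissions", [])),
            "certain": denied is True and exempt is False,
            "conditional": "denialCondition" in deny,
        })
    return findings


def exempt_agent(deny_policy: dict, agent_email: str) -> dict:
    """Copy of the policy with the agent added to exceptionPrincipals of every
    deny rule: the remediation the setup steps describe."""
    agent = service_agent_principal(agent_email)
    fixed = copy.deepcopy(deny_policy)
    for rule in fixed.get("rules", []):
        deny = rule.get("denyRule")
        if deny is None:
            continue
        exceptions = deny.setdefault("exceptionPrincipals", [])
        if agent not in exceptions:
            exceptions.append(agent)
    return fixed


AGENT_EMAIL = "service-123456789012@gcp-sa-pam.iam.gserviceaccount.com"  # made up

DENY_POLICY = {
    "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2F123456789012"
            "/denypolicies/freeze-iam",
    "rules": [
        {   # Only one admin group may change the allow policy. The exception is
            # a group, so the agent's status cannot be decided from the policy.
            "denyRule": {
                "deniedPrincipals": [PUBLIC_ALL],
                "exceptionPrincipals": ["principalSet://goog/group/iam-admins@example.com"],
                "deniedPermissions": ["cloudresourcemanager.googleapis.com/projects.setIamPolicy"],
            }
        },
        {   # Already handled as the page describes: the agent is exempted.
            "denyRule": {
                "deniedPrincipals": [PUBLIC_ALL],
                "exceptionPrincipals": [service_agent_principal(AGENT_EMAIL)],
                "deniedPermissions": ["iam.googleapis.com/serviceAccounts.actAs"],
            }
        },
        {   # Blanket deny with no exceptions at all: definitely covers the agent.
            "denyRule": {
                "deniedPrincipals": [PUBLIC_ALL],
                "deniedPermissions": ["cloudresourcemanager.googleapis.com/projects.getIamPolicy"],
            }
        },
    ],
}

if __name__ == "__main__":
    for finding in blocking_rules(DENY_POLICY, AGENT_EMAIL):
        print(finding)
    print("after fix:", blocking_rules(exempt_agent(DENY_POLICY, AGENT_EMAIL), AGENT_EMAIL))
```

The check reports rule 0 as undecidable (the exception is a group the script cannot expand) and rule 2 as a certain block; rule 1 is skipped because the agent is already listed. After `exempt_agent` no rule is reported. Whether a reported rule actually matters depends on the permissions it denies; the page does not enumerate which permissions the agent uses, so review the `permissions` field of each finding rather than exempting the agent from every rule blindly. Deny policies attached higher in the resource hierarchy are inherited, so run the check on the organization's and folder's deny policies as well as the project's.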
Allow the Privileged Access Manager email address

For email accounts and groups that receive Privileged Access Manager email notifications, add `pam-noreply@google.com` to your allow lists so that the email isn't blocked.
What's next

- Create entitlements (/iam/docs/pam-create-entitlements)

Last updated: 2025-08-28 (UTC).