Before you can create, modify, or manage Privileged Access Manager entitlements and grants, your principal must hold the appropriate permissions, and the service must be set up at the organization, folder, or project level.
Principals that request grants, or that approve or deny grants, don't need any Privileged Access Manager-specific permissions.
Before you begin
Make sure you have the Identity and Access Management (IAM) permissions needed to set up and manage Privileged Access Manager entitlements.
To get the permissions you need to work with entitlements and grants, ask your administrator to grant you the following IAM roles on the organization, folder, or project:
- To create, update, and delete entitlements for an organization: Privileged Access Manager Admin (roles/privilegedaccessmanager.admin) and Security Admin (roles/iam.securityAdmin)
- To create, update, and delete entitlements for a folder: Privileged Access Manager Admin (roles/privilegedaccessmanager.admin) and Folder IAM Admin (roles/resourcemanager.folderAdmin)
- To create, update, and delete entitlements for a project: Privileged Access Manager Admin (roles/privilegedaccessmanager.admin) and Project IAM Admin (roles/resourcemanager.projectIamAdmin)
- To view entitlements and grants: Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)
- To view audit logs: Logs Viewer (roles/logs.viewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to work with entitlements and grants. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to work with entitlements and grants:
- To enable Privileged Access Manager at the organization level:
  - privilegedaccessmanager.locations.checkOnboardingStatus
  - resourcemanager.organizations.get
  - resourcemanager.organizations.getIamPolicy
  - resourcemanager.organizations.setIamPolicy
  - serviceusage.services.enable
- To manage entitlements and grants for an organization:
  - resourcemanager.organizations.get
  - resourcemanager.organizations.setIamPolicy
  - privilegedaccessmanager.entitlements.create
  - privilegedaccessmanager.entitlements.delete
  - privilegedaccessmanager.entitlements.get
  - privilegedaccessmanager.entitlements.list
  - privilegedaccessmanager.entitlements.setIamPolicy
  - privilegedaccessmanager.grants.get
  - privilegedaccessmanager.grants.list
  - privilegedaccessmanager.grants.revoke
  - privilegedaccessmanager.operations.delete
  - privilegedaccessmanager.operations.get
  - privilegedaccessmanager.operations.list
- To view entitlements and grants for an organization:
  - resourcemanager.organizations.get
  - privilegedaccessmanager.entitlements.get
  - privilegedaccessmanager.entitlements.list
  - privilegedaccessmanager.grants.get
  - privilegedaccessmanager.grants.list
  - privilegedaccessmanager.operations.get
  - privilegedaccessmanager.operations.list
- To enable Privileged Access Manager at the folder level:
  - privilegedaccessmanager.locations.checkOnboardingStatus
  - resourcemanager.folders.get
  - resourcemanager.folders.getIamPolicy
  - resourcemanager.folders.setIamPolicy
  - serviceusage.services.enable
- To manage entitlements and grants for a folder:
  - resourcemanager.folders.get
  - resourcemanager.folders.setIamPolicy
  - privilegedaccessmanager.entitlements.create
  - privilegedaccessmanager.entitlements.delete
  - privilegedaccessmanager.entitlements.get
  - privilegedaccessmanager.entitlements.list
  - privilegedaccessmanager.entitlements.setIamPolicy
  - privilegedaccessmanager.grants.get
  - privilegedaccessmanager.grants.list
  - privilegedaccessmanager.grants.revoke
  - privilegedaccessmanager.operations.delete
  - privilegedaccessmanager.operations.get
  - privilegedaccessmanager.operations.list
- To view entitlements and grants for a folder:
  - resourcemanager.folders.get
  - privilegedaccessmanager.entitlements.get
  - privilegedaccessmanager.entitlements.list
  - privilegedaccessmanager.grants.get
  - privilegedaccessmanager.grants.list
  - privilegedaccessmanager.operations.get
  - privilegedaccessmanager.operations.list
- To enable Privileged Access Manager at the project level:
  - privilegedaccessmanager.locations.checkOnboardingStatus
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.setIamPolicy
  - serviceusage.services.enable
- To manage entitlements and grants for a project:
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy
  - privilegedaccessmanager.entitlements.create
  - privilegedaccessmanager.entitlements.delete
  - privilegedaccessmanager.entitlements.get
  - privilegedaccessmanager.entitlements.list
  - privilegedaccessmanager.entitlements.setIamPolicy
  - privilegedaccessmanager.grants.get
  - privilegedaccessmanager.grants.list
  - privilegedaccessmanager.grants.revoke
  - privilegedaccessmanager.operations.delete
  - privilegedaccessmanager.operations.get
  - privilegedaccessmanager.operations.list
- To view entitlements and grants for a project:
  - resourcemanager.projects.get
  - privilegedaccessmanager.entitlements.get
  - privilegedaccessmanager.entitlements.list
  - privilegedaccessmanager.grants.get
  - privilegedaccessmanager.grants.list
  - privilegedaccessmanager.operations.get
  - privilegedaccessmanager.operations.list
- To view audit logs: logging.logEntries.list
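The permission lists above are long enough that checking them by eye is error-prone. The following script, an added example that is not part of the Privileged Access Manager documentation, encodes the lists as data and asks the Resource Manager testIamPermissions method which of them the calling principal actually holds on a given organization, folder, or project. The v3 REST endpoint (https://cloudresourcemanager.googleapis.com/v3/{scope}/{id}:testIamPermissions) and the GOOGLE_OAUTH_ACCESS_TOKEN environment variable are assumptions of this example, not something the page states.

```python
"""Report which Privileged Access Manager permissions from the
"Required permissions" list a principal is missing (added example, not
part of the Privileged Access Manager docs).

Assumptions not stated on the page: the Resource Manager v3 endpoint
https://cloudresourcemanager.googleapis.com/v3/{scope}/{id}:testIamPermissions
and an OAuth access token in GOOGLE_OAUTH_ACCESS_TOKEN (for example the
output of `gcloud auth print-access-token`).
"""
import json
import os
import urllib.request

# Permission sets transcribed from the list above. The Privileged Access
# Manager permissions are the same at every level; only the
# resourcemanager.* permissions change with the scope.
PAM_MANAGE = [
    "privilegedaccessmanager.entitlements.create",
    "privilegedaccessmanager.entitlements.delete",
    "privilegedaccessmanager.entitlements.get",
    "privilegedaccessmanager.entitlements.list",
    "privilegedaccessmanager.entitlements.setIamPolicy",
    "privilegedaccessmanager.grants.get",
    "privilegedaccessmanager.grants.list",
    "privilegedaccessmanager.grants.revoke",
    "privilegedaccessmanager.operations.delete",
    "privilegedaccessmanager.operations.get",
    "privilegedaccessmanager.operations.list",
]
PAM_VIEW = [
    "privilegedaccessmanager.entitlements.get",
    "privilegedaccessmanager.entitlements.list",
    "privilegedaccessmanager.grants.get",
    "privilegedaccessmanager.grants.list",
    "privilegedaccessmanager.operations.get",
    "privilegedaccessmanager.operations.list",
]
SCOPES = ("organizations", "folders", "projects")


def required_permissions(scope, task):
    """Permissions the page lists for TASK ("enable", "manage" or "view")
    at SCOPE ("organizations", "folders" or "projects")."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    rm = f"resourcemanager.{scope}"
    if task == "enable":
        return [
            "privilegedaccessmanager.locations.checkOnboardingStatus",
            f"{rm}.get",
            f"{rm}.getIamPolicy",
            f"{rm}.setIamPolicy",
            "serviceusage.services.enable",
        ]
    if task == "manage":
        # Transcribed as listed on the page: setIamPolicy for
        # organizations and folders, getIamPolicy for projects.
        policy = f"{rm}.getIamPolicy" if scope == "projects" else f"{rm}.setIamPolicy"
        return [f"{rm}.get", policy, *PAM_MANAGE]
    if task == "view":
        return [f"{rm}.get", *PAM_VIEW]
    raise ValueError(f"unknown task {task!r}")


def missing_permissions(required, granted):
    """Entries of REQUIRED absent from GRANTED, the "permissions" array that
    testIamPermissions returns (the subset the caller actually holds)."""
    have = set(granted)
    return [p for p in required if p not in have]


def build_request(scope, resource_id, permissions):
    """URL and JSON body of the testIamPermissions call; no network access."""
    url = (f"https://cloudresourcemanager.googleapis.com/v3/"
           f"{scope}/{resource_id}:testIamPermissions")
    return url, json.dumps({"permissions": permissions}).encode()


def check_live(scope, resource_id, task):
    """Run the check against the API and return the missing permissions."""
    token = os.environ["GOOGLE_OAUTH_ACCESS_TOKEN"]
    required = required_permissions(scope, task)
    url, body = build_request(scope, resource_id, required)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        granted = json.load(resp).get("permissions", [])
    return missing_permissions(required, granted)


if __name__ == "__main__":
    # Constructed response: a principal that holds only Privileged Access
    # Manager Viewer on a project, asked about the "manage" set.
    viewer_only = ["resourcemanager.projects.get", *PAM_VIEW]
    print(missing_permissions(required_permissions("projects", "manage"), viewer_only))
```

To run it against a real resource, call for example `check_live("projects", "my-project", "manage")` with the token variable set. testIamPermissions is read-only and reports the permissions that are effective on that resource, including ones inherited from the folder or organization, so an empty result means the principal can perform the task there regardless of where the role was granted.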
Enable Privileged Access Manager
To enable Privileged Access Manager, you grant the Privileged Access Manager Service Agent role to the Privileged Access Manager service agent for the organization, folder, or project.
To grant this role to the service agent, do the following:
Go to the Privileged Access Manager page.
Select the organization, folder, or project for which you want to enable Privileged Access Manager.
Click Set up PAM to start the setup process.
To grant the Privileged Access Manager service agent the Privileged Access Manager Service Agent role, which lets it manage privilege elevations, click Grant role.
Make sure the Privileged Access Manager service agent is added to the following security controls:
- Deny policies: add the Privileged Access Manager service agent to the policy's exceptionPrincipals field.
- VPC Service Controls: add the Privileged Access Manager service agent to an appropriate access level, or add an ingress rule to the perimeter that allows the service agent.
Click Finish setup.
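A deny policy that blocks IAM changes on the resource also blocks the service agent, which then cannot add or remove the temporary bindings that grants rely on. The script below, an added example rather than code from the Privileged Access Manager documentation, takes a deny policy as exported by `gcloud iam policies get` and adds the service agent to the exceptionPrincipals field of every deny rule, leaving the rule's original denied principals and permissions intact. The sample policy is constructed for illustration; the service-agent address service-PROJECT_NUMBER@gcp-sa-pam.iam.gserviceaccount.com and the principal://iam.googleapis.com/projects/-/serviceAccounts/... identifier format are assumptions to verify against the IAM deny-policy reference for your resource.

```python
"""Exempt the Privileged Access Manager service agent from an IAM deny
policy by adding it to exceptionPrincipals (added example, not part of
the Privileged Access Manager docs).

Assumptions: the service agent address below and the deny-policy (v2)
principal identifier format are taken from general IAM knowledge, not
from this page; check them against the deny-policy reference.
"""
import copy
import json

# Constructed deny policy in the shape `gcloud iam policies get` returns:
# nobody may change IAM bindings on project my-project. The service agent
# is not exempted, so Privileged Access Manager grants would fail.
DENY_POLICY = {
    "name": "policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/block-iam-changes",
    "rules": [
        {
            "denyRule": {
                "deniedPrincipals": ["principalSet://goog/public:all"],
                "deniedPermissions": [
                    "cloudresourcemanager.googleapis.com/projects.setIamPolicy"
                ],
            }
        }
    ],
}


def service_agent_principal(sa_email):
    """Deny-policy (v2) identifier for a service account (assumed format)."""
    return f"principal://iam.googleapis.com/projects/-/serviceAccounts/{sa_email}"


def exempt_service_agent(policy, sa_email):
    """Copy of POLICY in which every deny rule lists SA_EMAIL in
    exceptionPrincipals. Idempotent: a second run changes nothing."""
    principal = service_agent_principal(sa_email)
    updated = copy.deepcopy(policy)
    for rule in updated.get("rules", []):
        deny = rule.get("denyRule")
        if deny is None:
            continue
        exceptions = deny.setdefault("exceptionPrincipals", [])
        if principal not in exceptions:
            exceptions.append(principal)
    return updated


def is_exempt(policy, sa_email):
    """True when every deny rule in POLICY exempts SA_EMAIL."""
    principal = service_agent_principal(sa_email)
    rules = [r["denyRule"] for r in policy.get("rules", []) if "denyRule" in r]
    return all(principal in d.get("exceptionPrincipals", []) for d in rules)


if __name__ == "__main__":
    # Project-level service agent address (assumed format; PROJECT_NUMBER
    # is the numeric project number, constructed here).
    agent = "service-123456789012@gcp-sa-pam.iam.gserviceaccount.com"
    fixed = exempt_service_agent(DENY_POLICY, agent)
    print(json.dumps(fixed, indent=2))
```

Save the printed policy to a file and apply it with `gcloud iam policies update` using `--kind=denypolicies` and `--policy-file`; the is_exempt check is useful as a guard in a policy linter before any deny policy is applied to a resource where Privileged Access Manager is enabled.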
Allowlist the Privileged Access Manager email address
For email accounts and groups that receive Privileged Access Manager email notifications, add pam-noreply@google.com to the allowlist so that the emails aren't blocked.