Privileged Access Manager roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Privileged Access Manager. To search through all roles and permissions, see the role and permission index.

Privileged Access Manager roles

Role Permissions

Role	Permissions
Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Full access to Privileged Access Manager resources.	`privilegedaccessmanager.*` `privilegedaccessmanager.entitlements.create` `privilegedaccessmanager.entitlements.delete` `privilegedaccessmanager.entitlements.get` `privilegedaccessmanager.entitlements.list` `privilegedaccessmanager.entitlements.setIamPolicy` `privilegedaccessmanager.entitlements.update` `privilegedaccessmanager.grants.get` `privilegedaccessmanager.grants.list` `privilegedaccessmanager.grants.revoke` `privilegedaccessmanager.locations.checkOnboardingStatus` `privilegedaccessmanager.locations.get` `privilegedaccessmanager.locations.list` `privilegedaccessmanager.operations.delete` `privilegedaccessmanager.operations.get` `privilegedaccessmanager.operations.list` `resourcemanager.projects.get`
Privileged Access Manager Folder Service Agent (`roles/privilegedaccessmanager.folderServiceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP folders Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.folders.get` `resourcemanager.folders.getIamPolicy` `resourcemanager.folders.setIamPolicy`
Privileged Access Manager Organization Service Agent (`roles/privilegedaccessmanager.organizationServiceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP organizations Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.organizations.get` `resourcemanager.organizations.getIamPolicy` `resourcemanager.organizations.setIamPolicy`
Privileged Access Manager Project Service Agent (`roles/privilegedaccessmanager.projectServiceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP projects Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `resourcemanager.projects.setIamPolicy`
Privileged Access Manager Service Agent (`roles/privilegedaccessmanager.serviceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP resources Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.folders.get` `resourcemanager.folders.getIamPolicy` `resourcemanager.folders.setIamPolicy` `resourcemanager.organizations.get` `resourcemanager.organizations.getIamPolicy` `resourcemanager.organizations.setIamPolicy` `resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `resourcemanager.projects.setIamPolicy`
Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Readonly access to Privileged Access Manager resources.	`privilegedaccessmanager.entitlements.get` `privilegedaccessmanager.entitlements.list` `privilegedaccessmanager.grants.get` `privilegedaccessmanager.grants.list` `privilegedaccessmanager.locations.get` `privilegedaccessmanager.locations.list` `privilegedaccessmanager.operations.get` `privilegedaccessmanager.operations.list` `resourcemanager.projects.get`

Privileged Access Manager Admin

(roles/privilegedaccessmanager.admin)

Full access to Privileged Access Manager resources.

privilegedaccessmanager.*

privilegedaccessmanager.entitlements.create
privilegedaccessmanager.entitlements.delete
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.entitlements.update
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.grants.revoke
privilegedaccessmanager.locations.checkOnboardingStatus
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.delete
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list

resourcemanager.projects.get

Privileged Access Manager Folder Service Agent

(roles/privilegedaccessmanager.folderServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP folders

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

Privileged Access Manager Organization Service Agent

(roles/privilegedaccessmanager.organizationServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP organizations

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

Privileged Access Manager Project Service Agent

(roles/privilegedaccessmanager.projectServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP projects

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Privileged Access Manager Service Agent

(roles/privilegedaccessmanager.serviceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP resources

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Privileged Access Manager Viewer

(roles/privilegedaccessmanager.viewer)

Readonly access to Privileged Access Manager resources.

privilegedaccessmanager.entitlements.get

privilegedaccessmanager.entitlements.list

privilegedaccessmanager.grants.get

privilegedaccessmanager.grants.list

privilegedaccessmanager.locations.get

privilegedaccessmanager.locations.list

privilegedaccessmanager.operations.get

privilegedaccessmanager.operations.list

resourcemanager.projects.get

Privileged Access Manager permissions

Permission	Included in roles
`privilegedaccessmanager.entitlements.create`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.entitlements.delete`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.entitlements.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.entitlements.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.entitlements.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.entitlements.update`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.grants.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.grants.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.grants.revoke`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.locations.checkOnboardingStatus`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.operations.delete`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)

Privileged Access Manager roles and permissions
Stay organized with collections Save and categorize content based on your preferences.