Privileged Access Manager 角色和权限

本页面列出了 Privileged Access Manager 的 IAM 角色和权限。如需搜索所有角色和权限，请参阅角色和权限索引。

Privileged Access Manager 角色

Role Permissions

Role	Permissions
Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Full access to Privileged Access Manager resources.	`privilegedaccessmanager.*` `privilegedaccessmanager.entitlements.create` `privilegedaccessmanager.entitlements.delete` `privilegedaccessmanager.entitlements.get` `privilegedaccessmanager.entitlements.list` `privilegedaccessmanager.entitlements.setIamPolicy` `privilegedaccessmanager.entitlements.update` `privilegedaccessmanager.grants.get` `privilegedaccessmanager.grants.list` `privilegedaccessmanager.grants.revoke` `privilegedaccessmanager.locations.checkOnboardingStatus` `privilegedaccessmanager.locations.get` `privilegedaccessmanager.locations.list` `privilegedaccessmanager.operations.delete` `privilegedaccessmanager.operations.get` `privilegedaccessmanager.operations.list` `resourcemanager.projects.get`
Privileged Access Manager Folder Service Agent (`roles/privilegedaccessmanager.folderServiceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP folders Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.folders.get` `resourcemanager.folders.getIamPolicy` `resourcemanager.folders.setIamPolicy`
Privileged Access Manager Organization Service Agent (`roles/privilegedaccessmanager.organizationServiceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP organizations Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.organizations.get` `resourcemanager.organizations.getIamPolicy` `resourcemanager.organizations.setIamPolicy`
Privileged Access Manager Project Service Agent (`roles/privilegedaccessmanager.projectServiceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP projects Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `resourcemanager.projects.setIamPolicy`
Privileged Access Manager Service Agent (`roles/privilegedaccessmanager.serviceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP resources Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.folders.get` `resourcemanager.folders.getIamPolicy` `resourcemanager.folders.setIamPolicy` `resourcemanager.organizations.get` `resourcemanager.organizations.getIamPolicy` `resourcemanager.organizations.setIamPolicy` `resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `resourcemanager.projects.setIamPolicy`
Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Readonly access to Privileged Access Manager resources.	`privilegedaccessmanager.entitlements.get` `privilegedaccessmanager.entitlements.list` `privilegedaccessmanager.grants.get` `privilegedaccessmanager.grants.list` `privilegedaccessmanager.locations.get` `privilegedaccessmanager.locations.list` `privilegedaccessmanager.operations.get` `privilegedaccessmanager.operations.list` `resourcemanager.projects.get`

Privileged Access Manager Admin

(roles/privilegedaccessmanager.admin)

Full access to Privileged Access Manager resources.

privilegedaccessmanager.*

privilegedaccessmanager.entitlements.create
privilegedaccessmanager.entitlements.delete
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.entitlements.update
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.grants.revoke
privilegedaccessmanager.locations.checkOnboardingStatus
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.delete
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list

resourcemanager.projects.get

Privileged Access Manager Folder Service Agent

(roles/privilegedaccessmanager.folderServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP folders

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

Privileged Access Manager Organization Service Agent

(roles/privilegedaccessmanager.organizationServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP organizations

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

Privileged Access Manager Project Service Agent

(roles/privilegedaccessmanager.projectServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP projects

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Privileged Access Manager Service Agent

(roles/privilegedaccessmanager.serviceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP resources

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Privileged Access Manager Viewer

(roles/privilegedaccessmanager.viewer)

Readonly access to Privileged Access Manager resources.

privilegedaccessmanager.entitlements.get

privilegedaccessmanager.entitlements.list

privilegedaccessmanager.grants.get

privilegedaccessmanager.grants.list

privilegedaccessmanager.locations.get

privilegedaccessmanager.locations.list

privilegedaccessmanager.operations.get

privilegedaccessmanager.operations.list

resourcemanager.projects.get

Privileged Access Manager 权限

权限	以下角色拥有此权限
`privilegedaccessmanager.entitlements.create`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.entitlements.delete`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.entitlements.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.entitlements.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.entitlements.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.entitlements.update`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.grants.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.grants.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.grants.revoke`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.locations.checkOnboardingStatus`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.operations.delete`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)
`privilegedaccessmanager.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`)

Privileged Access Manager 角色和权限