This document describes best practices for using Privileged Access Manager to control just-in-time temporary privilege elevation with Identity and Access Management (IAM).
Manage IAM policy size
Privileged Access Manager grants time-bound access by adding a conditional IAM role binding to a resource's policy. Each active Privileged Access Manager grant consumes space and counts toward your standard IAM policy size limits. For more information, see IAM quotas and limits.
If a resource's IAM policy reaches its maximum size, new Privileged Access Manager grant requests for that resource fail until you free space in the policy.
If you are approaching or have reached the IAM policy size limit, then you can do the following:
Revoke existing grants
Revoke active Privileged Access Manager grants that are no longer needed to remove their corresponding IAM binding from the policy and free up space. For instructions, see Revoke grants.
Optimize your Privileged Access Manager setup
To optimize your Privileged Access Manager entitlements and reduce the space each grant consumes in an IAM policy, do the following:
Consolidate roles within entitlements:
- Consolidate multiple predefined roles into fewer custom roles to reduce the space consumed.
- Use a single broader role, for example, roles/reader, instead of multiple service-specific reader roles.
- Remove redundant roles and overlapping permissions. For example, if all permissions in Role A are also in Role B, remove Role A from the entitlement.
Reduce the number and complexity of IAM conditions:
- If you use a list of multiple resource names in OR conditions, consider using a tag condition instead.
- For grants using scope customization, don't use resource-name-based filters.
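The checklist above can be applied mechanically to an entitlement's role bindings before it is created. The following script is an added example, not Google's or Privileged Access Manager's own code: it takes a list of role bindings (each a role plus an optional IAM condition expression), flags roles whose permissions are a strict subset of another role granted under the same condition, flags conditions that enumerate several resource names in an OR chain as candidates for a tag condition, and estimates how many bytes dropping the redundant bindings saves. The role-to-permission map, the three sample bindings and the bucket names are constructed; the byte counts are compact-JSON sizes used only as a relative estimate, not IAM's exact policy-size accounting.

```python
"""Audit a Privileged Access Manager entitlement's role bindings for the
optimizations above: redundant roles, OR-chains of resource names that a
tag condition could replace, and the relative policy bytes each change saves.
Added example; not Google's code. The role->permission map and the sample
entitlement are constructed; byte counts are json.dumps sizes used as a
relative estimate, not IAM's exact policy-size accounting."""
import json
import re
from typing import Dict, List, Optional, Set

# Constructed, hypothetical permission sets. Real ones come from
# `gcloud iam roles describe ROLE`.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
    "roles/pubsub.viewer": {"pubsub.topics.get", "pubsub.topics.list"},
}

# One `resource.name == "..."` clause inside a CEL condition expression.
RESOURCE_NAME_CLAUSE = re.compile(r'resource\.name\s*==\s*"[^"]+"')

# Constructed sample: three role bindings from one entitlement. Two of them
# list the same three buckets in an OR chain, and objectViewer adds nothing
# that objectAdmin does not already grant under the same condition.
BUCKET_CHAIN = (
    'resource.name == "projects/_/buckets/logs-a" || '
    'resource.name == "projects/_/buckets/logs-b" || '
    'resource.name == "projects/_/buckets/logs-c"'
)
SAMPLE_ROLE_BINDINGS: List[dict] = [
    {"role": "roles/storage.objectViewer", "conditionExpression": BUCKET_CHAIN},
    {"role": "roles/storage.objectAdmin", "conditionExpression": BUCKET_CHAIN},
    {"role": "roles/pubsub.viewer"},  # unconditional
]


def resource_name_clauses(condition: Optional[str]) -> int:
    """Count resource.name equality clauses; more than one means the binding
    enumerates resources by name and is a candidate for a tag condition."""
    return len(RESOURCE_NAME_CLAUSE.findall(condition or ""))


def redundant_bindings(role_bindings: List[dict]) -> Dict[str, str]:
    """Return {redundant_role: covering_role}. A binding is redundant only when
    another binding grants a strict superset of its permissions under the
    same condition, or unconditionally; a superset role scoped by a different
    condition does not cover it, so it is kept."""
    found: Dict[str, str] = {}
    for a in role_bindings:
        for b in role_bindings:
            if a is b:
                continue
            perms_a = ROLE_PERMISSIONS.get(a["role"])
            perms_b = ROLE_PERMISSIONS.get(b["role"])
            if perms_a is None or perms_b is None:
                continue  # unknown role: never assume it is covered
            cond_b = b.get("conditionExpression")
            same_scope = cond_b is None or cond_b == a.get("conditionExpression")
            if same_scope and perms_a < perms_b:
                found[a["role"]] = b["role"]
                break
    return found


def binding_bytes(role_bindings: List[dict]) -> int:
    """Relative size estimate of the bindings as compact JSON."""
    return len(json.dumps(role_bindings, separators=(",", ":")).encode())


def audit(role_bindings: List[dict]) -> dict:
    """Apply the checklist and report what the optimizations would save."""
    redundant = redundant_bindings(role_bindings)
    tag_candidates = [rb["role"] for rb in role_bindings
                      if resource_name_clauses(rb.get("conditionExpression")) > 1]
    trimmed = [rb for rb in role_bindings if rb["role"] not in redundant]
    return {
        "redundant_roles": redundant,
        "tag_condition_candidates": tag_candidates,
        "bytes_before": binding_bytes(role_bindings),
        "bytes_after_dropping_redundant": binding_bytes(trimmed),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROLE_BINDINGS), indent=2))
```

On the sample data the audit reports roles/storage.objectViewer as covered by roles/storage.objectAdmin and marks both bucket-scoped bindings as tag-condition candidates. The same-condition check matters: a broader role that is scoped by a different condition does not make a narrower role redundant, and removing it would silently change what the grant allows.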
Grant access at the minimum required scope
Following the principle of least privilege, set up Privileged Access Manager entitlements to grant access at the narrowest possible scope. For example, if a user only needs access to a single Cloud Storage bucket in a project, then grant access to that bucket instead of the entire project, folder, or organization.
What's next
- Learn more about IAM quotas and limits.
- Learn more about custom roles.
- Learn how to use tags for access control.