Privileged Access Manager roles and permissions

This page lists the IAM roles and permissions for Privileged Access Manager. To search through all roles and permissions, see the role and permission index.

Privileged Access Manager roles

Role Permissions

Role	Permissions
Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Full access to Privileged Access Manager resources.	`privilegedaccessmanager.entitlements.` `privilegedaccessmanager.entitlements.create` `privilegedaccessmanager.entitlements.delete` `privilegedaccessmanager.entitlements.get` `privilegedaccessmanager.entitlements.list` `privilegedaccessmanager.entitlements.setIamPolicy` `privilegedaccessmanager.entitlements.update` `privilegedaccessmanager.grants.` `privilegedaccessmanager.grants.get` `privilegedaccessmanager.grants.list` `privilegedaccessmanager.grants.revoke` `privilegedaccessmanager.locations.` `privilegedaccessmanager.locations.checkOnboardingStatus` `privilegedaccessmanager.locations.get` `privilegedaccessmanager.locations.list` `privilegedaccessmanager.operations.` `privilegedaccessmanager.operations.delete` `privilegedaccessmanager.operations.get` `privilegedaccessmanager.operations.list` `privilegedaccessmanager.settings.fetchEffective` `privilegedaccessmanager.settings.get` `resourcemanager.projects.get`
Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Editor role for privilegedaccessmanager	`privilegedaccessmanager.entitlements.get` `privilegedaccessmanager.entitlements.list` `privilegedaccessmanager.grants.get` `privilegedaccessmanager.grants.list` `privilegedaccessmanager.locations.get` `privilegedaccessmanager.locations.list` `privilegedaccessmanager.operations.get` `privilegedaccessmanager.operations.list` `privilegedaccessmanager.settings.fetchEffective` `privilegedaccessmanager.settings.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Readonly access to Privileged Access Manager resources.	`privilegedaccessmanager.entitlements.get` `privilegedaccessmanager.entitlements.list` `privilegedaccessmanager.grants.get` `privilegedaccessmanager.grants.list` `privilegedaccessmanager.locations.get` `privilegedaccessmanager.locations.list` `privilegedaccessmanager.operations.get` `privilegedaccessmanager.operations.list` `privilegedaccessmanager.settings.fetchEffective` `privilegedaccessmanager.settings.get` `resourcemanager.projects.get`
Privileged Access Manager Settings Admin ^Beta (`roles/privilegedaccessmanager.settingsAdmin`) Administrator of Privileged Access Manager Settings.	`privilegedaccessmanager.operations.get` `privilegedaccessmanager.settings.*` `privilegedaccessmanager.settings.fetchEffective` `privilegedaccessmanager.settings.get` `privilegedaccessmanager.settings.update`
Privileged Access Manager Settings Viewer ^Beta (`roles/privilegedaccessmanager.settingsViewer`) Readonly access to Privileged Access Manager Settings & Effective Settings.	`privilegedaccessmanager.settings.fetchEffective` `privilegedaccessmanager.settings.get`

Privileged Access Manager Admin

(roles/privilegedaccessmanager.admin)

Full access to Privileged Access Manager resources.

privilegedaccessmanager.entitlements.*

privilegedaccessmanager.entitlements.create
privilegedaccessmanager.entitlements.delete
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.entitlements.setIamPolicy
privilegedaccessmanager.entitlements.update

privilegedaccessmanager.grants.*

privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.grants.revoke

privilegedaccessmanager.locations.*

privilegedaccessmanager.locations.checkOnboardingStatus
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list

privilegedaccessmanager.operations.*

privilegedaccessmanager.operations.delete
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list

privilegedaccessmanager.settings.fetchEffective

privilegedaccessmanager.settings.get

resourcemanager.projects.get

Privilegedaccessmanager Editor

(roles/privilegedaccessmanager.editor)

Editor role for privilegedaccessmanager

privilegedaccessmanager.entitlements.get

privilegedaccessmanager.entitlements.list

privilegedaccessmanager.grants.get

privilegedaccessmanager.grants.list

privilegedaccessmanager.locations.get

privilegedaccessmanager.locations.list

privilegedaccessmanager.operations.get

privilegedaccessmanager.operations.list

privilegedaccessmanager.settings.fetchEffective

privilegedaccessmanager.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

Privileged Access Manager Viewer

(roles/privilegedaccessmanager.viewer)

Readonly access to Privileged Access Manager resources.

privilegedaccessmanager.entitlements.get

privilegedaccessmanager.entitlements.list

privilegedaccessmanager.grants.get

privilegedaccessmanager.grants.list

privilegedaccessmanager.locations.get

privilegedaccessmanager.locations.list

privilegedaccessmanager.operations.get

privilegedaccessmanager.operations.list

privilegedaccessmanager.settings.fetchEffective

privilegedaccessmanager.settings.get

resourcemanager.projects.get

Privileged Access Manager Settings Admin ^Beta

(roles/privilegedaccessmanager.settingsAdmin)

Administrator of Privileged Access Manager Settings.

privilegedaccessmanager.operations.get

privilegedaccessmanager.settings.*

privilegedaccessmanager.settings.fetchEffective
privilegedaccessmanager.settings.get
privilegedaccessmanager.settings.update

Privileged Access Manager Settings Viewer ^Beta

(roles/privilegedaccessmanager.settingsViewer)

Readonly access to Privileged Access Manager Settings & Effective Settings.

privilegedaccessmanager.settings.fetchEffective

privilegedaccessmanager.settings.get

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

Role	Permissions
Privileged Access Manager Folder Service Agent (`roles/privilegedaccessmanager.folderServiceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP folders Warning: Do not grant service agent roles to any principals except service agents.	`resourcemanager.folders.get` `resourcemanager.folders.getIamPolicy` `resourcemanager.folders.setIamPolicy`
Privileged Access Manager Organization Service Agent (`roles/privilegedaccessmanager.organizationServiceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP organizations Warning: Do not grant service agent roles to any principals except service agents.	`iam.roles.get` `resourcemanager.organizations.get` `resourcemanager.organizations.getIamPolicy` `resourcemanager.organizations.setIamPolicy`
Privileged Access Manager Project Service Agent (`roles/privilegedaccessmanager.projectServiceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP projects Warning: Do not grant service agent roles to any principals except service agents.	`iam.roles.get` `resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `resourcemanager.projects.setIamPolicy`
Privileged Access Manager Service Agent (`roles/privilegedaccessmanager.serviceAgent`) Gives privileged access manager service account access to modify IAM policies on GCP resources Warning: Do not grant service agent roles to any principals except service agents.	`iam.roles.get` `resourcemanager.folders.get` `resourcemanager.folders.getIamPolicy` `resourcemanager.folders.setIamPolicy` `resourcemanager.organizations.get` `resourcemanager.organizations.getIamPolicy` `resourcemanager.organizations.setIamPolicy` `resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `resourcemanager.projects.setIamPolicy`

Privileged Access Manager Folder Service Agent

(roles/privilegedaccessmanager.folderServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP folders

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

Privileged Access Manager Organization Service Agent

(roles/privilegedaccessmanager.organizationServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP organizations

iam.roles.get

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

Privileged Access Manager Project Service Agent

(roles/privilegedaccessmanager.projectServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP projects

iam.roles.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Privileged Access Manager Service Agent

(roles/privilegedaccessmanager.serviceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP resources

iam.roles.get

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Privileged Access Manager permissions

Permission	Included in roles
`privilegedaccessmanager.entitlements.create`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.entitlements.delete`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.entitlements.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Support User (`roles/iam.supportUser`)
`privilegedaccessmanager.entitlements.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`privilegedaccessmanager.entitlements.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.entitlements.update`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.grants.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Support User (`roles/iam.supportUser`)
`privilegedaccessmanager.grants.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`privilegedaccessmanager.grants.revoke`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.locations.checkOnboardingStatus`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Support User (`roles/iam.supportUser`)
`privilegedaccessmanager.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`privilegedaccessmanager.operations.delete`	Owner (`roles/owner`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`)
`privilegedaccessmanager.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Support User (`roles/iam.supportUser`) Privileged Access Manager Settings Admin (`roles/privilegedaccessmanager.settingsAdmin`)
`privilegedaccessmanager.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`privilegedaccessmanager.settings.fetchEffective`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Support User (`roles/iam.supportUser`) Privileged Access Manager Settings Admin (`roles/privilegedaccessmanager.settingsAdmin`) Privileged Access Manager Settings Viewer (`roles/privilegedaccessmanager.settingsViewer`)
`privilegedaccessmanager.settings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Privileged Access Manager Admin (`roles/privilegedaccessmanager.admin`) Privilegedaccessmanager Editor (`roles/privilegedaccessmanager.editor`) Privileged Access Manager Viewer (`roles/privilegedaccessmanager.viewer`) Support User (`roles/iam.supportUser`) Privileged Access Manager Settings Admin (`roles/privilegedaccessmanager.settingsAdmin`) Privileged Access Manager Settings Viewer (`roles/privilegedaccessmanager.settingsViewer`)
`privilegedaccessmanager.settings.update`	Privileged Access Manager Settings Admin (`roles/privilegedaccessmanager.settingsAdmin`)

Privileged Access Manager roles and permissions