Configure Privileged Access Manager settings
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
As a Privileged Access Manager settings administrator, you can configure some additional settings for the approval workflow and notification preferences.
The settings that you configure at the organization or folder level are automatically applied to their child resources, unless you explicitly override the settings at the child resource level.
You can enable service accounts as eligible approvers. This setting lets administrators add service accounts and identities in workload identity pools as approvers when creating or modifying an entitlement.
You can customize resource-wide notification preferences for various Privileged Access Manager events by selectively disabling notifications for specific events and specific personas, or by disabling all notifications.
Before you begin
To get the permissions that you need to configure Privileged Access Manager settings, ask your administrator to grant you the following IAM roles:
- Configure settings for your project, folder, or organization: PAM Settings Admin (roles/privilegedaccessmanager.settingsAdmin) on your organization
- View settings for your project, folder, or organization: PAM Settings Viewer (roles/privilegedaccessmanager.settingsViewer) on your project, folder, or organization
These predefined roles contain the permissions required to configure Privileged Access Manager settings. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to configure Privileged Access Manager settings:
- Configure settings: privilegedaccessmanager.settings.update
- View settings: privilegedaccessmanager.settings.get, privilegedaccessmanager.settings.fetchEffective
Enable service accounts as approvers
Console
Go to the Privileged Access Manager page.
Select the organization, folder, or project.
Click the Settings tab. In the Settings source section, Inherit from parent is selected by default.
To override settings inherited from the parent resource on a child resource, in the Service account as approver section, select Override inheritance.
To enable the service account as approver setting, turn on the Enable Service Account As Approver toggle and click Save.
Note: If you disable this setting, grants that require approvals from service accounts won't get approved. If your entitlements have only service accounts as approvers, then those entitlements won't be effective.
gcloud
The gcloud alpha pam settings update command configures additional Privileged Access Manager settings.
Before using any of the command data below, make the following replacements:
RESOURCE_TYPE: Optional. The resource type that you want to update the settings for. Use the value organization, folder, or project.
RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
SA_AS_APPROVER: A boolean value in the serviceAccountApproverSettings field that indicates whether service accounts are allowed to approve grants. The default value is false.
- If you specify the serviceAccountApproverSettings field with a value, then that setting is applied to your resource.
- If you specify the serviceAccountApproverSettings field but leave it empty, then the default settings are applied to your resource.
- If you don't specify the serviceAccountApproverSettings field at all, then your resource inherits the settings from the parent resource.
If you disable this setting, the grants that require approvals from service accounts won't get approved. If your entitlements have only service accounts as approvers, those entitlements won't be effective.
request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the ETAG in the body to update the latest version of the settings.
Save the following content in a file called filename.yaml:
emailNotificationSettings:
  customNotificationBehavior:
    adminNotifications:
      grantActivated: NOTIFICATION_MODE_1
      grantActivationFailed: DISABLED
      grantEnded: ENABLED
      grantExternallyModified: ENABLED
    approverNotifications:
      pendingApproval: NOTIFICATION_MODE_2
    requesterNotifications:
      entitlementAssigned: ENABLED
      grantActivated: ENABLED
      grantExpired: NOTIFICATION_MODE_3
      grantRevoked: ENABLED
etag: '"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md"'
name: RESOURCE_TYPE/RESOURCE_ID/locations/global/settings
serviceAccountApproverSettings:
  enabled: SA_AS_APPROVER
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud alpha pam settings update \
  --location=global \
  --RESOURCE_TYPE=RESOURCE_ID \
  --settings-file FILENAME.yaml
Windows (PowerShell)
gcloud alpha pam settings update `
  --location=global `
  --RESOURCE_TYPE=RESOURCE_ID `
  --settings-file FILENAME.yaml
Windows (cmd.exe)
gcloud alpha pam settings update ^
  --location=global ^
  --RESOURCE_TYPE=RESOURCE_ID ^
  --settings-file FILENAME.yaml
You should receive a response similar to the following:
Parsed [location] resource: RESOURCE_TYPE/RESOURCE_ID/locations/global
Request issued for: [global]
Updated location [global].
createTime: '2025-05-18T10:10:10.101010101Z'
emailNotificationSettings:
  customNotificationBehavior:
    adminNotifications:
      grantActivated: ENABLED
      grantActivationFailed: DISABLED
      grantEnded: ENABLED
      grantExternallyModified: ENABLED
    approverNotifications:
      pendingApproval: ENABLED
    requesterNotifications:
      entitlementAssigned: ENABLED
      grantActivated: ENABLED
      grantExpired: ENABLED
      grantRevoked: ENABLED
etag: "ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md1"
name: RESOURCE_TYPE/RESOURCE_ID/locations/global/settings
serviceAccountApproverSettings:
  enabled: true
updateTime: '2025-05-18T10:10:40.101010101Z'
REST
The Privileged Access Manager API's updateSettings method configures additional Privileged Access Manager settings.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that you want to update the settings for, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
UPDATED_FIELDS: A comma-separated list of fields that need to be updated in the settings. For example, emailNotificationSettings,serviceAccountApproverSettings. To update all fields that can be modified, set the update mask to *.
SA_AS_APPROVER: A boolean value in the serviceAccountApproverSettings field that indicates whether service accounts are allowed to approve grants. The default value is false.
- If you specify the serviceAccountApproverSettings field with a value, then that setting is applied to your resource.
- If you specify the serviceAccountApproverSettings field but leave it empty, then the default settings are applied to your resource.
- If you don't specify the serviceAccountApproverSettings field at all, then your resource inherits the settings from the parent resource.
If you disable this setting, the grants that require approvals from service accounts won't be approved. If your entitlements have only service accounts as approvers, those entitlements aren't effective.
request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the ETAG in the body to update the latest version of the settings.
HTTP method and URL:
PATCH https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS
Request JSON body:
{
  "emailNotificationSettings": {
    "customNotificationBehavior": {
      "adminNotifications": {
        "grantActivated": "NOTIFICATION_MODE_1",
        "grantActivationFailed": "DISABLED",
        "grantEnded": "ENABLED",
        "grantExternallyModified": "ENABLED"
      },
      "approverNotifications": {
        "pendingApproval": "NOTIFICATION_MODE_2"
      },
      "requesterNotifications": {
        "entitlementAssigned": "ENABLED",
        "grantActivated": "ENABLED",
        "grantExpired": "NOTIFICATION_MODE_3",
        "grantRevoked": "ENABLED"
      }
    }
  },
  "etag": "\"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md\"",
  "name": "SCOPE/locations/global/settings",
  "serviceAccountApproverSettings": {
    "enabled": SA_AS_APPROVER
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "name": "SCOPE/locations/global/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1beta.OperationMetadata",
    "createTime": "2024-03-25T01:55:02.544562950Z",
    "target": "SCOPE/locations/global/settings",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1beta"
  },
  "done": false
}
To check on the progress of an update operation, you can send a GET request to the following endpoint:
https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations/OPERATION_ID
Send a GET request to the following endpoint to list all operations:
https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations
Terraform
You can use Terraform to configure Privileged Access Manager settings. For more information, see google_privileged_access_manager_settings in the Terraform documentation.
Customize notification preferences
Console
Go to the Privileged Access Manager page.
Select the organization, folder, or project.
Click the Settings tab.
In the Notifications section, Inherit from parent is selected by default.
The following table shows the default notification preferences:
Event                            Admin   Requester   Approver
Entitlement assigned             -       ✓           -
Grant requires approval          -       -           ✓
Grants are activated             ✓       ✓           -
Grants are denied                -       ✓           -
Grants are expired               -       ✓           -
Grants have ended                ✓       ✓           -
Grants are revoked               -       ✓           -
Grants are externally modified   ✓       ✓           -
Grants activation failed         ✓       ✓           -
To override settings inheritance from the parent, turn on the Send notifications for the following events toggle.
To disable notifications for the required PAM event and persona, clear the corresponding checkboxes, and click Save.
To disable all the notifications, clear Send notifications for the following events, and click Save.
gcloud
The gcloud alpha pam settings update command configures additional Privileged Access Manager settings.
Before using any of the command data below, make the following replacements:
RESOURCE_TYPE: Optional. The resource type that you want to update the settings for. Use the value organization, folder, or project.
RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
NOTIFICATION_MODE: In the emailNotificationSettings field, use ENABLED to send notification emails for the event, or DISABLED to prevent them.
- If you specify the emailNotificationSettings field with a value, then that setting is applied to your resource.
- If you specify the emailNotificationSettings field but leave it empty, then the default settings are applied to your resource.
- If you don't specify the emailNotificationSettings field at all, then your resource inherits the settings from the parent resource.
request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the ETAG in the body to update the latest version of the settings.
Save the following content in a file called filename.yaml:
emailNotificationSettings:
  customNotificationBehavior:
    adminNotifications:
      grantActivated: NOTIFICATION_MODE_1
      grantActivationFailed: DISABLED
      grantEnded: ENABLED
      grantExternallyModified: ENABLED
    approverNotifications:
      pendingApproval: NOTIFICATION_MODE_2
    requesterNotifications:
      entitlementAssigned: ENABLED
      grantActivated: ENABLED
      grantExpired: NOTIFICATION_MODE_3
      grantRevoked: ENABLED
etag: '"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md"'
name: RESOURCE_TYPE/RESOURCE_ID/locations/global/settings
serviceAccountApproverSettings:
  enabled: SA_AS_APPROVER
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud alpha pam settings update \
  --location=global \
  --RESOURCE_TYPE=RESOURCE_ID \
  --settings-file FILENAME.yaml
Windows (PowerShell)
gcloud alpha pam settings update `
  --location=global `
  --RESOURCE_TYPE=RESOURCE_ID `
  --settings-file FILENAME.yaml
Windows (cmd.exe)
gcloud alpha pam settings update ^
  --location=global ^
  --RESOURCE_TYPE=RESOURCE_ID ^
  --settings-file FILENAME.yaml
You should receive a response similar to the following:
Parsed [location] resource: RESOURCE_TYPE/RESOURCE_ID/locations/global
Request issued for: [global]
Updated location [global].
createTime: '2025-05-18T10:10:10.101010101Z'
emailNotificationSettings:
  customNotificationBehavior:
    adminNotifications:
      grantActivated: ENABLED
      grantActivationFailed: DISABLED
      grantEnded: ENABLED
      grantExternallyModified: ENABLED
    approverNotifications:
      pendingApproval: ENABLED
    requesterNotifications:
      entitlementAssigned: ENABLED
      grantActivated: ENABLED
      grantExpired: ENABLED
      grantRevoked: ENABLED
etag: "ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md1"
name: RESOURCE_TYPE/RESOURCE_ID/locations/global/settings
serviceAccountApproverSettings:
  enabled: true
updateTime: '2025-05-18T10:10:40.101010101Z'
REST
The Privileged Access Manager API's updateSettings method configures additional Privileged Access Manager settings.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that you want to update the settings for, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
UPDATED_FIELDS: A comma-separated list of fields that need to be updated in the settings. For example, emailNotificationSettings,serviceAccountApproverSettings. To update all fields that can be modified, set the update mask to *.
NOTIFICATION_MODE: In the emailNotificationSettings field, use ENABLED to send notification emails for the event or DISABLED to prevent them.
- If you specify the emailNotificationSettings field with a value, then that setting is applied to your resource.
- If you specify the emailNotificationSettings field but leave it empty, then the default settings are applied to your resource.
- If you don't specify the emailNotificationSettings field at all, then your resource inherits the settings from the parent resource.
request.json: A file containing the modified settings. To create this file, get the existing settings, save the response in a file named request.json, and then modify it to use as the body of your update request. You must include the ETAG in the body to update the latest version of the settings.
HTTP method and URL:
PATCH https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS
Request JSON body:
{
  "emailNotificationSettings": {
    "customNotificationBehavior": {
      "adminNotifications": {
        "grantActivated": "NOTIFICATION_MODE_1",
        "grantActivationFailed": "DISABLED",
        "grantEnded": "ENABLED",
        "grantExternallyModified": "ENABLED"
      },
      "approverNotifications": {
        "pendingApproval": "NOTIFICATION_MODE_2"
      },
      "requesterNotifications": {
        "entitlementAssigned": "ENABLED",
        "grantActivated": "ENABLED",
        "grantExpired": "NOTIFICATION_MODE_3",
        "grantRevoked": "ENABLED"
      }
    }
  },
  "etag": "\"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md\"",
  "name": "SCOPE/locations/global/settings",
  "serviceAccountApproverSettings": {
    "enabled": SA_AS_APPROVER
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings?updateMask=UPDATED_FIELDS" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "name": "SCOPE/locations/global/operations/OPERATION_ID",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.privilegedaccessmanager.v1beta.OperationMetadata",
    "createTime": "2024-03-25T01:55:02.544562950Z",
    "target": "SCOPE/locations/global/settings",
    "verb": "update",
    "requestedCancellation": false,
    "apiVersion": "v1beta"
  },
  "done": false
}
To check on the progress of an update operation, you can send a GET request to the following endpoint:
https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations/OPERATION_ID
Send a GET request to the following endpoint to list all operations:
https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/operations
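As an added example (not Google's code and not from this page), the following Python builds the updateSettings PATCH request that both the service-account-approver and the notification-preference procedures above describe, validates the NOTIFICATION_MODE values, and models the three rules the page states for a settings field that is set, set but empty, or omitted. The scope and etag values are constructed placeholders, and the function names and the `defaults` argument are my own; the API field and persona names are those shown on this page.

```python
API_ROOT = "https://privilegedaccessmanager.googleapis.com/v1beta"
NOTIFICATION_MODES = {"ENABLED", "DISABLED"}
PERSONAS = ("adminNotifications", "approverNotifications", "requesterNotifications")
SETTINGS_FIELDS = ("serviceAccountApproverSettings", "emailNotificationSettings")


def validate_notifications(behavior: dict) -> None:
    """Reject any persona or event mode that is not ENABLED or DISABLED."""
    for persona, events in behavior.items():
        if persona not in PERSONAS:
            raise ValueError(f"unknown persona {persona!r}")
        for event, mode in events.items():
            if mode not in NOTIFICATION_MODES:
                raise ValueError(f"{persona}.{event}: {mode!r} is not ENABLED or DISABLED")


def build_update(scope: str, current: dict, *, sa_as_approver=None, notifications=None) -> dict:
    """Build the PATCH to SCOPE/locations/global/settings.

    `current` is the settings resource from a prior get; its etag goes into the
    body so the update is rejected if the settings changed in between. The
    updateMask lists only the fields this call sets, so other fields keep
    their stored or inherited value.
    """
    if not current.get("etag"):
        raise ValueError("get the current settings first; the etag is required")
    body = {"name": f"{scope}/locations/global/settings", "etag": current["etag"]}
    mask = []
    if sa_as_approver is not None:
        body["serviceAccountApproverSettings"] = {"enabled": bool(sa_as_approver)}
        mask.append("serviceAccountApproverSettings")
    if notifications is not None:
        validate_notifications(notifications)
        body["emailNotificationSettings"] = {"customNotificationBehavior": notifications}
        mask.append("emailNotificationSettings")
    if not mask:
        raise ValueError("nothing to update")
    url = f"{API_ROOT}/{scope}/locations/global/settings?updateMask={','.join(mask)}"
    return {"method": "PATCH", "url": url, "body": body}


def effective(parent: dict, child: dict, defaults: dict) -> dict:
    """Resolve one level of the page's inheritance rules: a field absent from
    the child is inherited from the parent's effective value, a field present
    but empty takes the service defaults, and a field with a value wins."""
    out = {}
    for field in SETTINGS_FIELDS:
        if field not in child:
            out[field] = parent.get(field, defaults[field])
        elif not child[field]:
            out[field] = defaults[field]
        else:
            out[field] = child[field]
    return out
```

Send the returned body with the curl or PowerShell call shown above, then re-run a get and compare against `effective()` to confirm the child resource ended up with the value you intended rather than an inherited one.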
Terraform
You can use Terraform to configure Privileged Access Manager settings. For more information, see google_privileged_access_manager_settings in the Terraform documentation.
Last updated 2026-02-18 UTC.