Privileged Access Manager overview
You can use Privileged Access Manager (PAM) to control just-in-time temporary privilege elevation for select principals, and to view audit logs afterwards to find out who had access to what and when.
To allow temporary elevation, you create an entitlement in Privileged Access Manager, and add the following attributes to it:
- A set of principals who are allowed to request a grant against the entitlement.
- Whether a justification is required for that grant.
- A set of roles to temporarily grant. IAM conditions can be set on the roles.
- The maximum duration a grant can last.
- Optional: Whether requests need approval from a select set of principals, and whether those principals need to justify their approval.
- Optional: Additional stakeholders to be notified about important events, such as grants and pending approvals.
A principal that's been added as a requester to an entitlement can request a grant against that entitlement. If successful, they are granted the roles listed in the entitlement until the end of the grant duration, after which the roles are revoked by Privileged Access Manager.
Use cases
To effectively use Privileged Access Manager, start by identifying specific use cases and scenarios where it can address your organization's needs. Tailor your Privileged Access Manager entitlements based on these use cases and the necessary requirements and controls. This involves mapping out the users, roles, resources, and durations involved, along with any necessary justifications and approvals.
While Privileged Access Manager can be used as a general best practice to grant temporary rather than permanent privileges, here are some scenarios where it may be commonly used:
- Grant emergency access: Allow select emergency responders to perform critical tasks without having to wait for approval. You can mandate justifications for additional context on why the emergency access is needed.
- Control access to sensitive resources: Tightly control access to sensitive resources, requiring approvals and business justifications. Privileged Access Manager can also be used to audit how this access was used—for example, when granted roles were active for a user, which resources were accessible during that time, the justification for access, and who approved it.
  For example, you can use Privileged Access Manager to do the following:
  - Give developers temporary access to production environments for troubleshooting or deployments.
  - Give support engineers access to sensitive customer data for specific tasks.
  - Give database administrators elevated privileges for maintenance or configuration changes.
- Implement granular least privilege: Assigning administrative roles or broad access to all users can increase the attack surface. To prevent this, administrators can assign least-privilege permanent roles and use Privileged Access Manager to provide temporary, time-bound elevated access for specific tasks when needed. Administrators can create entitlements with tag-based conditions, require requesters to create grant requests with a customized scope, and withdraw grants after the task is completed. This significantly reduces opportunities for misuse and reinforces the principle of "just-in-time" access.
- Automate privileged access approvals: To enhance efficiency, you can configure service accounts as approvers within your DevOps pipelines. These accounts can automate programmatic approvals by validating tickets directly from ITSM systems, thereby eliminating slow manual checks.
- Help secure service accounts: Instead of permanently granting roles to service accounts, allow service accounts to self-elevate and assume roles only when needed for automated tasks.
- Mitigate insider threats and accidental misuse: With multi-party approvals, you can add two levels of approval to decision making. This reduces the risk associated with a single administrator or a compromised approver account approving a malicious access request.
- Manage access for contractors and extended workforce: Grant contractors or members of the extended workforce temporary, time-bound access to resources, with approvals and justifications required.
Capabilities and limitations
The following sections describe the different capabilities and limitations of Privileged Access Manager.
Supported resources
Privileged Access Manager supports creating entitlements and requesting grants for projects, folders, and organizations.
If you want to limit access to a subset of resources within a project, folder, or organization, you can add IAM Conditions to the entitlement. Privileged Access Manager supports all condition attributes that are supported in allow policy role bindings.
Note: In Privileged Access Manager entitlements, using conditions that check the tags for a resource is in preview.
Supported roles
Privileged Access Manager supports predefined roles, custom roles, and the Admin, Writer, and Reader basic roles. Privileged Access Manager doesn't support legacy basic roles (Owner, Editor, and Viewer).
Supported identities
Privileged Access Manager supports all types of identities, including Cloud Identity, Workforce Identity Federation, and Workload Identity Federation.
Audit logging
Privileged Access Manager events, such as creation of entitlements and requisition or review of grants, are logged to Cloud Audit Logs. For a complete list of events that Privileged Access Manager generates logs for, see the Privileged Access Manager audit logging documentation. To learn how to view these logs, see Audit entitlement and grant events in Privileged Access Manager.
Multi-level and multi-party approvals
Preview — Multi-level and multi-party approvals
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Note: This feature is available with either the Enterprise or Premium tier of Security Command Center.
Privileged Access Manager administrators can set up multi-level and multi-party approvals. This is useful for use cases that involve the following:
- High-risk operations such as modifying critical infrastructure or accessing sensitive data
- Enforcing segregation of duties
- Automating multi-level approval processes in dynamic workflows using service accounts as intelligent approvers
With this feature, Privileged Access Manager administrators can mandate more than one approval level per entitlement, allowing up to two levels of sequential approvals for each entitlement. Administrators can mandate up to five approvals per level. For more information, see Create entitlements.
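The limits stated in this section and under Supported resources and Supported roles (projects, folders and organizations only; no legacy basic roles; at most two sequential approval levels; at most five approvals per level) can be checked before an entitlement is created. The following linter is an added example, not Google's code: the dict layout resembles the PAM REST Entitlement resource, but every field name it reads is an assumption, and the two sample entitlements are constructed.

```python
"""Lint a Privileged Access Manager entitlement against the limits stated on this
page (added example, not Google's code). The dict layout resembles the PAM REST
Entitlement resource, but every field name here is an assumption, not a verified schema."""

LEGACY_BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # unsupported by PAM
SUPPORTED_RESOURCES = tuple(f"//cloudresourcemanager.googleapis.com/{t}/"
                            for t in ("projects", "folders", "organizations"))
MAX_APPROVAL_LEVELS = 2      # sequential approval levels per entitlement
MAX_APPROVALS_PER_LEVEL = 5  # approvals that can be mandated per level


def lint_entitlement(ent: dict) -> list[str]:
    """Return findings; an empty list means the definition fits the documented limits."""
    findings = []
    access = ent.get("privilegedAccess", {}).get("gcpIamAccess", {})
    resource = access.get("resource", "")
    if not resource.startswith(SUPPORTED_RESOURCES):
        findings.append(f"unsupported resource {resource!r}: use a project, folder or organization")
    for binding in access.get("roleBindings", []):
        if binding.get("role") in LEGACY_BASIC_ROLES:
            findings.append(f"legacy basic role {binding['role']} is not supported")
    # A missing justification config is treated like an explicit 'notMandatory'.
    if "notMandatory" in ent.get("requesterJustificationConfig", {"notMandatory": {}}):
        findings.append("requesters are not required to give a justification")
    steps = ent.get("approvalWorkflow", {}).get("manualApprovals", {}).get("steps", [])
    if not steps:
        findings.append("no approval level: grants activate without review")
    elif len(steps) > MAX_APPROVAL_LEVELS:
        findings.append(f"{len(steps)} approval levels exceed the maximum of {MAX_APPROVAL_LEVELS}")
    for level, step_ in enumerate(steps, start=1):
        needed = step_.get("approvalsNeeded", 1)
        if needed > MAX_APPROVALS_PER_LEVEL:
            findings.append(f"level {level} mandates {needed} approvals; maximum is {MAX_APPROVALS_PER_LEVEL}")
    return findings


def step(needed: int, *principals: str) -> dict:
    # One approval level in the assumed layout (helper for the constructed samples).
    return {"approvalsNeeded": needed, "approvers": [{"principals": list(principals)}]}


# Constructed samples: GOOD stays within the limits, BAD breaks several rules at once.
GOOD = {"privilegedAccess": {"gcpIamAccess": {
            "resource": "//cloudresourcemanager.googleapis.com/projects/example-prod",
            "roleBindings": [{"role": "roles/cloudsql.admin"}]}},
        "requesterJustificationConfig": {"unstructured": {}},
        "approvalWorkflow": {"manualApprovals": {"steps": [
            step(1, "group:dba-leads@example.com"),
            step(2, "user:sec1@example.com", "user:sec2@example.com", "user:sec3@example.com")]}}}
BAD = {"privilegedAccess": {"gcpIamAccess": {
           "resource": "//compute.googleapis.com/projects/example-prod/zones/z/instances/vm1",
           "roleBindings": [{"role": "roles/owner"}]}},
       "requesterJustificationConfig": {"notMandatory": {}},
       "approvalWorkflow": {"manualApprovals": {"steps": [step(6, "user:a@example.com")]}}}
```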
Scope customization
Preview — Scope customization
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Note: This feature is available with either the Enterprise or Premium tier of Security Command Center.
Requesters can customize the scope of their grant requests to include only the specific roles and resources that they need within the scope of their entitlement. For more information, see Request temporary elevated access.
Service account approvals
Preview — Service account approvals
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Privileged Access Manager administrators can enable service accounts as eligible approvers. This lets administrators add service accounts and identities in workload identity pools as approvers when creating or modifying entitlements. For more information, see Configure Privileged Access Manager settings.
Inheritance support
Preview — Inheritance support
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Entitlements and grants that are set up at the organization or folder level are visible from their descendant folders and projects in the Google Cloud console. Requesters can request access to the child resources based on those entitlements directly within those child resources. For more information, see Request temporary elevated access with Privileged Access Manager.
Notification preferences customization
Preview — Notification preferences customization
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Privileged Access Manager settings administrators can customize resource-wide notification preferences for various Privileged Access Manager events. These settings let administrators selectively disable notifications for specific events and specific personas, or disable all notifications. For more information, see Configure Privileged Access Manager settings.
Grant withdrawal
Preview — Grant withdrawal
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Requesters can withdraw grant requests that are pending approval or end their active grants when their privileged task is complete or when the access is no longer required. Organizations can recommend this as a best practice to limit the duration of privileged access to only the time it's actively needed. For more information, see Withdraw grants.
Grant retention
Grants are automatically deleted from Privileged Access Manager 30 days after they are denied, revoked, withdrawn, expired, or ended. Logs for grants are kept in Cloud Audit Logs for the log retention duration of the _Required bucket. To learn how to view these logs, see Audit entitlement and grant events in Privileged Access Manager.
Privileged Access Manager and IAM policy modifications
Privileged Access Manager manages temporary access by adding and removing role bindings from resources' IAM policies. If these role bindings are modified by something other than Privileged Access Manager, then Privileged Access Manager might not work as expected.
To avoid this issue, we recommend doing the following:
- Don't manually modify role bindings that are managed by Privileged Access Manager.
- If you use Terraform to manage your IAM policies, ensure that you're using non-authoritative resources instead of authoritative resources. This helps ensure that Terraform won't override Privileged Access Manager role bindings, even if they aren't in the declarative IAM policy configuration.
Notifications
Privileged Access Manager can notify you about various events happening in Privileged Access Manager, as described in the following sections.
Email notifications
Privileged Access Manager sends email notifications to the relevant stakeholders for entitlement and grant changes. The sets of recipients are as follows:
Eligible requesters of an entitlement:
- Email addresses of Cloud Identity users and groups specified as requesters in the entitlement.
- Manually configured email addresses in the entitlement: When using the Google Cloud console, these email addresses are listed in the Requester email recipients field in the Add requesters section. When using the gcloud CLI or the REST API, these email addresses are listed in the requesterEmailRecipients field.
Grant approvers for an entitlement:
- Email addresses of Cloud Identity users and groups specified as approvers in the approval level.
- Manually configured email addresses in the entitlement: When using the Google Cloud console, these email addresses are listed in the Approval email recipients field in the Add approvers section. When using the gcloud CLI or the REST API, these email addresses are listed in the approverEmailRecipients field of the approval workflow steps.
Administrator of the entitlement:
- Manually configured email addresses in the entitlement: When using the Google Cloud console, these email addresses are listed in the Admin email recipients field in the Entitlement details section. When using the gcloud CLI or the REST API, these email addresses are listed in the adminEmailRecipients field.
Requester of a grant:
- Email address of the grant requester if they are a Cloud Identity user.
- Additional email addresses added by the requester while requesting the grant: When using the Google Cloud console, these email addresses are listed in the Additional email address(es) field. When using the gcloud CLI or the REST API, these email addresses are listed in the additionalEmailRecipients field.
Privileged Access Manager sends emails to these email addresses for the following events:
| Recipients | Event |
|---|---|
| Eligible requesters of an entitlement | When the entitlement is assigned and available for use to the requester |
| Grant approvers for an entitlement | When a grant is requested and it requires approval |
| Requester of a grant | |
| Administrator of the entitlement | |
Pub/Sub notifications
Privileged Access Manager is integrated with Cloud Asset Inventory. You can use the Cloud Asset Inventory feeds feature to receive notifications about all grant changes through Pub/Sub. The asset type to use for grants is privilegedaccessmanager.googleapis.com/Grant.
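A feed subscriber typically filters on that asset type and turns each message into a grant state transition that can be routed to a SIEM (elevation started, elevation ended, or retention bookkeeping). The following consumer is an added example, not Google's code: the asset type is the one named above, but the Pub/Sub envelope ('data' as base64 JSON), the feed payload layout ('asset', 'priorAsset', 'deleted') and the grant's 'state' values are assumptions, and the messages it is tested with are constructed locally.

```python
"""Consume Cloud Asset Inventory feed messages for PAM grants and report state
transitions (added example, not Google's code). The asset type is the one this
page names; the Pub/Sub envelope ('data' as base64 JSON), the feed payload
layout ('asset', 'priorAsset', 'deleted') and the grant's 'state' field are
assumptions about the message format and resource schema."""
import base64
import json

GRANT_ASSET_TYPE = "privilegedaccessmanager.googleapis.com/Grant"
# Grants in these states are deleted from PAM 30 days later (see Grant retention).
TERMINAL_STATES = {"DENIED", "REVOKED", "WITHDRAWN", "EXPIRED", "ENDED"}


def grant_transition(message: dict):
    """Return (grant name, prior state, new state), or None for non-grant assets."""
    payload = json.loads(base64.b64decode(message["data"]).decode())
    asset = payload.get("asset", {})
    if asset.get("assetType") != GRANT_ASSET_TYPE:
        return None
    prior = payload.get("priorAsset", {}).get("resource", {}).get("data", {})
    if payload.get("deleted"):
        new_state = "DELETED"  # retention cleanup, not a change in access
    else:
        new_state = asset.get("resource", {}).get("data", {}).get("state")
    return asset.get("name"), prior.get("state"), new_state


def classify(transition) -> str:
    """Label a transition for routing: elevation started, ended, or bookkeeping."""
    if transition is None:
        return "ignore"
    _, prior, new = transition
    if new == "ACTIVE" and prior != "ACTIVE":
        return "elevation-started"
    if new in TERMINAL_STATES and prior not in TERMINAL_STATES:
        return "elevation-ended"
    return "bookkeeping"


def make_message(name: str, prior_state, new_state, asset_type=GRANT_ASSET_TYPE) -> dict:
    """Build a constructed feed message in the assumed layout (for local testing)."""
    payload = {"asset": {"name": name, "assetType": asset_type,
                         "resource": {"data": {"state": new_state}}},
               "deleted": new_state is None}
    if prior_state is not None:
        payload["priorAsset"] = {"resource": {"data": {"state": prior_state}}}
    return {"data": base64.b64encode(json.dumps(payload).encode()).decode()}
```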
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.