View and export Privileged Access Manager settings

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

As a Privileged Access Manager settings viewer, you can view the Privileged Access Manager settings for an organization, folder, or project. You can also export settings programmatically using the Google Cloud CLI.

Before you begin

To get the permissions that you need to view Privileged Access Manager settings, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to view Privileged Access Manager settings. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to view Privileged Access Manager settings:

  • To view settings:
    • privilegedaccessmanager.settings.get
    • privilegedaccessmanager.settings.fetchEffective

You might also be able to get these permissions with custom roles or other predefined roles.

View settings

Console

  1. Go to the Privileged Access Manager page.


  2. Select the organization, folder, or project that you want to view Privileged Access Manager settings for.

  3. Click the Settings tab.

The Settings page displays the Privileged Access Manager settings details for the selected resource.

gcloud

You can view the following settings for a resource:

  • Individual settings that are directly set on the resource.
  • Effective settings that are set on the resource or inherited from its parent resource.

    View individual settings for a resource

    The gcloud alpha pam settings describe command views Privileged Access Manager settings.

    Before using any of the command data below, make the following replacements:

    • RESOURCE_TYPE: Optional. The resource type that you want to retrieve the settings for. Use the value organization, folder, or project.
    • RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.

    Execute the following command:

    Linux, macOS, or Cloud Shell

    gcloud alpha pam settings describe \
        --location=global \
        --RESOURCE_TYPE=RESOURCE_ID

    Windows (PowerShell)

    gcloud alpha pam settings describe `
        --location=global `
        --RESOURCE_TYPE=RESOURCE_ID

    Windows (cmd.exe)

    gcloud alpha pam settings describe ^
        --location=global ^
        --RESOURCE_TYPE=RESOURCE_ID

    You should receive a response similar to the following:

    createTime: '2025-05-18T10:10:10.101010101Z'
    emailNotificationSettings:
      customNotificationBehavior:
        adminNotifications:
          grantActivated: ENABLED
          grantActivationFailed: DISABLED
          grantEnded: ENABLED
          grantExternallyModified: ENABLED
        approverNotifications:
          pendingApproval: ENABLED
        requesterNotifications:
          entitlementAssigned: ENABLED
          grantActivated: ENABLED
          grantExpired: ENABLED
          grantRevoked: ENABLED
    etag: "ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md"
    name: RESOURCE_TYPE/RESOURCE_ID/locations/global/settings
    serviceAccountApproverSettings:
      enabled: true
    updateTime: '2025-05-18T10:10:10.101010101Z'

    View effective settings on a resource

    The gcloud alpha pam settings describe-effective command views Privileged Access Manager settings.

    Before using any of the command data below, make the following replacements:

    • RESOURCE_TYPE: Optional. The resource type that you want to retrieve the settings for. Use the value organization, folder, or project.
    • RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.

    Execute the following command:

    Linux, macOS, or Cloud Shell

    gcloud alpha pam settings describe-effective \
        --location=global \
        --RESOURCE_TYPE=RESOURCE_ID

    Windows (PowerShell)

    gcloud alpha pam settings describe-effective `
        --location=global `
        --RESOURCE_TYPE=RESOURCE_ID

    Windows (cmd.exe)

    gcloud alpha pam settings describe-effective ^
        --location=global ^
        --RESOURCE_TYPE=RESOURCE_ID

    You should receive a response similar to the following:

    emailNotificationSettings:
      customNotificationBehavior:
        adminNotifications:
          notifyGrantActivated: true
          notifyGrantActivationFailed: true
          notifyGrantEnded: true
          notifyGrantExternallyModified: true
        approverNotifications:
          notifyPendingApproval: true
        requesterNotifications:
          notifyEntitlementAssigned: true
          notifyEntitlementUpdated: true
          notifyGrantActivated: true
          notifyGrantActivationFailed: true
          notifyGrantEnded: true
          notifyGrantExpired: true
          notifyGrantExternallyModified: true
          notifyGrantRevoked: true
    parent: RESOURCE_TYPE/RESOURCE_ID/locations/global
    serviceAccountApproverSettings: {}

REST

You can view the following settings for a resource:

  • Individual settings that are directly set on the resource.
  • Effective settings that are set on the resource or inherited from its parent resource.

    View individual settings for a resource

    The Privileged Access Manager API's getSettings method views Privileged Access Manager settings.

    Before using any of the request data, make the following replacements:

    • SCOPE: The organization, folder, or project that you want to retrieve the settings for, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.

    HTTP method and URL:

    GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/settings" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
      "createTime": "2025-05-18T10:10:10.101010101Z",
      "emailNotificationSettings": {
        "customNotificationBehavior": {
          "adminNotifications": {
            "grantActivated": "ENABLED",
            "grantActivationFailed": "DISABLED",
            "grantEnded": "ENABLED",
            "grantExternallyModified": "ENABLED"
          },
          "approverNotifications": {
            "pendingApproval": "ENABLED"
          },
          "requesterNotifications": {
            "entitlementAssigned": "ENABLED",
            "grantActivated": "ENABLED",
            "grantExpired": "ENABLED",
            "grantRevoked": "ENABLED"
          }
        }
      },
      "etag": "\"ZjlkNWZlMWUtNDlhYS00YjJjAYlzNWYtZWFkNGVjOWU3NWMkBwYRsottW5Md\"",
      "name": "SCOPE/locations/global/settings",
      "serviceAccountApproverSettings": {
        "enabled": true
      },
      "updateTime": "2025-05-18T10:10:10.101010101Z"
    }

    View effective settings on a resource

    The Privileged Access Manager API's fetchEffectiveSettings method views Privileged Access Manager settings.

    Before using any of the request data, make the following replacements:

    • SCOPE: The organization, folder, or project that you want to retrieve the settings for, in the format of organizations/ORGANIZATION_ID, folders/FOLDER_ID, or projects/PROJECT_ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.

    HTTP method and URL:

    GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global:effectiveSettings

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global:effectiveSettings"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global:effectiveSettings" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
      "emailNotificationSettings": {
        "customNotificationBehavior": {
          "adminNotifications": {
            "notifyGrantActivated": "true",
            "notifyGrantActivationFailed": "true",
            "notifyGrantEnded": "true",
            "notifyGrantExternallyModified": "true"
          },
          "approverNotifications": {
            "notifyPendingApproval": "true"
          },
          "requesterNotifications": {
            "notifyEntitlementAssigned": "true",
            "notifyEntitlementUpdated": "true",
            "notifyGrantActivated": "true",
            "notifyGrantActivationFailed": "true",
            "notifyGrantEnded": "true",
            "notifyGrantExpired": "true",
            "notifyGrantExternallyModified": "true",
            "notifyGrantRevoked": "true"
          }
        }
      },
      "parent": "SCOPE/locations/global",
      "serviceAccountApproverSettings": {}
    }
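As an added example (not part of the original documentation and not Google's code), the following Python check reads either JSON response shown above and lists the notifications that are turned off, along with whether service account approvers are enabled. The mapping between the two key styles (`grantEnded` and `notifyGrantEnded`) and the treatment of a missing `enabled` field as off are assumptions drawn from the sample responses; only keys present in the response are evaluated.

```python
import json

# Constructed samples, trimmed from the getSettings and
# fetchEffectiveSettings responses shown on this page.
INDIVIDUAL = json.loads("""
{"emailNotificationSettings": {"customNotificationBehavior": {
   "adminNotifications": {"grantActivated": "ENABLED",
                          "grantActivationFailed": "DISABLED",
                          "grantExternallyModified": "ENABLED"},
   "approverNotifications": {"pendingApproval": "ENABLED"}}},
 "serviceAccountApproverSettings": {"enabled": true}}
""")
EFFECTIVE = json.loads("""
{"emailNotificationSettings": {"customNotificationBehavior": {
   "adminNotifications": {"notifyGrantActivated": "true",
                          "notifyGrantActivationFailed": "true"},
   "approverNotifications": {"notifyPendingApproval": "true"}}},
 "serviceAccountApproverSettings": {}}
""")


def event_name(key):
    """Assumption: 'notifyGrantEnded' and 'grantEnded' name the same event."""
    if key.startswith("notify") and len(key) > 6:
        return key[6].lower() + key[7:]
    return key


def is_on(value):
    """ENABLED, true or "true" count as on; anything else counts as off."""
    return str(value).upper() in ("ENABLED", "TRUE")


def audit(settings):
    """Return (sorted disabled notifications, service-account approvers on?)."""
    behavior = (settings.get("emailNotificationSettings", {})
                .get("customNotificationBehavior", {}))
    disabled = sorted(
        f"{audience}.{event_name(key)}"
        for audience, events in behavior.items()
        for key, value in events.items()
        if not is_on(value)
    )
    sa = settings.get("serviceAccountApproverSettings", {}).get("enabled", False)
    return disabled, is_on(sa)


if __name__ == "__main__":
    for label, doc in (("individual", INDIVIDUAL), ("effective", EFFECTIVE)):
        print(label, audit(doc))
```
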

Export settings programmatically using the gcloud CLI

The gcloud alpha pam settings export command retrieves and exports the settings for a specific resource.

Before using any of the command data below, make the following replacements:

  • FILENAME: The filename to export the settings contents to.
  • RESOURCE_TYPE: Optional. The resource type that the corresponding resource belongs to. Use the value organization, folder, or project.
  • RESOURCE_ID: Used with RESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud alpha pam settings export \
    --destination=FILENAME.yaml \
    --location=global \
    --RESOURCE_TYPE=RESOURCE_ID

Windows (PowerShell)

gcloud alpha pam settings export `
    --destination=FILENAME.yaml `
    --location=global `
    --RESOURCE_TYPE=RESOURCE_ID

Windows (cmd.exe)

gcloud alpha pam settings export ^
    --destination=FILENAME.yaml ^
    --location=global ^
    --RESOURCE_TYPE=RESOURCE_ID

You should receive a response similar to the following:

Exported [RESOURCE_TYPE/RESOURCE_ID/locations/global/settings] to FILENAME.yaml.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.