Best practices for Privileged Access Manager

This document describes best practices for using Privileged Access Manager to control just-in-time, temporary privilege elevation with Identity and Access Management (IAM).

Manage IAM policy size

Privileged Access Manager grants time-bound access by adding a conditional IAM role binding to the resource's allow policy. Each active Privileged Access Manager grant therefore occupies space in that policy and counts toward the standard IAM policy size limits. For more information, see IAM quotas and limits.

If a resource's IAM policy reaches its maximum size, new Privileged Access Manager grant requests for that resource fail, rather than queue, until you free space in the policy. For a resource that is close to the limit, this means an on-call engineer's emergency request can be refused at the moment it is needed, so monitor policy size before it becomes a problem.

If you are approaching or have reached the IAM policy size limit, you can do the following:

Revoke existing grants

Revoke active Privileged Access Manager grants that are no longer needed. Revoking a grant removes its IAM binding from the policy and frees the space it occupied. For instructions, see Revoke grants.
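As an added example (not code from the Privileged Access Manager documentation), the script below audits an IAM allow policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, reports how much of the policy's size budget time-bound bindings hold, and lists the active grants largest-first so you can pick revocation candidates. The policy is a constructed sample. Two assumptions are not from the page: a grant is recognized by a condition containing `request.time < timestamp("...")`, and `POLICY_SIZE_LIMIT` is a placeholder to replace with the figure from IAM quotas and limits for your resource type.

```python
"""Audit an IAM allow policy for the space consumed by time-bound bindings.

Added example, not code from the Privileged Access Manager documentation.
SAMPLE_POLICY is a constructed policy in the JSON shape printed by
`gcloud projects get-iam-policy PROJECT_ID --format=json`.

Assumptions (not stated on the page):
- A Privileged Access Manager grant is identified here by a conditional
  binding whose CEL expression contains `request.time < timestamp("...")`.
- POLICY_SIZE_LIMIT is a placeholder; take the real value for your
  resource type from IAM quotas and limits.
"""
import json
import re
from datetime import datetime, timezone

POLICY_SIZE_LIMIT = 64 * 1024  # assumed placeholder, in bytes

# Expiry clause that a time-bound binding carries (assumed shape).
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

# Fixed "now" so the run is repeatable; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 2, 19, 12, 0, tzinfo=timezone.utc)

SAMPLE_POLICY = {  # constructed sample, not a real policy
    "version": 3,
    "etag": "BwYkQ2NvbnN0cnVjdGVk",
    "bindings": [
        {"role": "roles/owner",
         "members": ["group:platform-admins@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:analyst@example.com"],
         "condition": {"title": "pam-grant-a1",
                       "expression": 'request.time < timestamp("2026-02-20T09:00:00Z")'}},
        {"role": "roles/compute.admin",
         "members": ["user:oncall@example.com", "user:backup-oncall@example.com"],
         "condition": {"title": "pam-grant-b7",
                       "expression": 'request.time < timestamp("2026-02-19T18:30:00Z")'}},
        {"role": "roles/logging.viewer",
         "members": ["user:ex-contractor@example.com"],
         "condition": {"title": "manual temp access",
                       "expression": 'request.time < timestamp("2025-06-01T00:00:00Z")'}},
    ],
}


def binding_bytes(binding):
    """Serialized size of one binding, the unit that counts toward the limit."""
    return len(json.dumps(binding, separators=(",", ":")).encode("utf-8"))


def policy_bytes(policy):
    """Serialized size of the whole policy."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def expiry_of(binding):
    """Return the binding's expiry as an aware datetime, or None if it is not time-bound."""
    expr = binding.get("condition", {}).get("expression", "")
    m = EXPIRY_RE.search(expr)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))


def audit(policy, now, limit=POLICY_SIZE_LIMIT):
    """Summarize how much of the policy's size budget time-bound bindings hold."""
    active, expired = [], []
    for b in policy.get("bindings", []):
        exp = expiry_of(b)
        if exp is None:
            continue
        entry = {"role": b["role"], "title": b["condition"].get("title", ""),
                 "bytes": binding_bytes(b), "expires": exp.isoformat()}
        (active if exp > now else expired).append(entry)
    # Largest active grants first: revoking these frees the most space.
    active.sort(key=lambda e: e["bytes"], reverse=True)
    total = policy_bytes(policy)
    return {
        "total_bytes": total,
        "used_pct": round(100.0 * total / limit, 2),
        "active_grants": active,
        "active_grant_bytes": sum(e["bytes"] for e in active),
        # An expired conditional binding no longer grants access but still
        # occupies policy space until something removes it.
        "expired_bindings": expired,
        "reclaimable_bytes": sum(e["bytes"] for e in expired),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, NOW), indent=2))
```

The report separates grants that are still active (candidates for Revoke grants) from bindings whose expiry has already passed; the latter grant nothing, so removing them is a free win before you touch anyone's live access.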

Optimize your Privileged Access Manager setup

To optimize your Privileged Access Manager entitlements and reduce the space each grant consumes in an IAM policy, do the following:

  1. Consolidate roles within entitlements:

    1. Consolidate multiple predefined roles into fewer custom roles to reduce the space consumed.
    2. Use a single broader role, for example the basic Viewer role (roles/viewer), instead of multiple service-specific viewer roles. Weigh this against the least-privilege guidance in step 3: a broader role saves policy space only if the requester genuinely needs that breadth of access.
    3. Remove redundant roles and overlapping permissions. For example, if all permissions in Role A are also in Role B, remove Role A from the entitlement.
  2. Reduce the number and complexity of IAM conditions:

    1. If a condition lists multiple resource names joined with OR (||), consider using a tag condition (resource.matchTag) instead, so that one short clause replaces a clause per resource.
    2. For grants that use scope customization, don't use resource-name-based filters.
  3. Grant access at the minimum required scope.

    Following the principle of least privilege, set up Privileged Access Manager entitlements to grant access at the narrowest possible scope. For example, if a user only needs access to a single Cloud Storage bucket in a project, grant access to that bucket instead of the entire project, folder, or organization.
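As an added example covering steps 1c and 2a above (not code from the Privileged Access Manager documentation), the script below checks an entitlement's role list for roles whose permissions another role in the list already includes, and rewrites a condition that ORs resource names into a single tag condition. ROLE_PERMISSIONS is a constructed, abbreviated sample; for real data use `gcloud iam roles describe ROLE --format=json` and read `includedPermissions`. The tag key uses the ORG_ID/key form that resource.matchTag() expects; the organization ID and tag name are made up.

```python
"""Trim a Privileged Access Manager entitlement so each grant costs less policy space.

Added example, not code from the Privileged Access Manager documentation.
It covers two optimizations: dropping roles whose permissions another role
in the entitlement already includes, and replacing a condition that ORs
resource names with one tag condition.

Assumptions (not from the page):
- ROLE_PERMISSIONS is a constructed, abbreviated sample. For real data use
  `gcloud iam roles describe ROLE --format=json` (field: includedPermissions).
- TAG_KEY uses the ORG_ID/key form resource.matchTag() expects; the org ID
  123456789012 and the tag are made up. The tag must be bound to every listed
  resource before the condition is switched, or the grant stops matching them.
"""
import re

ROLE_PERMISSIONS = {  # constructed, abbreviated; not the authoritative lists
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete",
                                  "storage.objects.update"},
    "roles/logging.viewer": {"logging.logEntries.list", "logging.logs.list"},
}

ENTITLEMENT_ROLES = ["roles/storage.objectViewer", "roles/storage.objectAdmin",
                     "roles/logging.viewer"]

# Condition as written today: one equality clause per bucket, ORed together.
VERBOSE_CONDITION = (
    'resource.name == "projects/_/buckets/payroll-exports-prod" || '
    'resource.name == "projects/_/buckets/payroll-archive-prod" || '
    'resource.name == "projects/_/buckets/payroll-staging-prod"'
)
TAG_KEY, TAG_VALUE = "123456789012/workload", "payroll"  # made-up tag

_NAME_CLAUSE = re.compile(r'^resource\.name\s*==\s*"([^"]+)"$')


def redundant_roles(roles, permissions):
    """Roles whose permissions are a subset of another role's in the same entitlement.

    When two roles carry identical permissions, the later one in the list is
    reported as redundant so that exactly one of them survives.
    """
    redundant = set()
    for i, a in enumerate(roles):
        for j, b in enumerate(roles):
            if i == j or b in redundant:
                continue
            pa, pb = permissions[a], permissions[b]
            if pa < pb or (pa == pb and i > j):
                redundant.add(a)
                break
    return redundant


def resource_names_in(expression):
    """Split an OR of resource.name equality clauses into the listed names.

    Raises ValueError on any clause of another shape, so the rewrite never
    silently drops part of a condition it does not understand.
    """
    names = []
    for clause in expression.split("||"):
        m = _NAME_CLAUSE.match(clause.strip().strip("()").strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        names.append(m.group(1))
    return names


def to_tag_condition(expression, tag_key, tag_value):
    """Rewrite an OR-of-names condition as one resource.matchTag() check.

    Returns the new expression, the resources that must carry the tag for the
    grant to keep matching them, and the bytes saved per binding.
    """
    names = resource_names_in(expression)
    new_expr = f'resource.matchTag("{tag_key}", "{tag_value}")'
    saved = len(expression.encode("utf-8")) - len(new_expr.encode("utf-8"))
    return new_expr, names, saved


if __name__ == "__main__":
    print("drop from entitlement:", sorted(redundant_roles(ENTITLEMENT_ROLES, ROLE_PERMISSIONS)))
    expr, to_tag, saved = to_tag_condition(VERBOSE_CONDITION, TAG_KEY, TAG_VALUE)
    print("new condition:", expr)
    print("tag these resources first:", to_tag)
    print("bytes saved per binding:", saved)
```

The saving from the tag rewrite is paid for every grant issued against the entitlement, and it grows with the number of resources, whereas the verbose form grows by one clause per resource; the returned resource list is the checklist of tag bindings to apply before you change the entitlement.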


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.