Privileged Access Manager roles and permissions

This page lists the IAM roles and permissions for Privileged Access Manager. To search through all roles and permissions, see the role and permission index.

Role Permissions

Privileged Access Manager Admin

(roles/privilegedaccessmanager.admin)

Full access to Privileged Access Manager resources.

privilegedaccessmanager.entitlements.*

  • privilegedaccessmanager.entitlements.create
  • privilegedaccessmanager.entitlements.delete
  • privilegedaccessmanager.entitlements.get
  • privilegedaccessmanager.entitlements.list
  • privilegedaccessmanager.entitlements.setIamPolicy
  • privilegedaccessmanager.entitlements.update

privilegedaccessmanager.grants.*

  • privilegedaccessmanager.grants.get
  • privilegedaccessmanager.grants.list
  • privilegedaccessmanager.grants.revoke

privilegedaccessmanager.locations.*

  • privilegedaccessmanager.locations.checkOnboardingStatus
  • privilegedaccessmanager.locations.get
  • privilegedaccessmanager.locations.list

privilegedaccessmanager.operations.*

  • privilegedaccessmanager.operations.delete
  • privilegedaccessmanager.operations.get
  • privilegedaccessmanager.operations.list

privilegedaccessmanager.settings.fetchEffective

privilegedaccessmanager.settings.get

resourcemanager.projects.get

Privileged Access Manager Folder Service Agent

(roles/privilegedaccessmanager.folderServiceAgent)

Gives the Privileged Access Manager service account access to modify IAM policies on GCP folders.

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

Privileged Access Manager Organization Service Agent

(roles/privilegedaccessmanager.organizationServiceAgent)

Gives the Privileged Access Manager service account access to modify IAM policies on GCP organizations.

iam.roles.get

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

Privileged Access Manager Project Service Agent

(roles/privilegedaccessmanager.projectServiceAgent)

Gives the Privileged Access Manager service account access to modify IAM policies on GCP projects.

iam.roles.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Privileged Access Manager Service Agent

(roles/privilegedaccessmanager.serviceAgent)

Gives the Privileged Access Manager service account access to modify IAM policies on GCP resources.

iam.roles.get

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

Privileged Access Manager Settings Admin (Beta)

(roles/privilegedaccessmanager.settingsAdmin)

Administrator of Privileged Access Manager Settings.

privilegedaccessmanager.operations.get

privilegedaccessmanager.settings.*

  • privilegedaccessmanager.settings.fetchEffective
  • privilegedaccessmanager.settings.get
  • privilegedaccessmanager.settings.update

Privileged Access Manager Settings Viewer (Beta)

(roles/privilegedaccessmanager.settingsViewer)

Read-only access to Privileged Access Manager Settings and Effective Settings.

privilegedaccessmanager.settings.fetchEffective

privilegedaccessmanager.settings.get

Privileged Access Manager Viewer

(roles/privilegedaccessmanager.viewer)

Read-only access to Privileged Access Manager resources.

privilegedaccessmanager.entitlements.get

privilegedaccessmanager.entitlements.list

privilegedaccessmanager.grants.get

privilegedaccessmanager.grants.list

privilegedaccessmanager.locations.get

privilegedaccessmanager.locations.list

privilegedaccessmanager.operations.get

privilegedaccessmanager.operations.list

privilegedaccessmanager.settings.fetchEffective

privilegedaccessmanager.settings.get

resourcemanager.projects.get

Privileged Access Manager permissions

Permission Included in roles

privilegedaccessmanager.entitlements.create

Owner (roles/owner)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

privilegedaccessmanager.entitlements.delete

Owner (roles/owner)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

privilegedaccessmanager.entitlements.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.entitlements.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.entitlements.setIamPolicy

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

privilegedaccessmanager.entitlements.update

Owner (roles/owner)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

privilegedaccessmanager.grants.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.grants.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.grants.revoke

Owner (roles/owner)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

privilegedaccessmanager.locations.checkOnboardingStatus

Owner (roles/owner)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

privilegedaccessmanager.locations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.locations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.operations.delete

Owner (roles/owner)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

privilegedaccessmanager.operations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Settings Admin (roles/privilegedaccessmanager.settingsAdmin)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.operations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.settings.fetchEffective

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Settings Admin (roles/privilegedaccessmanager.settingsAdmin)

Privileged Access Manager Settings Viewer (roles/privilegedaccessmanager.settingsViewer)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.settings.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Support User (roles/iam.supportUser)

Privileged Access Manager Admin (roles/privilegedaccessmanager.admin)

Privileged Access Manager Settings Admin (roles/privilegedaccessmanager.settingsAdmin)

Privileged Access Manager Settings Viewer (roles/privilegedaccessmanager.settingsViewer)

Privileged Access Manager Viewer (roles/privilegedaccessmanager.viewer)

privilegedaccessmanager.settings.update

Privileged Access Manager Settings Admin (roles/privilegedaccessmanager.settingsAdmin)


Last updated 2026-02-19 UTC.