Troubleshooting and FAQs

This section addresses common questions and issues you might encounter while requesting, approving, or understanding PAM entitlements.

General FAQs

1. What is a PAM entitlement?

Think of a PAM entitlement as a "package" of temporary, powerful access (like being a temporary administrator for a specific project). It defines what access you can get, how long you can have it, and who needs to approve it (if anyone).

2. Why do I need to use PAM? Can't I just have permanent access?

PAM is a security best practice! It helps protect our projects by making sure powerful access is only granted when it's actively needed, and for a limited time. This reduces the risk of accidental changes or security breaches from compromised accounts.

3. How long can a PAM grant last?

The maximum duration for a grant is set by the specific entitlement, but it's typically for a few hours, up to a maximum of 24 hours. PAM focuses on "just-in-time" access.

4. Can I request multiple grants at once?

You can only have one active grant for a specific entitlement at a time. If you need different types of access, you'll need to request separate grants for different entitlements.

Requesting Access Grants

1. I requested a grant, but it's not active.

Here are a few possibilities:

  • Awaiting Approval: If the entitlement requires approval, it won't be active until an approver reviews and approves your request. Check the "My grants" tab in the PAM console; its status will likely be Pending approval.

  • Expired Request: If an approver doesn't approve or deny your request within 24 hours, the request automatically expires. You'll need to submit a new request.

  • Processing Time: It can take a few minutes for a grant to become active after approval.

2. Why can't I request a specific entitlement? The "Request grant" button is greyed out, or I get an error.

  • You're Not an Eligible Requester: This is the most common reason. You must be explicitly listed as an "Eligible Requester" for that entitlement. Check the entitlement details in the "Entitlements for all users" tab. If you believe you should be eligible, contact the AIIP Support team.

  • Already Active Grant: You might already have an active grant for that specific entitlement. Check your "My grants" tab.

  • Entitlement Disabled: The entitlement itself might be temporarily or permanently disabled by an administrator.

3. Why do I need to provide a justification for my request?

Some entitlements are configured to require a justification to help approvers understand why you need the access and for auditing purposes. Be clear and concise in your justification.

Approving Access Grants

1. I'm an approver, but I don't see any pending requests, or I can't approve a specific request.

The following are some common reasons:

  • Check the "Approve grants" tab: Make sure you're on the "Pending approval" sub-tab.

  • You're Not an Approved Approver: You must be explicitly listed as an "Approver" for that specific entitlement. Verify this in the entitlement's details. If you are not listed, reach out to the AIIP Support team using our AIIP ticketing tool.

  • You Requested It Yourself: You cannot approve your own grant requests. Another designated approver must do so.

  • Request Expired: The request might have expired if it wasn't acted upon within 24 hours. It will no longer appear as pending.

2. What happens if I deny a grant request?

The requester will be notified that their request was denied, and they will not receive the temporary privileged access. The request will be logged with a Denied status.

Understanding PAM Entitlements

1. I'm looking for an entitlement to do [specific task], but I can't find anything suitable.

Here are a few possibilities:

  • Ensure you've selected the correct project.

  • It's possible that an entitlement for your specific need hasn't been created yet, or it's named differently than you expect. Feel free to drop suggestions/recommendations by raising a ticket in our AIIP ticketing tool. We value our customers and would love to hear your feedback!

2. What do the "Roles" in an entitlement mean?

"Roles" define the specific permissions you'll gain. For example, roles/compute.admin gives you administrative control over Compute Engine resources (like VMs), while roles/storage.objectViewer only allows you to view objects in Cloud Storage. Always try to understand what each role allows you to do. Click here to find your relevant roles.