Configure feature access control using IAM

Google Security Operations integrates with Google Cloud Identity and Access Management (IAM) to provide Google Security Operations-specific permissions and predefined roles. Google Security Operations administrators can control access to Google Security Operations features by creating IAM policies that bind users or groups to predefined roles or to IAM custom roles. This feature does not control access to specific UDM records or fields in a UDM record.

This document describes how Google Security Operations integrates with IAM, describes the differences from the Google Security Operations RBAC feature, provides steps to migrate a Google Security Operations instance to IAM, provides examples of how to assign permissions using IAM, and summarizes the permissions and predefined roles available in IAM.

For a detailed description of the permissions used to configure authorization in Google Security Operations and the audit logs they produce, see Permissions and API methods by resource group.

Some Google Security Operations instances may be in the process of migrating from the original feature RBAC implementation. In this document, the name Google Security Operations RBAC is used when referring to the previously available feature-based role-based access control that is configured using Google Security Operations, and not IAM. IAM is used to describe feature-based role-based access control that you configure using IAM.

Each Google Security Operations permission is associated with a Google Security Operations API resource and method. When a user or group is granted a permission, the user can access the feature in Google Security Operations and send a request using the related API method.

How Google Security Operations integrates with IAM

To use IAM, Google Security Operations must be bound to a Google Cloud project and must be configured with Google Cloud workforce identity federation as an intermediary in the authentication flow. For information about the authentication flow, see Integrate Google Security Operations with a third-party identity provider.

Google Security Operations performs the following steps to verify and control access to features:

1. After logging on to Google Security Operations, a user accesses a Google Security Operations application page. Alternatively, the user may send an API request to Google Security Operations.
2. Google Security Operations verifies the permissions granted in the IAM policies defined for that user.
3. IAM returns the authorization information. If the user accessed an application page, Google Security Operations enables access to only those features that the user has been granted access to.
4. If the user sent an API request, and does not have permission to perform the requested action, the API response includes an error. Otherwise, a standard response is returned.

Google Security Operations provides a set of predefined roles with a defines set of permissions that control whether a user can access the feature. The single IAM policy controls access to the feature using the web interface and the API.

Google Security Operations administrators create groups in their identity provider, configure the SAML application to pass group membership information in the assertion, and then associate users and groups to Google Security Operations predefined roles in IAM or to custom roles that they created.

If there are other Google Cloud services in the Google Cloud project bound to Google Security Operations, and you want to limit a user with the Project IAM Admin role to modify only the Google Security Operations resources, make sure to add IAM conditions to the allow policy. See Assign roles to users and groups for an example of how to do this.

Administrators tailor access to Google Security Operations features based on an employee's role in your organization.

Before you begin

• Make sure that you are familiar with Cloud Shell, the gcloud CLI command, and the Google Cloud console.
• Familiarize yourself with IAM, including the following concepts:
  • Overview of IAM.
  • Overview of roles and permissions, predefined roles versus custom roles, and creating custom roles.
  • IAM conditions.
• Perform all steps in Bind Google Security Operations to a Google Cloud project to set up a project that binds to Google Security Operations.
• Perform all steps in Integrate Google Security Operations with a third-party identity provider to set up authentication through a third-party identity provider (IdP).
• After binding a project to your Google Security Operations instance and configuring the instance with workforce identity federation, make sure that your Google Security Operations instance is performing as expected. See Verify or configure Google Security Operations feature access control.

Plan your implementation

You create IAM policies that support your organization's deployment requirements. You can use either Google Security Operations predefined roles or custom roles that you create.

Review the list of Google Security Operations predefined roles and permissions against your organization requirements. Identify which members of your organization should have access to each Google Security Operations feature. If your organization requires IAM policies that differ from the predefined Google Security Operations roles, create custom roles to support these requirements. For information about IAM custom roles, see Create and manage custom roles.

Summary of Google Security Operations roles and permissions

The following sections provides a high level summary

For information about Google Security Operations API methods and permissions, the UI pages where permissions are used, and information recorded in Cloud Audit Logs when the API is called, see Chronicle permissions in IAM.

The most current list of Google Security Operations permissions is in IAM permissions reference. Under the Search for a permission section, search for the term chronicle.

The most current list of predefined Google SecOps roles is in IAM basic and predefined roles reference. Under the Predefined roles section, either select the Chronicle API roles service or search for the term chronicle.

Google Security Operations predefined roles in IAM

Google Security Operations provides the following predefined roles as they appear in IAM.

Predefined role in IAM	Title	Description
roles/chronicle.admin	Google Security Operations API Admin	Full access to Google Security Operations application and API services, including global settings.
roles/chronicle.editor	Google Security Operations API Editor	Modify access to Google Security Operations application and API resources.
roles/chronicle.viewer	Google Security Operations API Viewer	Read-only access to Google Security Operations application and API resources
roles/chronicle.limitedViewer	Google Security Operations API Limited Viewer	Grants read-only access to Google Security Operations application and API resources, excluding detection engine rules and retrohunts.

Google Security Operations permissions in IAM

Google Security Operations permissions correspond one-to-one with Google Security Operations API methods. Each Google Security Operations permission enables a specific action on a specific Google Security Operations feature when using the web application or the API. Google Security Operations APIs used with IAM are in the Alpha launch stage.

Google Security Operations permission names follow the format SERVICE.FEATURE.ACTION. For example, the permission name chronicle.dashboards.edit consists of the following:

• chronicle: the Google Security Operations API service name.
• dashboards: the feature name.
• edit: the action that can be performed on the feature.

The permission name describes the action you can perform on the feature in Google Security Operations. All Google Security Operations permissions have the chronicle service name.

Assign roles to users and groups

The following sections provide example use cases for creating IAM policies. The term <project> is used to represent the project ID of the project that you bound to Google Security Operations.

After you enable the Chronicle API, the Google Security Operations predefined roles and permissions are available in IAM and you can create policies to support organization requirements.

If you have a newly created Google Security Operations instance, begin creating IAM policies to meet organization requirements.

If this is an existing Google Security Operations instance, see Migrate Google Security Operations to IAM for feature access control for information about migrating the instance to IAM.

Example: Assign the Project IAM Admin role in a dedicated project

In this example, the project is dedicated to your Google Security Operations instance. You grant the Project IAM Admin role to a user so they can grant and modify the project's IAM role bindings. The user can administer all Google Security Operations roles and permissions in the project and perform tasks granted by the Project IAM Admin role.

Assign the role using Google Cloud console

The following steps describe how to grant a role to a user using Google Cloud console.

1. Open Google Cloud console.
2. Select the project that is bound to Google Security Operations.
3. Select IAM & Admin.
4. Select Grant Access. The Grant Access to <project> appears.
5. Under the Add Principals section, enter the user email address in the New principals field.
6. Under the Assign Roles section, in the Select a role menu, select the Project IAM Admin role.
7. Click Save.
8. Open the IAM > Permissions page to verify the user was granted the correct role.

Assign the role using the Google Cloud CLI

The following example command demonstrates how to grant a user the chronicle.admin role.

gcloud projects add-iam-policy-binding PROJECT_ID  \
--member=principal://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/subject/USER_EMAIL \
--role=roles/chronicle.admin

Replace the following:

• PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of fields that identify a project.
• WORKFORCE_POOL_ID: the identifier for the Workforce pool created for your Identity Provider.
• USER_EMAIL: the user's email address.

Example: Assign the Project IAM Admin role in a shared project

In this example, the project is used for multiple applications. It is bound to a Google Security Operations instance and runs services that are not related to Google Security Operations. For example, a Compute Engine resource used for another purpose.

In this case, you can grant the Project IAM Admin role to a user so they can grant and modify the project's IAM role bindings and configure Google Security Operations. You will also add IAM s to the role binding to limit their access to only Google Security Operations-related roles in the project. This user can only grant roles specified in the IAM condition.

For more information about IAM conditions, see Overview of IAM Conditions and Manage conditional role bindings.

Assign the role using Google Cloud console

The following steps describe how to grant a role to a user using Google Cloud console.

1. Open Google Cloud console.
2. Select the project that is bound to Google Security Operations.
3. Select IAM & Admin.
4. Select Grant Access. The Grant Access to <project> appears.
5. In the Grant Access to <project> dialog, under the Add Principals section, enter the user email address in the New Principals field.
6. Under the Assign Roles section, in the Select a role menu, select the Project IAM Admin role.
7. Click + Add IAM Condition.

8. In the Add condition dialog, enter the following information:

   1. Enter a Title for the condition.
   2. Select the Condition Editor.
   3. Enter the following condition:

   api.getAttribute(iam.googleapis.com/modifiedGrantsByRole,[]).hasOnly([roles/chronicle.googleapis.com/limitedViewer, roles/chronicle.googleapis.com/viewer, roles/chronicle.googleapis.com/editor, roles/chronicle.googleapis.com/admin])
   

   1. Click Save in the Add condition dialog.
   2. Click Save in the Grant Access to <project> dialog.
   3. Open the IAM > Permissions page to verify the user was granted the correct role.

Assign the role using the Google Cloud CLI

The following example command demonstrates how to grant a user the chronicle.admin role and apply IAM conditions.

gcloud projects add-iam-policy-binding PROJECT_ID  \
--member=principal://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/subject/USER_EMAIL \
--role=roles/chronicle.admin\
--condition=^:^'expression=api.getAttribute(iam.googleapis.com/modifiedGrantsByRole,[]).hasOnly([roles/chronicle.googleapis.com/limitedViewer, roles/chronicle.googleapis.com/viewer, roles/chronicle.googleapis.com/editor, roles/chronicle.googleapis.com/admin])':'title=Chronicle Role Admin'

Replace the following:

• PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of fields that identify a project.
• WORKFORCE_POOL_ID: the identifier for the Workforce pool created for your Identity Provider.
• USER_EMAIL: the user's email address.

Example: Assign the Chronicle API Editor role to a user

In this situation, you want to enable a user the ability to modify access to Google Security Operations API resources.

Assign the role using Google Cloud console

1. Open Google Cloud console.
2. Select the project that is bound to Google Security Operations.
3. Select IAM & Admin.
4. Select Grant Access. The Grant Access to <project> dialog opens.
5. Under the Add Principals section, in the New principals field, enter the user email address.
6. Under the Assign Roles section, in the Select a role menu, select the Google Security Operations API Editor role.
7. Click Save in the Grant Access to <project> dialog.
8. Open the IAM > Permissions page to verify the user was granted the correct role.

Assign the role using the Google Cloud CLI

The following example command demonstrates how to grant a user the chronicle.editor role.

gcloud projects add-iam-policy-binding PROJECT_ID  \
--member=principal://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/subject/USER_EMAIL \
--role=roles/chronicle.editor

Replace the following:

• PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of fields that identify a project.
• WORKFORCE_POOL_ID: the identifier for the Workforce pool created for your Identity Provider.
• USER_EMAIL: the user's email address.

Example: Create and assign a custom role to a group

If Google Security Operations predefined roles don't provide the group of permissions that meet your organization's use case, you can create a custom role and assign Google Security Operations permissions to that custom role. You assign the custom role to a user or group. For more information about IAM custom roles, see Create and manage custom roles.

The following steps let you create a custom role called LimitedAdmin.

1. Create a YAML or JSON file that defines the custom role, called LimitedAdmin, and the permissions granted to this role. The following is an example YAML file.

   title: "LimitedAdmin"
   description: "Admin role with some permissions removed"
   stage: "ALPHA"
   includedPermissions:
   - chronicle.collectors.create
   - chronicle.collectors.delete
   - chronicle.collectors.get
   - chronicle.collectors.list
   - chronicle.collectors.update
   - chronicle.dashboards.copy
   - chronicle.dashboards.create
   - chronicle.dashboards.delete
   - chronicle.dashboards.get
   - chronicle.dashboards.list
   - chronicle.extensionValidationReports.get
   - chronicle.extensionValidationReports.list
   - chronicle.forwarders.create
   - chronicle.forwarders.delete
   - chronicle.forwarders.generate
   - chronicle.forwarders.get
   - chronicle.forwarders.list
   - chronicle.forwarders.update
   - chronicle.instances.get
   - chronicle.instances.report
   - chronicle.legacies.legacyGetCuratedRulesTrends
   - chronicle.legacies.legacyGetRuleCounts
   - chronicle.legacies.legacyGetRulesTrends
   - chronicle.legacies.legacyUpdateFinding
   - chronicle.logTypeSchemas.list
   - chronicle.multitenantDirectories.get
   - chronicle.operations.cancel
   - chronicle.operations.delete
   - chronicle.operations.get
   - chronicle.operations.list
   - chronicle.operations.wait
   - chronicle.parserExtensions.activate
   - chronicle.parserExtensions.create
   - chronicle.parserExtensions.delete
   - chronicle.parserExtensions.generateKeyValueMappings
   - chronicle.parserExtensions.get
   - chronicle.parserExtensions.legacySubmitParserExtension
   - chronicle.parserExtensions.list
   - chronicle.parserExtensions.removeSyslog
   - chronicle.parsers.activate
   - chronicle.parsers.activateReleaseCandidate
   - chronicle.parsers.copyPrebuiltParser
   - chronicle.parsers.create
   - chronicle.parsers.deactivate
   - chronicle.parsers.delete
   - chronicle.parsers.get
   - chronicle.parsers.list
   - chronicle.parsers.runParser
   - chronicle.parsingErrors.list
   - chronicle.validationErrors.list
   - chronicle.validationReports.get
   - resourcemanager.projects.getIamPolicy
   

2. Create the custom role. The following example gcloud CLI command demonstrates how to create this custom role using the YAML file you created in the previous step.

   gcloud iam roles create ROLE_NAME \
   --project=PROJECT_ID \
   --file=YAML_FILE_NAME
   

   Replace the following:

   • PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of fields that identify a project.
   • YAML_FILE_NAME: the name of the file you created in the previous step.
   • ROLE_NAME: the name of the custom role as defined in the YAML file.

3. Assign the custom role using the Google Cloud CLI

   The following example command demonstrates how to grant a group of users the custom role, limitedAdmin.

   gcloud projects add-iam-policy-binding PROJECT_ID \
   --member=principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/group/GROUP_ID \
   --role=projects/PROJECT_ID/roles/limitedAdmin
   

   Replace the following:

   • PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of fields that identify a project.
   • WORKFORCE_POOL_ID: the identifier for the Workforce pool created for your identity provider.

   • GROUP_ID: the group identifier created in workforce identity federation. See Represent workforce pool users in IAM policies for information about the group identifier created in workforce identity federation. See Represent workforce pool users in IAM policies for information about the GROUP_ID.

     GROUP_ID.

Verify audit logging

User actions in Google Security Operations and requests to the Google Security Operations API are recorded as Cloud Audit Logs. To verify that logs are being written, perform the following steps:

1. Sign in to Google Security Operations as a user with privileges to access any feature. See Sign in to Google Security Operations for more information.
2. Perform an action, such as perform a Search.
3. In Google Cloud console, use the Logs Explorer to view the audit logs in the Google Security Operations-bound Cloud project. Google Security Operations audit logs have the following service name chronicle.googleapis.com.

For more information about how to view Cloud Audit Logs, see Google Security Operations audit logging information.

The following is an example log written when the user alice@example.com viewed the list of parser extensions in Google Security Operations.

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "alice@example.com"
    },
    "requestMetadata": {
      "callerIp": "private",
      "callerSuppliedUserAgent": "abc_client",
      "requestAttributes": {
        "time": "2023-03-27T21:09:43.897772385Z",
        "reason": "8uSywAYeWhxBRiBhdXRoIFVwVGljay0-REFUIGV4Y2abcdef",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "chronicle.googleapis.com",
    "methodName": "google.cloud.chronicle.v1main.ParserService.ListParserExtensions",
    "authorizationInfo": [
      {
        "resource": "projects/100000000000/locations/us/instances/aaaa0aa0-000A-00a0-0000-0000a0aa0a1/logTypes/-",
        "permission": "chronicle.parserExtensions.list",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/100000000000/locations/us/instances/aaaa0aa0-000A-00a0-0000-0000a0aa0a1/logTypes/-",
    "numResponseItems": "12",
    "request": {
      "@type": "type.googleapis.com/google.cloud.chronicle.v1main.ListParserExtensionsRequest",
      "parent": "projects/100000000000/locations/us/instances/aaaa0aa0-000A-00a0-0000-0000a0aa0a1/logTypes/-"
    },
    "response": {
      "@type": "type.googleapis.com/google.cloud.chronicle.v1main.ListParserExtensionsResponse"
    }
  },
  "insertId": "1h0b0e0a0",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "project_id": "dev-sys-server001",
      "method": "google.cloud.chronicle.v1main.ParserService.ListParserExtensions",
      "service": "chronicle.googleapis.com"
    }
  },
  "timestamp": "2023-03-27T21:09:43.744940164Z",
  "severity": "INFO",
  "logName": "projects/dev-sys-server001/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2023-03-27T21:09:44.863100753Z"
}

Migrate Google Security Operations to IAM for feature access control

Use information in these sections to migrate an existing Google Security Operations SIEM instance from the previous Google Security Operations role-based access control feature (Google Security Operations RBAC) to IAM. After you migrate to IAM, you can also audit activity on the Google Security Operations instance using Cloud Audit Logs.

Differences between Google Security Operations RBAC and IAM

Although IAM predefined role names are similar to the Google Security Operations RBAC groups, the IAM predefined roles don't provide identical feature access as Google Security Operations RBAC groups. The permissions assigned to each predefined IAM role are slightly different. For more information, see How IAM permissions map to each Google Security Operations RBAC role.

You can use Google Security Operations predefined roles as is, change the permissions defined in each predefined role, or create custom roles and assign a different set of permissions.

After you migrate the Google Security Operations instance, you manage roles, permissions, and IAM policies using IAM in Google Cloud console. The following Google Security Operations application pages are modified to direct users to Google Cloud console:

• Users & Groups
• Roles

In Google Security Operations RBAC, each permission is described by the feature name and an action. IAM permissions are described by the resource name and method. The following table illustrates the difference with two examples, one related to Dashboards and the second related to Feeds.

• Dashboard example: To control access to Dashboards, Google Security Operations RBAC provides five actions that you can perform on dashboards. IAM provides similar permissions with one additional, dashboards.list, that lets a user list available dashboards.

• Feeds example: To control access to Feeds, Google Security Operations RBAC provides seven actions that you can enable or disable. With IAM there are four: feeds.delete, feeds.create, feeds.update, and feeds.view.

Feature	Permission in Google Security Operations RBAC	IAM permission	Description of user action
Dashboards	Edit	chronicle.dashboards.edit	Edit dashboards
Dashboards	Copy	chronicle.dashboards.copy	Copy dashboards
Dashboards	Create	chronicle.dashboards.create	Create dashboards
Dashboards	Schedule	chronicle.dashboards.schedule	Schedule reports
Dashboards	Delete	chronicle.dashboards.delete	Delete reports
Dashboards	None. This is available in IAM only.	chronicle.dashboards.list	List available dashboards
Feeds	DeleteFeed	chronicle.feeds.delete	Delete a feed.
Feeds	CreateFeed	chronicle.feeds.create	Create a feed.
Feeds	UpdateFeed	chronicle.feeds.update	Update a feed.
Feeds	EnableFeed	chronicle.feeds.update	Update a feed.
Feeds	DisableFeed	chronicle.feeds.update	Update a feed.
Feeds	ListFeeds	chronicle.feeds.view	Return one or more feeds.
Feeds	GetFeed	chronicle.feeds.view	Return one or more feeds.

Steps to migrate an existing Google Security Operations instance

To enable IAM on your existing Google Security Operations instance, perform the following steps:

1. Contact your Google Security Operations representative and let them know you'd like to migrate your existing RBAC configuration to IAM. Provide your Google Security Operations representative with the following information:
   • The Project ID bound to the Google Security Operations instance. You defined this when you created this when you bound Google Security Operations to Google Cloud project.
   • Frontend path, which is part of your Google Security Operations URL.
   • The Workforce pool ID. You defined this when you configured workforce identity federation.
2. Your Google Security Operations representative will send you a file containing gcloud CLI commands. You will run these commands to migrate your existing access control policies to equivalent IAM policies.
3. Open the Google Cloud console as a user with the iam.workforcePoolAdmin role and Project Editor permissions and access the Google Security Operations-bound project. You identified or created this user when you Integrated Google Security Operations with a third-party identity provider.
4. Launch a Cloud Shell session.
5. Run the commands provided by the Google Security Operations representative to migrate your existing configuration to IAM. This creates a new IAM policy equivalent to your Google Security Operations RBAC access control configuration.
6. After you execute all commands, confirm that the IAM policies were migrated correctly in the IAM > Permissions page.
7. When you're comfortable with your IAM policies, contact your Google Security Operations representative and let them know the IAM policies have been migrated.
8. Your Google Security Operations representative will perform steps to enable IAM on your Google Security Operations instance and will contact you when this is complete.
9. Verify that you can access Google Security Operations as a user with the Google Security Operations API Admin role.
   1. Sign in to Google Security Operations as a user with the Google Security Operations API Admin predefined role. See Sign in to Google Security Operations for more information.
   2. Open the Application menu > Settings > Users & Groups page. You should see the message: *To manage users and groups, go to Identity Access Management (IAM) in the Google Cloud console. Learn more about managing users and groups*.
10. Verify the permissions for other user roles.
    1. Sign in to the Google Security Operations as a user with a different role. See Sign in to Google Security Operations for more information.
    2. Verify that available features in the application match the permissions defined in IAM.

How IAM permissions map to each Google Security Operations RBAC role

The following section summarizes each Google Security Operations predefined role in IAM and the permissions bound to each role. It also identifies which Google Security Operations RBAC role and action it is similar to.

Chronicle API Limited Viewer

This role grants read-only access to the Google Security Operations application and API resources, excluding detection engine rules and retrohunts. The role name is chronicle.limitedViewer.

The following permissions are available in the Google Security Operations API Limited Viewer predefined role in IAM.

IAM Permission	Equivalent permission mapped to to the following Google Security Operations RBAC role
chronicle.instances.get	This is available in IAM only.
chronicle.dashboards.get	This is available in IAM only.
chronicle.dashboards.list	This is available in IAM only.
chronicle.multitenantDirectories.get	This is available in IAM only.
chronicle.logs.list	This is available in IAM only.

Chronicle API Viewer

This role provides read-only access to the Google Security Operations application and API resources. The role name is chronicle.viewer.

The following permissions are available in the Google Security Operations API Viewer predefined role in IAM.

Chronicle API Editor

This role enables users to modify access to Google Security Operations application and API resources. The role name is chronicle.editor.

The following permissions are available in the Google Security Operations API Editor predefined role in IAM.

Chronicle API Admin

This role provides full access to the Google Security Operations application and API services, including global settings. The role name is chronicle.admin.

The following permissions are available in the Google Security Operations API Admin predefined role in IAM.