Configure data RBAC for users

This page describes how data role-based access control (data RBAC) administrators can configure data RBAC within Google Security Operations. Through the creation and assignment of data scopes, which are defined by labels, you can ensure that data is only accessible to authorized users.

Data RBAC relies on IAM concepts including predefined roles, custom roles, and IAM conditions.

The following is a high-level overview of the configuration process:

1. Plan your implementation: identify the different types of data you want to restrict user access to. Identify the different roles within your organization and determine the data access requirements for each role.

2. Optional: Create custom labels: create custom labels (in addition to the default labels) to categorize your data.

3. Create data scopes: define scopes by combining relevant labels.

4. Assign scopes to users: assign scopes to user roles in IAM based on their responsibilities.

Before you begin

• To understand the core concepts of data RBAC, different access types, and the corresponding user roles, the working of labels and scopes, and the impact of data RBAC on Google SecOps features, see Overview of Data RBAC.

• Onboard your Google SecOps instance. For more information, see Onboarding or migrating a Google Security Operations instance.

• Make sure that you have the required roles.

Create and manage custom labels

Custom labels are metadata that you can add to the SIEM ingested Google SecOps data to categorize and organize it based on UDM-normalized values.

For example, consider you want to monitor network activity. You want to track Dynamic Host Configuration Protocol (DHCP) events from a specific IP address (10.0.0.1) that you suspect might be compromised.

To filter and identify these specific events, you can create a custom label with the name Suspicious DHCP Activity with the following definition:

metadata.event\_type = "NETWORK\_DHCP" AND principal.ip = "10.0.0.1"

The custom label works in the following manner:

Google SecOps continuously ingests network logs and events into its UDM. When a DHCP event is ingested, Google SecOps checks if it matches the criteria of the custom label. If the metadata.event\_type field is NETWORK\_DHCP and if the principal.ip field (the IP address of the device requesting the DHCP lease) is 10.0.0.1, Google SecOps applies the custom label to the event.

You can use the Suspicious DHCP Activity label to create a scope and assign the scope to the relevant users. The scope assignment lets you restrict access to these events to specific users or roles within your organization.

Label requirements and limitations

• Label names must be unique and can have a maximum length of 63 characters. They can contain only lowercase letters, numeric characters, and hyphens. They cannot be reused after deletion.
• Labels cannot use reference lists.
• Labels cannot use enrichment fields.

Create custom label

To create a custom label, do the following:

1. Log in to Google SecOps.

2. Click Settings > SIEM Settings > Data Access.

3. On the Custom labels tab, click Create custom label.

4. In the UDM Search window, type your query and click Run Search.

   You can refine the query and click Run Search until the results display the data that you want to label. For more information about running a query, see Enter a UDM Search.

5. Click Create label.

6. On the Create label window, select Save as new label, and enter the label name and description.

7. Click Create label.

   A new custom label is created. During data ingestion, this label is applied to data that matches the UDM query. The label is not applied to data that is already ingested.

Modify custom label

You can only modify the label description and the query associated with a label. Label names cannot be updated. When you modify a custom label, the changes are applied only to new data and not to the data that is already ingested.

To modify a label, do the following:

1. Log in to Google SecOps.

2. Click Settings > SIEM Settings > Data Access.

3. On the Custom labels tab, click more_vert Menu against the label that you want to edit and select Edit.

4. In the UDM Search window, update your query and click Run Search.

   You can refine the query and click Run Search until the results display the data that you want to label. For more information about running a query, see Enter a UDM Search.

5. Click Save changes.

The custom label is modified.

Delete custom label

Deleting a label prevents new data from being associated with it. Data that is already associated with the label remains associated with the label. After deletion, you can't recover the custom label or reuse the label name to create new labels.

1. Click Settings > SIEM Settings > Data Access.

2. In the Custom labels tab, click the more_vert Menu for the label that you want to delete and select Delete.

3. Click Delete.

4. On the confirmation window, click Confirm.

The custom label is deleted.

View custom label

To view a custom label details, do the following:

1. Click Settings > SIEM Settings > Data Access.

2. In the Custom labels tab, click more_vert Menu against the label that you want to edit and select View.

   The label details are displayed.

Create and manage scopes

You can create and manage data scopes within the Google SecOps user interface, and then assign those scopes to users or groups through IAM. You can create a scope by applying labels that define the data that a user with the scope has access to.

Create scopes

To create a scope, do the following:

1. Log in to Google SecOps.

2. Click Settings > SIEM Settings > Data Access.

3. On the Scopes tab, click Create scope.

4. In the Create new scope window, do the following:

   1. Enter Scope name and Description.

   2. In Define scope access with labels > Allow access, do the following:

      • To select the labels and their corresponding values that you want to grant users the access to, click Allow certain labels.

        In a scope definition, labels of the same type (for example, log type) are combined using the OR operator, while labels of different types (for example, log type and namespace) are combined using the AND operator. For more information about how labels define data access in scopes, see Data visibility with allow and deny labels.

      • To give access to all data, select Allow access to everything.

   3. To exclude access to some labels, select Exclude certain labels, then select the label type and the corresponding values that you want to deny users the access to.

      When multiple deny access labels are applied within a scope, access is denied if they match any of those labels.

   4. Click Test scope to verify how the labels are applied to the scope.

   5. In the UDM Search window, type your query and click Run Search.

      You can refine the query and click Run Search until the results display the data that you want to label. For more information about running a query, see Enter a UDM Search.

   6. Click Create scope.

   7. In the Create scope window, confirm the scope name and description and click Create scope.

The scope is created. You must assign the scope to users to give them access to the data in the scope.

Modify scope

You can only modify scope description and the associated labels. Scope names cannot be updated. After you update a scope, the users associated with the scope are restricted as per the new labels. The rules that are bound to the scope are not re-matched against the updated one.

To modify a scope, do the following:

1. Log in to Google SecOps.

2. Click Settings > SIEM Settings > Data Access.

3. On the Scopes tab, click more_vert Menu corresponding to the scope that you want to edit and select Edit.

4. Click edit Edit to edit the scope description.

5. In the Define scope access with labels section, update the labels and their corresponding values as required.

6. Click Test scope to verify how the new labels are applied to the scope.

7. In the UDM Search window, type your query and click Run Search.

   You can refine the query and click Run Search until the results display the data that you want to label. For more information about running a query, see Enter a UDM Search.

8. Click Save changes.

The scope is modified.

Delete scope

When a scope is deleted, users don't have access to the data associated with the scope. After deletion, the scope name cannot be reused to create new scopes.

To delete a scope, do the following:

1. Log in to Google SecOps.

2. Click Settings > SIEM Settings > Data Access.

3. On the Scopes tab, click more_vert Menu against the scope that you want to delete.

4. Click Delete.

5. In the confirmation window, click Confirm.

The scope is deleted.

View scope

To view scope details, do the following:

1. Log in to Google SecOps.

2. Click Settings > Data Access.

3. In the Scopes tab, click more_vert Menu against the scope that you want to view and select View.

The scope details are displayed.

Assign scope to users

Scope assignment is required for controlling data access for users with restricted permissions. Assigning specific scopes to users determines the data that they can view and interact with. When a user is assigned multiple scopes, they gain access to the combined data from all those scopes. You can assign the appropriate scopes to users who require global access so that the users can view and interact with all the data. To assign scopes to a user, do the following:

1. In the Google Cloud console, go to the IAM page.

   Go to IAM

2. Select the project that is bound to Google SecOps.

3. Click person_add Grant access.

4. In the New principals field, add your principal identifier as follows:

   principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/USER_EMAIL_ADDRESS

5. In the Assign roles > Select a role menu, select the required role. Click Add another role to add multiple roles. To understand which roles need to be added, see User roles.

6. To assign a scope to the user, add conditions to the Chronicle Restricted Data Access role that is assigned to the user (does not apply to global access roles).

   1. Click Add IAM condition against the Chronicle Restricted Data Access role. The Add condition window appears.

   2. Enter the condition title and the optional description.

   3. Add the condition expression.

      You can add a condition expression using either the Condition builder or the Condition editor.

      The condition builder provides an interactive interface to select the condition type, operator, and other applicable details about the expression. Add the conditions as per your requirement using the OR operators. To add scopes to the role, we recommend the following:

      1. Select Name in Condition type, Ends with in Operator, and type /<scopename> in Value.

      2. To assign multiple scopes, add more conditions using the OR operator. You can add up to 12 conditions for each role binding. To add more than 12 conditions, create multiple role bindings and add up to 12 conditions to each of these bindings.

      For more information about conditions, see Overview of IAM conditions.

   4. Click Save.

   The condition editor provides a text-based interface to manually enter an expression using CEL syntax.

   1. Enter the following expression:

      (scope-name: resource.name.endsWith(/SCOPENAME1) || resource.name.endsWith(/SCOPENAME2) || … || resource.name.endsWith(/SCOPENAME))

   2. Click Run Linter to validate the CEL syntax.

   3. Click Save.

      Note: Conditional role bindings don't override role bindings with no conditions. If a principal is bound to a role, and the role binding does not have a condition, then the principal always has that role. Adding the principal to a conditional binding for the same role has no effect.

7. Click Test changes to see how your changes affect the user access to the data.

8. Click Save.

The users can now access the data that is associated with the scopes.