Configure a Google Cloud identity provider

Supported in: Google SecOps SIEM

You can use Cloud Identity, Google Workspace, or a third-party identity provider (such as Okta or Azure AD) to manage users, groups, and authentication.
This page describes how to use Cloud Identity or Google Workspace.
When you use Cloud Identity or Google Workspace, you create managed user accounts to control access to Google Cloud resources and to Google SecOps.
You create IAM policies that define which users and groups have access to Google SecOps features. These IAM policies are defined using the predefined roles and permissions provided by Google SecOps, or custom roles that you create.
As part of linking a Google SecOps instance to Google Cloud services, you configure a connection to a Google Cloud IdP. The Google SecOps instance integrates directly with Cloud Identity or Google Workspace to authenticate users and enforces access control based on the IAM policies you configured.
For details on creating Cloud Identity or Google Workspace accounts, see Identities for users.
Grant a role to enable sign-in to Google SecOps
The following steps describe how to grant a specific role using IAM so that a user can sign in to Google SecOps. Perform the configuration in the Google SecOps-bound Google Cloud project you created earlier.
1. Grant the Chronicle API Viewer (roles/chronicle.viewer) role to the users or groups that should have access to the Google Security Operations application.

Note: The following examples use the gcloud command. To use the Google Cloud console, see Grant a single role.

Important: The following examples don't configure authorization to Google SecOps features. That is done separately using IAM for feature access control.

The following example grants the Chronicle API Viewer role to a specific group:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --role roles/chronicle.viewer \
        --member "group:GROUP_EMAIL"

Replace the following:

- PROJECT_ID: the project ID of the Google Security Operations-bound project you configured in Configure a Google Cloud project for Google Security Operations. See Creating and managing projects for a description of the fields that identify a project.
- GROUP_EMAIL: the email alias of the group, such as analyst-t1@example.com.

To grant the Chronicle API Viewer role to a specific user, run the following command:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --role roles/chronicle.viewer \
        --member "user:USER_EMAIL"

Replace USER_EMAIL with the user's email address, such as alice@example.com. The user: prefix is the IAM principal identifier for a Google Account (a Cloud Identity or Google Workspace user), and group: identifies a group; principal:// and principalSet:// identifiers refer to federated identities (for example workforce identity pools) and are not used with Cloud Identity or Google Workspace accounts.

For examples of how to grant roles to other principal types, such as a domain, see the gcloud projects add-iam-policy-binding and Principal identifiers reference documentation.

2. Configure additional IAM policies to meet your organization's access and security requirements.

Note: Custom IAM role mappings aren't supported for the SOAR side of the Google SecOps platform.

What's next

After completing the steps in this document, perform the following:

- Link a Google Security Operations instance to Google Cloud services.
- If you have not yet set up audit logging, continue with enabling Google Security Operations audit logging.
- If you are configuring the Google Security Operations platform, perform the additional steps in Provision, authenticate, and map users in Google Security Operations.
- To configure access to features, perform the additional steps in Configure feature access control using IAM and Google Security Operations permissions in IAM.

Need more help? Get answers from Community members and Google SecOps professionals: https://security.googlecloudcommunity.com/google-security-operations-2

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-09-04 (UTC).
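As an added example (not code from the Google SecOps documentation), the following Python script builds the principal identifiers and the gcloud command line from step 1 of the procedure above, then audits an exported IAM policy for the least-privilege problems that step 2 leaves to you: Chronicle roles granted to allUsers or allAuthenticatedUsers, to a whole domain, or to individual users rather than groups, and bindings that carry an IAM condition. It assumes the JSON shape returned by gcloud projects get-iam-policy PROJECT_ID --format=json; the function names, the project ID and the sample policy are constructed for this example.

```python
"""Build Google SecOps sign-in bindings and audit an exported IAM policy.

Added example; not code from the Google SecOps documentation. It assumes
the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID
--format=json` (a "bindings" list of {"role", "members", optional
"condition"}). Helper names, project ID and the sample policy are constructed.
"""
import json
import re
import shlex

SIGNIN_ROLE = "roles/chronicle.viewer"  # Chronicle API Viewer: required to sign in
PUBLIC = ("allUsers", "allAuthenticatedUsers")

# IAM principal prefixes for the Google Account types this page covers.
PREFIX = {"user": "user:", "group": "group:", "serviceAccount": "serviceAccount:"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def member_id(kind, email):
    """Return the principal identifier gcloud expects, e.g. 'group:analyst-t1@example.com'.

    Rejects unknown kinds (such as 'principal', which is not a Google Account
    prefix) and malformed addresses, so a typo fails here instead of landing
    as a dangling binding in the project policy.
    """
    if kind not in PREFIX:
        raise ValueError(f"unsupported principal kind: {kind!r}")
    if not EMAIL_RE.match(email):
        raise ValueError(f"not an email address: {email!r}")
    return PREFIX[kind] + email


def grant_command(project_id, kind, email, role=SIGNIN_ROLE):
    """Return the add-iam-policy-binding command line as an argv list."""
    return ["gcloud", "projects", "add-iam-policy-binding", project_id,
            "--role", role, "--member", member_id(kind, email)]


def audit_chronicle_bindings(policy):
    """Report on every roles/chronicle.* binding in an exported IAM policy.

    Returns a dict with:
      members      {role: sorted members} for each Chronicle role
      public       (role, member) pairs granted to allUsers/allAuthenticatedUsers
      domain_wide  (role, member) pairs granted to a whole domain:
      direct_users (role, member) pairs granted to a user: instead of a group
      conditional  roles whose binding carries an IAM condition (review it)
      has_signin   True if some non-public principal holds SIGNIN_ROLE
    """
    report = {"members": {}, "public": [], "domain_wide": [],
              "direct_users": [], "conditional": [], "has_signin": False}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith("roles/chronicle."):
            continue
        members = sorted(binding.get("members", []))
        report["members"].setdefault(role, []).extend(members)
        if "condition" in binding:
            report["conditional"].append(role)
        for m in members:
            if m in PUBLIC:
                report["public"].append((role, m))
            elif m.startswith("domain:"):
                report["domain_wide"].append((role, m))
            elif m.startswith("user:"):
                report["direct_users"].append((role, m))
            if role == SIGNIN_ROLE and m not in PUBLIC:
                report["has_signin"] = True
    return report


# Constructed sample policy in the get-iam-policy --format=json shape.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/chronicle.viewer",
     "members": ["user:alice@example.com", "group:analyst-t1@example.com"]},
    {"role": "roles/chronicle.editor",
     "members": ["allAuthenticatedUsers"],
     "condition": {"title": "temp", "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwYconstructedEtag=",
  "version": 3
}
""")


if __name__ == "__main__":
    print(shlex.join(grant_command("my-secops-project", "group", "analyst-t1@example.com")))
    r = audit_chronicle_bindings(SAMPLE_POLICY)
    for role, m in r["public"]:
        print(f"FAIL {role} -> {m}: every Google account can reach Google SecOps")
    for role, m in r["domain_wide"]:
        print(f"WARN {role} -> {m}: whole domain granted; prefer a group")
    for role, m in r["direct_users"]:
        print(f"INFO {role} -> {m}: direct user grant; prefer a group")
    for role in r["conditional"]:
        print(f"INFO {role}: binding has an IAM condition; review its expression")
    print("sign-in role present:", r["has_signin"])
```

To run the audit against a real project, export the policy with gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json and pass json.load(open("policy.json")) to audit_chronicle_bindings. Anything listed under public should be removed with gcloud projects remove-iam-policy-binding before users are invited: allAuthenticatedUsers means any Google Account, not only the accounts in your Cloud Identity or Google Workspace domain. Granting sign-in to a group rather than to individual users keeps the binding stable as analysts join and leave.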