Configure feature access control using IAM
Google Security Operations integrates with Google Cloud Identity and Access Management (IAM) to provide Google Security Operations-specific permissions and predefined roles. Google Security Operations administrators can control access to Google Security Operations features by creating IAM policies that bind users or groups to predefined roles or to IAM custom roles. This feature does not control access to specific UDM records or fields in a UDM record.
This document describes how Google Security Operations integrates with IAM, describes the differences from the Google Security Operations RBAC feature, provides steps to migrate a Google Security Operations instance to IAM, provides examples of how to assign permissions using IAM, and summarizes the permissions and predefined roles available in IAM.
For a detailed description of the permissions used to configure authorization in Google Security Operations and the audit logs they produce, see Permissions and API methods by resource group.
Some Google Security Operations instances may be in the process of migrating from the original feature RBAC implementation. In this document, the name Google Security Operations RBAC is used when referring to the previously available feature-based role-based access control that is configured using Google Security Operations, and not IAM. IAM is used to describe feature-based role-based access control that you configure using IAM.
Each Google Security Operations permission is associated with a Google Security Operations API resource and method. When a user or group is granted a permission, the user can access the feature in Google Security Operations and send a request using the related API method.
How Google Security Operations integrates with IAM
To use IAM, Google Security Operations must be bound to a Google Cloud project and must be configured with Google Cloud workforce identity federation as an intermediary in the authentication flow. For information about the authentication flow, see Integrate Google Security Operations with a third-party identity provider.
Google Security Operations performs the following steps to verify and control access to features:
- After logging on to Google Security Operations, a user accesses a Google Security Operations application page. Alternatively, the user may send an API request to Google Security Operations.
- Google Security Operations verifies the permissions granted in the IAM policies defined for that user.
- IAM returns the authorization information. If the user accessed an application page, Google Security Operations enables access to only those features that the user has been granted access to.
- If the user sent an API request, and does not have permission to perform the requested action, the API response includes an error. Otherwise, a standard response is returned.
Google Security Operations provides a set of predefined roles, each with a defined set of permissions that control whether a user can access a feature. A single IAM policy controls access to the feature both through the web interface and through the API.
Google Security Operations administrators create groups in their identity provider, configure the SAML application to pass group membership information in the assertion, and then associate users and groups to Google Security Operations predefined roles in IAM or to custom roles that they created.
If there are other Google Cloud services in the Google Cloud project bound to Google Security Operations, and you want to limit a user with the Project IAM Admin role to modifying only the Google Security Operations resources, make sure to add IAM conditions to the allow policy. See Assign roles to users and groups for an example of how to do this.
Administrators tailor access to Google Security Operations features based on an employee's role in your organization.
Before you begin
- Make sure that you are familiar with Cloud Shell, the gcloud CLI, and the Google Cloud console.
- Familiarize yourself with IAM, including the following concepts:
  - Overview of IAM.
  - Overview of roles and permissions, predefined roles versus custom roles, and creating custom roles.
  - IAM conditions.
- Perform all steps in Bind Google Security Operations to a Google Cloud project to set up a project that binds to Google Security Operations.
- Perform all steps in Integrate Google Security Operations with a third-party identity provider to set up authentication through a third-party identity provider (IdP).
- After binding a project to your Google Security Operations instance and configuring the instance with workforce identity federation, make sure that your Google Security Operations instance is performing as expected. See Verify or configure Google Security Operations feature access control.
Plan your implementation
You create IAM policies that support your organization's deployment requirements. You can use either Google Security Operations predefined roles or custom roles that you create.
Review the list of Google Security Operations predefined roles and permissions against your organization requirements. Identify which members of your organization should have access to each Google Security Operations feature. If your organization requires IAM policies that differ from the predefined Google Security Operations roles, create custom roles to support these requirements. For information about IAM custom roles, see Create and manage custom roles.
Summary of Google Security Operations roles and permissions
The following sections provide a high-level summary of Google Security Operations roles and permissions.
For information about Google Security Operations API methods and permissions, the UI pages where permissions are used, and information recorded in Cloud Audit Logs when the API is called, see Chronicle permissions in IAM.
The most current list of Google Security Operations permissions is in the IAM permissions reference. Under the Search for a permission section, search for the term chronicle.
The most current list of predefined Google SecOps roles is in the IAM basic and predefined roles reference. Under the Predefined roles section, either select the Chronicle API roles service or search for the term chronicle.
Google Security Operations predefined roles in IAM
Google Security Operations provides the following predefined roles as they appear in IAM.
Predefined role in IAM | Title | Description |
---|---|---|
roles/chronicle.admin | Google Security Operations API Admin | Full access to Google Security Operations application and API services, including global settings. |
roles/chronicle.editor | Google Security Operations API Editor | Modify access to Google Security Operations application and API resources. |
roles/chronicle.viewer | Google Security Operations API Viewer | Read-only access to Google Security Operations application and API resources. |
roles/chronicle.limitedViewer | Google Security Operations API Limited Viewer | Grants read-only access to Google Security Operations application and API resources, excluding detection engine rules and retrohunts. |
Google Security Operations permissions in IAM
Google Security Operations permissions correspond one-to-one with Google Security Operations API methods. Each Google Security Operations permission enables a specific action on a specific Google Security Operations feature when using the web application or the API. Google Security Operations APIs used with IAM are in the Alpha launch stage.
Google Security Operations permission names follow the format SERVICE.FEATURE.ACTION. For example, the permission name chronicle.dashboards.edit consists of the following:
- chronicle: the Google Security Operations API service name.
- dashboards: the feature name.
- edit: the action that can be performed on the feature.
The permission name describes the action you can perform on the feature in Google Security Operations. All Google Security Operations permissions have the chronicle service name.
Assign roles to users and groups
The following sections provide example use cases for creating IAM policies. The term <project> is used to represent the project ID of the project that you bound to Google Security Operations.
After you enable the Chronicle API, the Google Security Operations predefined roles and permissions are available in IAM and you can create policies to support organization requirements.
If you have a newly created Google Security Operations instance, begin creating IAM policies to meet organization requirements.
If this is an existing Google Security Operations instance, see Migrate Google Security Operations to IAM for feature access control for information about migrating the instance to IAM.
Example: Assign the Project IAM Admin role in a dedicated project
In this example, the project is dedicated to your Google Security Operations instance. You grant the Project IAM Admin role to a user so they can grant and modify the project's IAM role bindings. The user can administer all Google Security Operations roles and permissions in the project and perform tasks granted by the Project IAM Admin role.
Assign the role using Google Cloud console
The following steps describe how to grant a role to a user using Google Cloud console.
- Open Google Cloud console.
- Select the project that is bound to Google Security Operations.
- Select IAM & Admin.
- Select Grant Access. The Grant Access to <project> dialog appears.
- Under the Add Principals section, enter the user email address in the New principals field.
- Under the Assign Roles section, in the Select a role menu, select the Project IAM Admin role.
- Click Save.
- Open the IAM > Permissions page to verify the user was granted the correct role.
Assign the role using the Google Cloud CLI
The following example command demonstrates how to grant a user the chronicle.admin role.
```sh
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=principal://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/subject/USER_EMAIL \
  --role=roles/chronicle.admin
```
Replace the following:
- PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of the fields that identify a project.
- WORKFORCE_POOL_ID: the identifier for the workforce pool created for your identity provider.
- USER_EMAIL: the user's email address.
Example: Assign the Project IAM Admin role in a shared project
In this example, the project is used for multiple applications. It is bound to a Google Security Operations instance and also runs services that are not related to Google Security Operations, for example a Compute Engine resource used for another purpose.
In this case, you can grant the Project IAM Admin role to a user so they can grant and modify the project's IAM role bindings and configure Google Security Operations. You also add IAM conditions to the role binding to limit their access to only Google Security Operations-related roles in the project. This user can only grant the roles specified in the IAM condition.
For more information about IAM conditions, see Overview of IAM Conditions and Manage conditional role bindings.
Assign the role using Google Cloud console
The following steps describe how to grant a role to a user using Google Cloud console.
- Open Google Cloud console.
- Select the project that is bound to Google Security Operations.
- Select IAM & Admin.
- Select Grant Access. The Grant Access to <project> dialog appears.
- In the Grant Access to <project> dialog, under the Add Principals section, enter the user email address in the New Principals field.
- Under the Assign Roles section, in the Select a role menu, select the Project IAM Admin role.
- Click + Add IAM Condition. In the Add condition dialog, enter the following information:
  - Enter a Title for the condition.
  - Select the Condition Editor.
  - Enter the following condition (the attribute name and role names are string literals, so they must be quoted):
  api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/chronicle.googleapis.com/limitedViewer', 'roles/chronicle.googleapis.com/viewer', 'roles/chronicle.googleapis.com/editor', 'roles/chronicle.googleapis.com/admin'])
  - Click Save in the Add condition dialog.
- Click Save in the Grant Access to <project> dialog.
- Open the IAM > Permissions page to verify the user was granted the correct role.
Assign the role using the Google Cloud CLI
The following example command demonstrates how to grant a user the chronicle.admin role and apply an IAM condition. The ^:^ prefix tells gcloud to split the --condition value on colons instead of commas, because the condition expression itself contains commas.
```sh
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=principal://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/subject/USER_EMAIL \
  --role=roles/chronicle.admin \
  --condition=^:^'expression=api.getAttribute("iam.googleapis.com/modifiedGrantsByRole", []).hasOnly(["roles/chronicle.googleapis.com/limitedViewer", "roles/chronicle.googleapis.com/viewer", "roles/chronicle.googleapis.com/editor", "roles/chronicle.googleapis.com/admin"])':'title=Chronicle Role Admin'
```
Replace the following:
- PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of the fields that identify a project.
- WORKFORCE_POOL_ID: the identifier for the workforce pool created for your identity provider.
- USER_EMAIL: the user's email address.
Example: Assign the Chronicle API Editor role to a user
In this situation, you want to give a user the ability to modify Google Security Operations application and API resources.
Assign the role using Google Cloud console
- Open Google Cloud console.
- Select the project that is bound to Google Security Operations.
- Select IAM & Admin.
- Select Grant Access. The Grant Access to <project> dialog opens.
- Under the Add Principals section, in the New principals field, enter the user email address.
- Under the Assign Roles section, in the Select a role menu, select the Google Security Operations API Editor role.
- Click Save in the Grant Access to <project> dialog.
- Open the IAM > Permissions page to verify the user was granted the correct role.
Assign the role using the Google Cloud CLI
The following example command demonstrates how to grant a user the chronicle.editor role.
```sh
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=principal://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/subject/USER_EMAIL \
  --role=roles/chronicle.editor
```
Replace the following:
- PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of the fields that identify a project.
- WORKFORCE_POOL_ID: the identifier for the workforce pool created for your identity provider.
- USER_EMAIL: the user's email address.
Example: Create and assign a custom role to a group
If Google Security Operations predefined roles don't provide the group of permissions that meet your organization's use case, you can create a custom role and assign Google Security Operations permissions to that custom role. You assign the custom role to a user or group. For more information about IAM custom roles, see Create and manage custom roles.
The following steps let you create a custom role called LimitedAdmin.
- Create a YAML or JSON file that defines the custom role, called LimitedAdmin, and the permissions granted to this role. The following is an example YAML file.
```yaml
title: "LimitedAdmin"
description: "Admin role with some permissions removed"
stage: "ALPHA"
includedPermissions:
- chronicle.collectors.create
- chronicle.collectors.delete
- chronicle.collectors.get
- chronicle.collectors.list
- chronicle.collectors.update
- chronicle.dashboards.copy
- chronicle.dashboards.create
- chronicle.dashboards.delete
- chronicle.dashboards.get
- chronicle.dashboards.list
- chronicle.extensionValidationReports.get
- chronicle.extensionValidationReports.list
- chronicle.forwarders.create
- chronicle.forwarders.delete
- chronicle.forwarders.generate
- chronicle.forwarders.get
- chronicle.forwarders.list
- chronicle.forwarders.update
- chronicle.instances.get
- chronicle.instances.report
- chronicle.legacies.legacyGetCuratedRulesTrends
- chronicle.legacies.legacyGetRuleCounts
- chronicle.legacies.legacyGetRulesTrends
- chronicle.legacies.legacyUpdateFinding
- chronicle.logTypeSchemas.list
- chronicle.multitenantDirectories.get
- chronicle.operations.cancel
- chronicle.operations.delete
- chronicle.operations.get
- chronicle.operations.list
- chronicle.operations.wait
- chronicle.parserExtensions.activate
- chronicle.parserExtensions.create
- chronicle.parserExtensions.delete
- chronicle.parserExtensions.generateKeyValueMappings
- chronicle.parserExtensions.get
- chronicle.parserExtensions.legacySubmitParserExtension
- chronicle.parserExtensions.list
- chronicle.parserExtensions.removeSyslog
- chronicle.parsers.activate
- chronicle.parsers.activateReleaseCandidate
- chronicle.parsers.copyPrebuiltParser
- chronicle.parsers.create
- chronicle.parsers.deactivate
- chronicle.parsers.delete
- chronicle.parsers.get
- chronicle.parsers.list
- chronicle.parsers.runParser
- chronicle.parsingErrors.list
- chronicle.validationErrors.list
- chronicle.validationReports.get
- resourcemanager.projects.getIamPolicy
```
- Create the custom role. The following example gcloud CLI command demonstrates how to create this custom role using the YAML file you created in the previous step.
```sh
gcloud iam roles create ROLE_NAME \
  --project=PROJECT_ID \
  --file=YAML_FILE_NAME
```
Replace the following:
- PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of the fields that identify a project.
- YAML_FILE_NAME: the name of the file you created in the previous step.
- ROLE_NAME: the name of the custom role as defined in the YAML file.
Assign the custom role using the Google Cloud CLI
The following example command demonstrates how to grant a group of users the custom role, limitedAdmin.
```sh
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/group/GROUP_ID \
  --role=projects/PROJECT_ID/roles/limitedAdmin
```
Replace the following:
- PROJECT_ID: the project ID of the Google Security Operations-bound project you created in Binding a Google Security Operations instance to Google Cloud project. See Creating and managing projects for a description of the fields that identify a project.
- WORKFORCE_POOL_ID: the identifier for the workforce pool created for your identity provider.
- GROUP_ID: the group identifier created in workforce identity federation. See Represent workforce pool users in IAM policies for information about the GROUP_ID.
Verify audit logging
User actions in Google Security Operations and requests to the Google Security Operations API are recorded as Cloud Audit Logs. To verify that logs are being written, perform the following steps:
- Sign in to Google Security Operations as a user with privileges to access any feature. See Sign in to Google Security Operations for more information.
- Perform an action, such as running a search.
- In Google Cloud console, use the Logs Explorer to view the audit logs in the Google Security Operations-bound Cloud project. Google Security Operations audit logs have the service name chronicle.googleapis.com.
For more information about how to view Cloud Audit Logs, see Google Security Operations audit logging information.
The following is an example log written when the user alice@example.com viewed the list of parser extensions in Google Security Operations.
```json
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "alice@example.com"
    },
    "requestMetadata": {
      "callerIp": "private",
      "callerSuppliedUserAgent": "abc_client",
      "requestAttributes": {
        "time": "2023-03-27T21:09:43.897772385Z",
        "reason": "8uSywAYeWhxBRiBhdXRoIFVwVGljay0-REFUIGV4Y2abcdef",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "chronicle.googleapis.com",
    "methodName": "google.cloud.chronicle.v1main.ParserService.ListParserExtensions",
    "authorizationInfo": [
      {
        "resource": "projects/100000000000/locations/us/instances/aaaa0aa0-000A-00a0-0000-0000a0aa0a1/logTypes/-",
        "permission": "chronicle.parserExtensions.list",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/100000000000/locations/us/instances/aaaa0aa0-000A-00a0-0000-0000a0aa0a1/logTypes/-",
    "numResponseItems": "12",
    "request": {
      "@type": "type.googleapis.com/google.cloud.chronicle.v1main.ListParserExtensionsRequest",
      "parent": "projects/100000000000/locations/us/instances/aaaa0aa0-000A-00a0-0000-0000a0aa0a1/logTypes/-"
    },
    "response": {
      "@type": "type.googleapis.com/google.cloud.chronicle.v1main.ListParserExtensionsResponse"
    }
  },
  "insertId": "1h0b0e0a0",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "project_id": "dev-sys-server001",
      "method": "google.cloud.chronicle.v1main.ParserService.ListParserExtensions",
      "service": "chronicle.googleapis.com"
    }
  },
  "timestamp": "2023-03-27T21:09:43.744940164Z",
  "severity": "INFO",
  "logName": "projects/dev-sys-server001/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2023-03-27T21:09:44.863100753Z"
}
```
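The following Python script is an added example (not Google's code or part of the product) that triages a batch of such entries: it keeps only chronicle.googleapis.com records, lists the requests IAM denied, and counts which permissions each principal actually exercised. The entries it runs on are constructed to match the structure shown above; the RuleService.UpdateRule method name in the denied entry is made up for illustration, and the function names are this example's own.

```python
"""Triage Google SecOps entries from the Cloud Audit Logs data_access log.

The log entries below are constructed to match the shape of the audit log shown
above (serviceName, methodName, authenticationInfo, authorizationInfo); they are
not real exports. Real entries can be exported from Logs Explorer as
newline-delimited JSON and fed to parse_entries().
"""
import json
from collections import Counter, defaultdict

SECOPS_SERVICE = "chronicle.googleapis.com"

# Constructed sample: the granted ListParserExtensions call from the page, a
# denied rule update (method name constructed for illustration), and an entry
# from another service in the same project that the triage must ignore.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {
        "protoPayload": {
            "serviceName": SECOPS_SERVICE,
            "methodName": "google.cloud.chronicle.v1main.ParserService.ListParserExtensions",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "authorizationInfo": [
                {"permission": "chronicle.parserExtensions.list", "granted": True}
            ],
        },
        "timestamp": "2023-03-27T21:09:43.744940164Z",
    },
    {
        "protoPayload": {
            "serviceName": SECOPS_SERVICE,
            "methodName": "google.cloud.chronicle.v1main.RuleService.UpdateRule",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "authorizationInfo": [
                {"permission": "chronicle.rules.update", "granted": False}
            ],
        },
        "timestamp": "2023-03-27T21:10:01.000000000Z",
    },
    {
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.list",
            "authenticationInfo": {"principalEmail": "carol@example.com"},
            "authorizationInfo": [
                {"permission": "compute.instances.list", "granted": True}
            ],
        },
        "timestamp": "2023-03-27T21:11:00.000000000Z",
    },
])


def parse_entries(ndjson_text):
    """Parse newline-delimited JSON log entries, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def authz_decisions(entries):
    """Yield (principal, method, permission, granted, timestamp) for every
    authorizationInfo item of a Google SecOps entry; other services are skipped.

    A denied entry still records the permission IAM checked, which is exactly the
    permission missing from the caller's role. Cloud Audit Logs omit "granted"
    when it is false, so an absent field is treated as a denial.
    """
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != SECOPS_SERVICE:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        for info in payload.get("authorizationInfo", []):
            yield (
                principal,
                payload.get("methodName", ""),
                info.get("permission", ""),
                bool(info.get("granted", False)),
                entry.get("timestamp", ""),
            )


def denied_requests(entries):
    """Return the decisions where IAM refused the request."""
    return [d for d in authz_decisions(entries) if not d[3]]


def permission_usage(entries):
    """Count granted permission checks per principal.

    This shows which chronicle.* permissions each user actually exercised, which
    is useful input when trimming a custom role towards least privilege.
    """
    usage = defaultdict(Counter)
    for principal, _method, permission, granted, _ts in authz_decisions(entries):
        if granted:
            usage[principal][permission] += 1
    return {principal: dict(counts) for principal, counts in usage.items()}


if __name__ == "__main__":
    log_entries = parse_entries(SAMPLE_LOG)
    for principal, method, permission, _granted, ts in denied_requests(log_entries):
        print(f"{ts} DENIED {principal} {method} (missing {permission})")
    print(permission_usage(log_entries))
```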
Migrate Google Security Operations to IAM for feature access control
Use information in these sections to migrate an existing Google Security Operations SIEM instance from the previous Google Security Operations role-based access control feature (Google Security Operations RBAC) to IAM. After you migrate to IAM, you can also audit activity on the Google Security Operations instance using Cloud Audit Logs.
Differences between Google Security Operations RBAC and IAM
Although IAM predefined role names are similar to the Google Security Operations RBAC groups, the IAM predefined roles don't provide feature access identical to the Google Security Operations RBAC groups. The permissions assigned to each predefined IAM role are slightly different. For more information, see How IAM permissions map to each Google Security Operations RBAC role.
You can use Google Security Operations predefined roles as is, change the permissions defined in each predefined role, or create custom roles and assign a different set of permissions.
After you migrate the Google Security Operations instance, you manage roles, permissions, and IAM policies using IAM in Google Cloud console. The following Google Security Operations application pages are modified to direct users to Google Cloud console:
- Users & Groups
- Roles
In Google Security Operations RBAC, each permission is described by the feature name and an action. IAM permissions are described by the resource name and method. The following table illustrates the difference with two examples, one related to Dashboards and the second related to Feeds.
- Dashboards example: To control access to Dashboards, Google Security Operations RBAC provides five actions that you can perform on dashboards. IAM provides similar permissions with one addition, dashboards.list, that lets a user list available dashboards.
- Feeds example: To control access to Feeds, Google Security Operations RBAC provides seven actions that you can enable or disable. With IAM there are four: feeds.delete, feeds.create, feeds.update, and feeds.view.
Feature | Permission in Google Security Operations RBAC | IAM permission | Description of user action |
---|---|---|---|
Dashboards | Edit | chronicle.dashboards.edit | Edit dashboards |
Dashboards | Copy | chronicle.dashboards.copy | Copy dashboards |
Dashboards | Create | chronicle.dashboards.create | Create dashboards |
Dashboards | Schedule | chronicle.dashboards.schedule | Schedule reports |
Dashboards | Delete | chronicle.dashboards.delete | Delete reports |
Dashboards | None. This is available in IAM only. | chronicle.dashboards.list | List available dashboards |
Feeds | DeleteFeed | chronicle.feeds.delete | Delete a feed. |
Feeds | CreateFeed | chronicle.feeds.create | Create a feed. |
Feeds | UpdateFeed | chronicle.feeds.update | Update a feed. |
Feeds | EnableFeed | chronicle.feeds.update | Update a feed. |
Feeds | DisableFeed | chronicle.feeds.update | Update a feed. |
Feeds | ListFeeds | chronicle.feeds.view | Return one or more feeds. |
Feeds | GetFeed | chronicle.feeds.view | Return one or more feeds. |
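As an added illustration (not part of Google Security Operations or gcloud), the following Python script applies the mapping in this table to a list of RBAC grants and emits the resulting permissions in the custom role YAML shape shown earlier; it also splits permission names into the SERVICE.FEATURE.ACTION parts described under Google Security Operations permissions in IAM. The function names and the sample grants are this example's own assumptions; only the RBAC_TO_IAM table comes from the page.

```python
"""Translate Google SecOps RBAC (feature, action) grants into IAM permissions.

RBAC_TO_IAM is copied from the Dashboards and Feeds table above; everything
else here is illustration and is not a Google SecOps or gcloud API.
"""
import re

# (feature, RBAC action) -> IAM permission, exactly as the table lists them.
RBAC_TO_IAM = {
    ("Dashboards", "Edit"): "chronicle.dashboards.edit",
    ("Dashboards", "Copy"): "chronicle.dashboards.copy",
    ("Dashboards", "Create"): "chronicle.dashboards.create",
    ("Dashboards", "Schedule"): "chronicle.dashboards.schedule",
    ("Dashboards", "Delete"): "chronicle.dashboards.delete",
    ("Feeds", "DeleteFeed"): "chronicle.feeds.delete",
    ("Feeds", "CreateFeed"): "chronicle.feeds.create",
    ("Feeds", "UpdateFeed"): "chronicle.feeds.update",
    ("Feeds", "EnableFeed"): "chronicle.feeds.update",
    ("Feeds", "DisableFeed"): "chronicle.feeds.update",
    ("Feeds", "ListFeeds"): "chronicle.feeds.view",
    ("Feeds", "GetFeed"): "chronicle.feeds.view",
}

# SERVICE.FEATURE.ACTION, the permission name format described on this page.
PERMISSION_RE = re.compile(
    r"^(?P<service>[a-z]+)\.(?P<feature>[A-Za-z]+)\.(?P<action>[A-Za-z]+)$"
)


def parse_permission(name):
    """Split a permission name into (service, feature, action).

    Raises ValueError for anything that does not follow SERVICE.FEATURE.ACTION,
    which catches typos before they reach gcloud iam roles create.
    """
    match = PERMISSION_RE.match(name)
    if match is None:
        raise ValueError(f"malformed permission name: {name!r}")
    return match.group("service"), match.group("feature"), match.group("action")


def iam_permissions_for(rbac_grants):
    """Return (sorted IAM permissions, unmapped grants) for a list of RBAC grants.

    Several RBAC actions collapse into one IAM permission (EnableFeed, DisableFeed
    and UpdateFeed all become chronicle.feeds.update), so the result is de-duplicated.
    Grants missing from the table are returned rather than silently dropped, so a
    migration review sees what still needs a manual decision.
    """
    permissions, unmapped = set(), []
    for grant in rbac_grants:
        permission = RBAC_TO_IAM.get(grant)
        if permission is None:
            unmapped.append(grant)
        else:
            permissions.add(permission)
    return sorted(permissions), unmapped


def custom_role_yaml(title, description, permissions, stage="ALPHA"):
    """Render a role definition in the YAML shape used with gcloud iam roles create --file."""
    for permission in permissions:
        parse_permission(permission)  # fail early on a malformed name
    lines = [
        f'title: "{title}"',
        f'description: "{description}"',
        f'stage: "{stage}"',
        "includedPermissions:",
    ]
    lines.extend(f"- {permission}" for permission in permissions)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed RBAC role: full feed management plus copying dashboards.
    grants = [
        ("Feeds", "CreateFeed"), ("Feeds", "UpdateFeed"), ("Feeds", "EnableFeed"),
        ("Feeds", "DisableFeed"), ("Feeds", "DeleteFeed"), ("Feeds", "ListFeeds"),
        ("Feeds", "GetFeed"), ("Dashboards", "Copy"),
    ]
    perms, unmapped = iam_permissions_for(grants)
    print(custom_role_yaml("FeedOperator", "Migrated from RBAC feed role", perms))
    if unmapped:
        print("needs manual mapping:", unmapped)
```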
Steps to migrate an existing Google Security Operations instance
To enable IAM on your existing Google Security Operations instance, perform the following steps:
- Contact your Google Security Operations representative and let them know you'd like to migrate your existing RBAC configuration to IAM. Provide your Google Security Operations representative with the following information:
  - The Project ID bound to the Google Security Operations instance. You defined this when you bound Google Security Operations to a Google Cloud project.
  - Frontend path, which is part of your Google Security Operations URL.
  - The Workforce pool ID. You defined this when you configured workforce identity federation.
- Your Google Security Operations representative will send you a file containing gcloud CLI commands. You will run these commands to migrate your existing access control policies to equivalent IAM policies.
- Open the Google Cloud console as a user with the iam.workforcePoolAdmin role and Project Editor permissions and access the Google Security Operations-bound project. You identified or created this user when you integrated Google Security Operations with a third-party identity provider.
- Launch a Cloud Shell session.
- Run the commands provided by the Google Security Operations representative to migrate your existing configuration to IAM. This creates a new IAM policy equivalent to your Google Security Operations RBAC access control configuration.
- After you execute all commands, confirm that the IAM policies were migrated correctly in the IAM > Permissions page.
- When you're comfortable with your IAM policies, contact your Google Security Operations representative and let them know the IAM policies have been migrated.
- Your Google Security Operations representative will perform steps to enable IAM on your Google Security Operations instance and will contact you when this is complete.
- Verify that you can access Google Security Operations as a user with the Google Security Operations API Admin role.
- Sign in to Google Security Operations as a user with the Google Security Operations API Admin predefined role. See Sign in to Google Security Operations for more information.
- Open the Application menu > Settings > Users & Groups page. You should see the message: *To manage users and groups, go to Identity Access Management (IAM) in the Google Cloud console. Learn more about managing users and groups*.
- Verify the permissions for other user roles.
- Sign in to Google Security Operations as a user with a different role. See Sign in to Google Security Operations for more information.
- Verify that available features in the application match the permissions defined in IAM.
How IAM permissions map to each Google Security Operations RBAC role
The following section summarizes each Google Security Operations predefined role in IAM and the permissions bound to each role. It also identifies which Google Security Operations RBAC role and action it is similar to.
Chronicle API Limited Viewer
This role grants read-only access to the Google Security Operations application and API resources, excluding detection engine rules and retrohunts. The role name is chronicle.limitedViewer.
The following permissions are available in the Google Security Operations API Limited Viewer predefined role in IAM.
IAM Permission | Equivalent permission mapped to the following Google Security Operations RBAC role |
---|---|
chronicle.instances.get | This is available in IAM only. |
chronicle.dashboards.get | This is available in IAM only. |
chronicle.dashboards.list | This is available in IAM only. |
chronicle.multitenantDirectories.get | This is available in IAM only. |
chronicle.logs.list | This is available in IAM only. |
Chronicle API Viewer
This role provides read-only access to the Google Security Operations application and API resources. The role name is chronicle.viewer.
The following permissions are available in the Google Security Operations API Viewer predefined role in IAM.
Google Security Operations permission | Equivalent permission is mapped to this Google Security Operations RBAC role |
---|---|
chronicle.ruleDeployments.get | Viewer |
chronicle.ruleDeployments.list | Viewer |
chronicle.rules.verifyRuleText | Viewer |
chronicle.rules.get | Viewer |
chronicle.rules.list | Viewer |
chronicle.legacies.legacyGetRuleCounts | Viewer |
chronicle.legacies.legacyGetRulesTrends | Viewer |
chronicle.rules.listRevisions | Viewer |
chronicle.legacies.legacyGetCuratedRulesTrends | Viewer |
chronicle.ruleExecutionErrors.list | Viewer |
chronicle.curatedRuleSets.get | Viewer |
chronicle.curatedRuleSetDeployments.get | Viewer |
chronicle.curatedRuleSets.list | Viewer |
chronicle.curatedRuleSetDeployments.list | Viewer |
chronicle.curatedRuleSetCategories.get | Viewer |
chronicle.curatedRuleSetCategories.list | Viewer |
chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections | Viewer |
chronicle.curatedRuleSets.countCuratedRuleSetDetections | Viewer |
chronicle.curatedRules.get | Viewer |
chronicle.curatedRules.list | Viewer |
chronicle.referenceLists.list | Viewer |
chronicle.referenceLists.get | Viewer |
chronicle.referenceLists.verifyReferenceList | Viewer |
chronicle.retrohunts.get | Viewer |
chronicle.retrohunts.list | Viewer |
chronicle.dashboards.schedule | Editor |
chronicle.operations.get | None. This is available in IAM only. |
chronicle.operations.list | None. This is available in IAM only. |
chronicle.operations.wait | None. This is available in IAM only. |
chronicle.instances.report | None. This is available in IAM only. |
chronicle.collectors.get | None. This is available in IAM only. |
chronicle.collectors.list | None. This is available in IAM only. |
chronicle.forwarders.generate | None. This is available in IAM only. |
chronicle.forwarders.get | None. This is available in IAM only. |
chronicle.forwarders.list | None. This is available in IAM only. |
Chronicle API Editor
This role enables users to modify access to Google Security Operations application and API resources. The role name is chronicle.editor.
The following permissions are available in the Google Security Operations API Editor predefined role in IAM.
Google Security Operations permission | Equivalent permission is mapped to this Google Security Operations RBAC role |
---|---|
chronicle.ruleDeployments.update | Editor |
chronicle.rules.update | Editor |
chronicle.rules.create | Editor |
chronicle.referenceLists.create | Editor |
chronicle.referenceLists.update | Editor |
chronicle.rules.runRetrohunt | Editor |
chronicle.retrohunts.create | Editor |
chronicle.curatedRuleSetDeployments.batchUpdate | Editor |
chronicle.curatedRuleSetDeployments.update | Editor |
chronicle.dashboards.copy | Editor |
chronicle.dashboards.edit | Editor |
chronicle.dashboards.create | Editor |
chronicle.legacies.legacyUpdateFinding | Editor |
chronicle.dashboards.delete | Editor |
chronicle.operations.delete | None. This is available in IAM only. |
Chronicle API Admin
This role provides full access to the Google Security Operations application and API services, including global settings. The role name is chronicle.admin.
The following permissions are available in the Google Security Operations API Admin predefined role in IAM.
Google Security Operations permission | Equivalent permission is mapped to this Google Security Operations RBAC role |
---|---|
chronicle.parserExtensions.delete | Admin |
chronicle.parsers.copyPrebuiltParser | Admin |
chronicle.extensionValidationReports.get | Admin |
chronicle.extensionValidationReports.list | Admin |
chronicle.validationErrors.list | Admin |
chronicle.parsers.runParser | Admin |
chronicle.parserExtensions.get | Admin |
chronicle.parserExtensions.list | Admin |
chronicle.validationReports.get | Admin |
chronicle.parserExtensions.create | Admin |
chronicle.parserExtensions.removeSyslog | Admin |
chronicle.parsers.activate | Admin |
chronicle.parserExtensions.activate | Admin |
chronicle.parsers.activateReleaseCandidate | Admin |
chronicle.parsers.deactivate | Admin |
chronicle.parserExtensions.generateKeyValueMappings | Admin |
chronicle.parserExtensions.legacySubmitParserExtension | Admin |
chronicle.parsers.list | Admin |
chronicle.parsers.create | Admin |
chronicle.parsers.delete | Admin |
chronicle.feeds.delete | Admin |
chronicle.feeds.create | Admin |
chronicle.feeds.update | Admin |
chronicle.feeds.enable | Admin |
chronicle.feeds.disable | Admin |
chronicle.feeds.list | Admin |
chronicle.feeds.get | Admin |
chronicle.feedSourceTypeSchemas.list | Admin |
chronicle.logTypeSchemas.list | Admin |
chronicle.operations.cancel | Editor |
chronicle.collectors.create | None. This is available in IAM only. |
chronicle.collectors.delete | None. This is available in IAM only. |
chronicle.collectors.update | None. This is available in IAM only. |
chronicle.forwarders.create | None. This is available in IAM only. |
chronicle.forwarders.delete | None. This is available in IAM only. |
chronicle.forwarders.update | None. This is available in IAM only. |
chronicle.parsingErrors.list | None. This is available in IAM only. |