Configure feature access control using IAM

Supported in:

Feature RBAC controls user access to specific features or functionalities within a system and determines which features are accessible to users based on their roles. This page describes how you can configure feature access control within Google Security Operations.

In this document, the term legacy RBAC is used when referring to the previously available access control system that is configured using Google SecOps, and not Identity and Access Management (IAM). Feature RBAC is used to describe feature-based access control that you configure using IAM.

Google SecOps integrates with Google Cloud IAM to provide Google SecOps-specific permissions and predefined roles. Google SecOps administrators can control access to features by creating IAM policies that bind users or groups to predefined roles or can create custom IAM roles. This feature does not control access to specific UDM records or fields in a UDM record.

This document does the following:

  • Describes how Google SecOps integrates with IAM.
  • Explains how feature RBAC roles are different from the legacy RBAC roles.
  • Provides steps to migrate a Google SecOps instance to feature RBAC.
  • Provides examples of how to assign permissions using IAM.
  • Summarizes the permissions and predefined roles available in IAM.

For a list of commonly used Google SecOps permissions and the audit logs they produce, see Permissions and API methods by resource group. For a list of all Google SecOps permissions, see Identity and Access Management permissions reference.

Each Google SecOps permission is associated with a Google SecOps API resource and method. When a user or group is granted a permission, the user can access the feature in Google SecOps and send a request using the related API method.

How Google SecOps integrates with IAM

To use IAM, Google SecOps must be bound to a Google Cloud project and must be configured with either Cloud Identity, Google Workspace, or Google Cloud workforce identity federation as an intermediary in the authentication flow to a third-party identity provider. For information about the third-party authentication flow, see Integrate Google SecOps with a third-party identity provider.

Google SecOps performs the following steps to verify and control access to features:

  1. After logging on to Google SecOps, a user accesses a Google SecOps application page. Alternatively, the user may send an API request to Google SecOps.
  2. Google SecOps verifies the permissions granted in the IAM policies defined for that user.
  3. IAM returns the authorization information. If the user accessed an application page, Google SecOps enables access to only those features that the user has been granted access to.
  4. If the user sent an API request, and does not have permission to perform the requested action, the API response includes an error. Otherwise, a standard response is returned.

Google SecOps provides a set of predefined roles with a defined set of permissions that control whether a user can access the feature. The single IAM policy controls access to the feature using the web interface and the API.

If there are other Google Cloud services in the Google Cloud project bound to Google SecOps, and you want to limit a user with the Project IAM Admin role to modify only the Google SecOps resources, make sure to add IAM conditions to the allow policy. See Assign roles to users and groups for an example of how to do this.

Administrators tailor access to Google SecOps features based on an employee's role in your organization.

Before you begin

Plan your implementation

Create IAM policies that support your organization's deployment requirements. You can use either Google SecOps predefined roles or custom roles that you create.

Review the list of Google SecOps predefined roles and permissions against your organization requirements. Identify which members of your organization should have access to each Google SecOps feature. If your organization requires IAM policies that differ from the predefined Google SecOps roles, create custom roles to support these requirements. For information about IAM custom roles, see Create and manage custom roles.

Summary of Google SecOps roles and permissions

The following sections provides a high level summary of predefined roles.

The most current list of Google SecOps permissions is in IAM permissions reference. Under the Search for a permission section, search for the term chronicle.

The most current list of predefined Google SecOps roles is in IAM basic and predefined roles reference. Under the Predefined roles section, either select the Chronicle API roles service or search for the term chronicle.

For information about API methods and permissions, the pages where permissions are used, and information recorded in Cloud Audit Logs when the API is called, see Chronicle permissions in IAM.

Google SecOps predefined roles in IAM

Google Security Operations provides the following predefined roles as they appear in IAM.

Predefined role in IAM Title Description
roles/chronicle.admin Chronicle API Admin Full access to Google Security Operations application and API services, including global settings.
roles/chronicle.editor Chronicle API Editor Modify access to Google Security Operations application and API resources.
roles/chronicle.viewer Chronicle API Viewer Read-only access to Google Security Operations application and API resources
roles/chronicle.limitedViewer Chronicle API Limited Viewer Grants read-only access to Google Security Operations application and API resources, excluding detection engine rules and retrohunts.

Google SecOps permissions in IAM

Google SecOps permissions correspond one-to-one with Google SecOps API methods. Each Google SecOps permission enables a specific action on a specific Google SecOps feature when using the web application or the API. Google SecOps APIs used with IAM are in the Alpha launch stage.

Google SecOps permission names follow the format SERVICE.FEATURE.ACTION. For example, the permission name chronicle.dashboards.edit consists of the following:

  • chronicle: the Google SecOps API service name.
  • dashboards: the feature name.
  • edit: the action that can be performed on the feature.

The permission name describes the action you can perform on the feature in Google SecOps. All Google SecOps permissions have the chronicle service name.

Assign roles to users and groups

The following sections provide example use cases for creating IAM policies. The term <project> is used to represent the project ID of the project that you bound to Google SecOps.

After you enable the Chronicle API, the Google SecOps predefined roles and permissions are available in IAM and you can create policies to support organization requirements.

If you have a newly created Google SecOps instance, begin creating IAM policies to meet organization requirements.

If this is an existing Google SecOps instance, see Migrate Google SecOps to IAM for feature access control for information about migrating the instance to IAM.

Example: Assign the Project IAM Admin role in a dedicated project

In this example, the project is dedicated to your Google SecOps instance. You grant the Project IAM Admin role to a user so they can grant and modify the project's IAM role bindings. The user can administer all Google SecOps roles and permissions in the project and perform tasks granted by the Project IAM Admin role.

Assign the role using Google Cloud console

The following steps describe how to grant a role to a user using Google Cloud console.

  1. Open Google Cloud console.
  2. Select the project that is bound to Google SecOps.
  3. Select IAM & Admin.
  4. Select Grant Access. The Grant Access to <project> appears.
  5. Under the Add Principals section, enter the managed account email address in the New principals field.
  6. Under the Assign Roles section, in the Select a role menu, select the Project IAM Admin role.
  7. Click Save.
  8. Open the IAM > Permissions page to verify the user was granted the correct role.

Assign the role using the Google Cloud CLI

The following example command demonstrates how to grant a user the chronicle.admin role when using workforce identity federation.

gcloud projects add-iam-policy-binding PROJECT_ID  \
--member=principal://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/subject/USER_EMAIL \
--role=roles/chronicle.admin

Replace the following:

The following example command demonstrates how to grant a group the chronicle.admin role when using Cloud Identity or Google Workspace.

gcloud projects add-iam-policy-binding PROJECT_ID  \
  --member "user:USER_EMAIL" \
  --role=roles/chronicle.admin

Replace the following:

Example: Assign the Project IAM Admin role in a shared project

In this example, the project is used for multiple applications. It is bound to a Google SecOps instance and runs services that are not related to Google SecOps. For example, a Compute Engine resource used for another purpose.

In this case, you can grant the Project IAM Admin role to a user so they can grant and modify the project's IAM role bindings and configure Google SecOps. You will also add IAM s to the role binding to limit their access to only Google SecOps-related roles in the project. This user can only grant roles specified in the IAM condition.

For more information about IAM conditions, see Overview of IAM Conditions and Manage conditional role bindings.

Assign the role using Google Cloud console

The following steps describe how to grant a role to a user using Google Cloud console.

  1. Open Google Cloud console.
  2. Select the project that is bound to Google SecOps.
  3. Select IAM & Admin.
  4. Select Grant Access. The Grant Access to <project> appears.
  5. In the Grant Access to <project> dialog, under the Add Principals section, enter the user email address in the New Principals field.
  6. Under the Assign Roles section, in the Select a role menu, select the Project IAM Admin role.
  7. Click + Add IAM Condition.
  8. In the Add condition dialog, enter the following information:
    1. Enter a Title for the condition.
    2. Select the Condition editor.
    3. Enter the following condition:
  api.getAttribute(iam.googleapis.com/modifiedGrantsByRole,[]).hasOnly([roles/chronicle.googleapis.com/limitedViewer, roles/chronicle.googleapis.com/viewer, roles/chronicle.googleapis.com/editor, roles/chronicle.googleapis.com/admin])
  1. Click Save in the Add condition dialog.
  2. Click Save in the Grant Access to <project> dialog.
  3. Open the IAM > Permissions page to verify the user was granted the correct role.

Assign the role using the Google Cloud CLI

The following example command demonstrates how to grant a user the chronicle.admin role and apply IAM conditions when using workforce identity federation.

gcloud projects add-iam-policy-binding PROJECT_ID  \
--member=principal://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/subject/USER_EMAIL \
--role=roles/chronicle.admin\
--condition=^:^'expression=api.getAttribute(iam.googleapis.com/modifiedGrantsByRole,[]).hasOnly([roles/chronicle.googleapis.com/limitedViewer, roles/chronicle.googleapis.com/viewer, roles/chronicle.googleapis.com/editor, roles/chronicle.googleapis.com/admin])':'title=Chronicle Role Admin'

Replace the following:

The following example command demonstrates how to grant a group the chronicle.admin role and apply IAM conditions when using Cloud Identity or Google Workspace.

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:USER_EMAIL \
  --role=roles/chronicle.admin\
  --condition=^:^'expression=api.getAttribute(iam.googleapis.com/modifiedGrantsByRole,[]).hasOnly([roles/chronicle.googleapis.com/limitedViewer, roles/chronicle.googleapis.com/viewer, roles/chronicle.googleapis.com/editor, roles/chronicle.googleapis.com/admin])':'title=Chronicle Role Admin'

Replace the following:

Example: Assign the Chronicle API Editor role to a user

In this situation, you want to give a user the ability to modify access to Google SecOps API resources.

Assign the role using Google Cloud console

  1. Open Google Cloud console.
  2. Select the project that is bound to Google SecOps.
  3. Select IAM & Admin.
  4. Select Grant Access. The Grant Access to <project> dialog opens.
  5. Under the Add Principals section, in the New principals field, enter the user email address.
  6. Under the Assign Roles section, in the Select a role menu, select the Google SecOps API Editor role.
  7. Click Save in the Grant Access to <project> dialog.
  8. Open the IAM > Permissions page to verify the user was granted the correct role.

Assign the role using the Google Cloud CLI

The following example command demonstrates how to grant a user the chronicle.editor role when using workforce identity federation.

gcloud projects add-iam-policy-binding PROJECT_ID  \
  --member=principal://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/subject/USER_EMAIL \
  --role=roles/chronicle.editor

Replace the following:

  • PROJECT_ID: the project ID of the Google SecOps-bound project you created in Binding a Google SecOps instance to Google Cloud project. See Creating and managing projects for a description of fields that identify a project.
  • WORKFORCE_POOL_ID: the identifier for the Workforce pool created for your Identity Provider.
  • USER_EMAIL: the user's email address.

    The following example command demonstrates how to grant a user the chronicle.editor role when using Cloud Identity or Google Workspace.

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:USER_EMAIL \
  --role=roles/chronicle.editor

Replace the following:

Example: Create and assign a custom role to a group

If Google SecOps predefined roles don't provide the group of permissions that meet your organization's use case, you can create a custom role and assign Google SecOps permissions to that custom role. You assign the custom role to a user or group. For more information about IAM custom roles, see Create and manage custom roles.

The following steps let you create a custom role called LimitedAdmin.

  1. Create a YAML or JSON file that defines the custom role, called LimitedAdmin, and the permissions granted to this role. The following is an example YAML file.

    title: "LimitedAdmin"
    description: "Admin role with some permissions removed"
    stage: "ALPHA"
    includedPermissions:
    - chronicle.collectors.create
    - chronicle.collectors.delete
    - chronicle.collectors.get
    - chronicle.collectors.list
    - chronicle.collectors.update
    - chronicle.dashboards.copy
    - chronicle.dashboards.create
    - chronicle.dashboards.delete
    - chronicle.dashboards.get
    - chronicle.dashboards.list
    - chronicle.extensionValidationReports.get
    - chronicle.extensionValidationReports.list
    - chronicle.forwarders.create
    - chronicle.forwarders.delete
    - chronicle.forwarders.generate
    - chronicle.forwarders.get
    - chronicle.forwarders.list
    - chronicle.forwarders.update
    - chronicle.instances.get
    - chronicle.instances.report
    - chronicle.legacies.legacyGetCuratedRulesTrends
    - chronicle.legacies.legacyGetRuleCounts
    - chronicle.legacies.legacyGetRulesTrends
    - chronicle.legacies.legacyUpdateFinding
    - chronicle.logTypeSchemas.list
    - chronicle.multitenantDirectories.get
    - chronicle.operations.cancel
    - chronicle.operations.delete
    - chronicle.operations.get
    - chronicle.operations.list
    - chronicle.operations.wait
    - chronicle.parserExtensions.activate
    - chronicle.parserExtensions.create
    - chronicle.parserExtensions.delete
    - chronicle.parserExtensions.generateKeyValueMappings
    - chronicle.parserExtensions.get
    - chronicle.parserExtensions.legacySubmitParserExtension
    - chronicle.parserExtensions.list
    - chronicle.parserExtensions.removeSyslog
    - chronicle.parsers.activate
    - chronicle.parsers.activateReleaseCandidate
    - chronicle.parsers.copyPrebuiltParser
    - chronicle.parsers.create
    - chronicle.parsers.deactivate
    - chronicle.parsers.delete
    - chronicle.parsers.get
    - chronicle.parsers.list
    - chronicle.parsers.runParser
    - chronicle.parsingErrors.list
    - chronicle.validationErrors.list
    - chronicle.validationReports.get
    - resourcemanager.projects.get
    
  2. Create the custom role. The following example gcloud CLI command demonstrates how to create this custom role using the YAML file you created in the previous step.

    gcloud iam roles create ROLE_NAME \
    --project=PROJECT_ID \
    --file=YAML_FILE_NAME
    

    Replace the following:

  3. Assign the custom role using the Google Cloud CLI.

    The following example command demonstrates how to grant a group of users the custom role, limitedAdmin when using workforce identity federation.

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/group/GROUP_ID \
      --role=projects/PROJECT_ID/roles/limitedAdmin
    

    Replace the following:

    The following example command demonstrates how to grant a group of users the custom role, limitedAdmin when using Cloud Identity or .

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=groupid:GROUP_ID \
      --role=projects/PROJECT_ID/roles/limitedAdmin
    

    Replace the following:

Verify audit logging

User actions in Google SecOps and requests to the Google SecOps API are recorded as Cloud Audit Logs. To verify that logs are being written, perform the following steps:

  1. Sign in to Google SecOps as a user with privileges to access any feature. See Sign in to Google SecOps for more information.
  2. Perform an action, such as perform a Search.
  3. In Google Cloud console, use the Logs Explorer to view the audit logs in the Google SecOps-bound Cloud project. Google SecOps audit logs have the following service name chronicle.googleapis.com.

For more information about how to view Cloud Audit Logs, see Google SecOps audit logging information.

The following is an example log written when the user alice@example.com viewed the list of parser extensions in Google SecOps.

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "alice@example.com"
    },
    "requestMetadata": {
      "callerIp": "private",
      "callerSuppliedUserAgent": "abc_client",
      "requestAttributes": {
        "time": "2023-03-27T21:09:43.897772385Z",
        "reason": "8uSywAYeWhxBRiBhdXRoIFVwVGljay0-REFUIGV4Y2abcdef",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "chronicle.googleapis.com",
    "methodName": "google.cloud.chronicle.v1main.ParserService.ListParserExtensions",
    "authorizationInfo": [
      {
        "resource": "projects/100000000000/locations/us/instances/aaaa0aa0-000A-00a0-0000-0000a0aa0a1/logTypes/-",
        "permission": "chronicle.parserExtensions.list",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/100000000000/locations/us/instances/aaaa0aa0-000A-00a0-0000-0000a0aa0a1/logTypes/-",
    "numResponseItems": "12",
    "request": {
      "@type": "type.googleapis.com/google.cloud.chronicle.v1main.ListParserExtensionsRequest",
      "parent": "projects/100000000000/locations/us/instances/aaaa0aa0-000A-00a0-0000-0000a0aa0a1/logTypes/-"
    },
    "response": {
      "@type": "type.googleapis.com/google.cloud.chronicle.v1main.ListParserExtensionsResponse"
    }
  },
  "insertId": "1h0b0e0a0",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "project_id": "dev-sys-server001",
      "method": "google.cloud.chronicle.v1main.ParserService.ListParserExtensions",
      "service": "chronicle.googleapis.com"
    }
  },
  "timestamp": "2023-03-27T21:09:43.744940164Z",
  "severity": "INFO",
  "logName": "projects/dev-sys-server001/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2023-03-27T21:09:44.863100753Z"
}

Migrate Google SecOps to feature RBAC for feature access control

Use information in these sections to migrate an existing Google Security Operations SIEM instance from the legacy RBAC system to feature RBAC.

After you migrate to feature RBAC, you can also audit activity on the Google SecOps instance using Cloud Audit Logs.

Differences between legacy RBAC and feature RBAC

Although feature RBAC predefined role names are similar to the legacy RBAC roles, the feature RBAC predefined roles don't provide identical feature access as the legacy RBAC roles. The permissions assigned to each predefined feature RBAC role are slightly different. For more information, see How feature RBAC IAM roles map to legacy RBAC roles.

You can use Google SecOps predefined roles as is, change the permissions defined in each predefined role, or create custom roles and assign a different set of permissions.

After you migrate the Google SecOps instance, you manage roles, permissions, and feature RBAC policies using IAM in Google Cloud console. The following Google SecOps application pages are modified to direct users to Google Cloud console:

  • Users & Groups
  • Roles

In legacy RBAC, each permission is described by the feature name and an action. IAM permissions in feature RBAC are described by the resource name and method. The following table illustrates the difference with two examples, one related to Dashboards and the second related to Feeds.

  • Dashboard example: To control access to Dashboards, the legacy RBAC provides five actions that you can perform on dashboards. Feature RBAC provides similar IAM permissions with one additional, dashboards.list, that lets a user list available dashboards.

  • Feeds example: To control access to Feeds, legacy RBAC provides seven actions that you can enable or disable. With feature RBAC there are four: feeds.delete, feeds.create, feeds.update, and feeds.view.

Feature Permission in legacy RBAC IAM permission in feature RBAC Description of user action
Dashboards Edit chronicle.dashboards.edit Edit dashboards
Dashboards Copy chronicle.dashboards.copy Copy dashboards
Dashboards Create chronicle.dashboards.create Create dashboards
Dashboards Schedule chronicle.dashboards.schedule Schedule reports
Dashboards Delete chronicle.dashboards.delete Delete reports
Dashboards None. This is available in feature RBAC only. chronicle.dashboards.list List available dashboards
Feeds DeleteFeed chronicle.feeds.delete Delete a feed.
Feeds CreateFeed chronicle.feeds.create Create a feed.
Feeds UpdateFeed chronicle.feeds.update Update a feed.
Feeds EnableFeed chronicle.feeds.update Update a feed.
Feeds DisableFeed chronicle.feeds.update Update a feed.
Feeds ListFeeds chronicle.feeds.view Return one or more feeds.
Feeds GetFeed chronicle.feeds.view Return one or more feeds.

Steps to migrate existing access control permissions

After you complete steps to migrate an existing Google SecOps instance, you can also migrate your feature access control configuration.

Google SecOps provides auto-generated commands that create new feature RBAC IAM policies equivalent to your legacy RBAC, which is configured in Google SecOps, under the SIEM Settings > Users and Groups page.

Make sure you have the required permissions described in Configure a Google Cloud project for Google SecOps, and then follow the steps in Migrate existing permissions and roles to IAM.

How feature RBAC IAM roles map to legacy RBAC roles

The mapping information in this section illustrates some of the differences in access for predefined roles before and after migration. Although legacy RBAC role names are similar to feature RBAC IAM predefined roles, the actions that each provide access to are different. This section provides an introduction to some of these differences.

Chronicle API Limited Viewer

This role grants read-only access to the Google SecOps application and API resources, excluding detection engine rules and retrohunts. The role name is chronicle.limitedViewer.

For a detailed list of the permissions, see Chronicle API Viewer.

Chronicle API Viewer

This role provides read-only access to the Google SecOps application and API resources. The role name is chronicle.viewer.

The following permissions illustrate some of the differences between similar legacy RBAC and feature RBAC roles. For a detailed list of the permissions, see Chronicle API Viewer.

Feature RBAC IAM permission Equivalent permission is mapped to this legacy RBAC role
chronicle.ruleDeployments.get Viewer
chronicle.ruleDeployments.list Viewer
chronicle.rules.verifyRuleText Viewer
chronicle.rules.get Viewer
chronicle.rules.list Viewer
chronicle.legacies.legacyGetRuleCounts Viewer
chronicle.legacies.legacyGetRulesTrends Viewer
chronicle.rules.listRevisions Viewer
chronicle.legacies.legacyGetCuratedRulesTrends Viewer
chronicle.ruleExecutionErrors.list Viewer
chronicle.curatedRuleSets.get Viewer
chronicle.curatedRuleSetDeployments.get Viewer
chronicle.curatedRuleSets.list Viewer
chronicle.curatedRuleSetDeployments.list Viewer
chronicle.curatedRuleSetCategories.get Viewer
chronicle.curatedRuleSetCategories.list Viewer
chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections Viewer
chronicle.curatedRuleSets.countCuratedRuleSetDetections Viewer
chronicle.curatedRules.get Viewer
chronicle.curatedRules.list Viewer
chronicle.referenceLists.list Viewer
chronicle.referenceLists.get Viewer
chronicle.referenceLists.verifyReferenceList Viewer
chronicle.retrohunts.get Viewer
chronicle.retrohunts.list Viewer
chronicle.dashboards.schedule Editor
chronicle.operations.get None. This is available in feature RBAC only.
chronicle.operations.list None. This is available in feature RBAC only.
chronicle.operations.wait None. This is available in feature RBAC only.
chronicle.instances.report None. This is available in feature RBAC only.
chronicle.collectors.get None. This is available in feature RBAC only.
chronicle.collectors.list None. This is available in feature RBAC only.
chronicle.forwarders.generate None. This is available in feature RBAC only.
chronicle.forwarders.get None. This is available in feature RBAC only.
chronicle.forwarders.list None. This is available in feature RBAC only.

Chronicle API Editor

This role enables users to modify access to Google SecOps application and API resources. The role name is chronicle.editor.

The following permissions illustrate some of the differences between the similar legacy RBAC and feature RBAC roles. For a detailed list of the permissions, see Chronicle API Editor.

Feature RBAC IAM permission Equivalent permission is mapped to this legacy RBAC role
chronicle.ruleDeployments.update Editor
chronicle.rules.update Editor
chronicle.rules.create Editor
chronicle.referenceLists.create Editor
chronicle.referenceLists.update Editor
chronicle.rules.runRetrohunt Editor
chronicle.retrohunts.create Editor
chronicle.curatedRuleSetDeployments.batchUpdate Editor
chronicle.curatedRuleSetDeployments.update Editor
chronicle.dashboards.copy Editor
chronicle.dashboards.edit Editor
chronicle.dashboards.create Editor
chronicle.legacies.legacyUpdateFinding Editor
chronicle.dashboards.delete Editor
chronicle.operations.delete None. This is available in feature RBAC only.

Chronicle API Admin

This role provides full access to the Google SecOps application and API services, including global settings. The role name is chronicle.admin.

The following permissions illustrate some of the differences between the similar legacy RBAC and feature RBAC roles. For a detailed list of the permissions, see Chronicle API Admin.

Feature RBAC IAM permission Equivalent permission is mapped to this legacy RBAC role
chronicle.parserExtensions.delete Admin
chronicle.parsers.copyPrebuiltParser Admin
chronicle.extensionValidationReports.get Admin
chronicle.extensionValidationReports.list Admin
chronicle.validationErrors.list Admin
chronicle.parsers.runParser Admin
chronicle.parserExtensions.get Admin
chronicle.parserExtensions.list Admin
chronicle.validationReports.get Admin
chronicle.parserExtensions.create Admin
chronicle.parserExtensions.removeSyslog Admin
chronicle.parsers.activate Admin
chronicle.parserExtensions.activate Admin
chronicle.parsers.activateReleaseCandidate Admin
chronicle.parsers.deactivate Admin
chronicle.parsers.deactivate Admin
chronicle.parserExtensions.generateKeyValuechronicle.Mappings Admin
chronicle.parserExtensions.legacySubmitParserExtension Admin
chronicle.parsers.activate Admin
chronicle.parsers.activate Admin
chronicle.parsers.activate Admin
chronicle.parsers.list Admin
chronicle.parsers.create Admin
chronicle.parsers.delete Admin
chronicle.feeds.delete Admin
chronicle.feeds.create Admin
chronicle.feeds.update Admin
chronicle.feeds.enable Admin
chronicle.feeds.disable Admin
chronicle.feeds.list Admin
chronicle.feeds.get Admin
chronicle.feedSourceTypeSchemas.list Admin
chronicle.logTypeSchemas.list Admin
chronicle.operations.cancel Editor
chronicle.collectors.create None. This is available in feature RBAC only.
chronicle.collectors.delete None. This is available in feature RBAC only.
chronicle.collectors.update None. This is available in feature RBAC only.
chronicle.forwarders.create None. This is available in feature RBAC only.
chronicle.forwarders.delete None. This is available in feature RBAC only.
chronicle.forwarders.update None. This is available in feature RBAC only.
chronicle.parsingErrors.list None. This is available in feature RBAC only.