Access control with IAM

Overview

Risk Manager uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more IAM roles to a user, group, or service account. Risk Manager permissions are incorporated into the IAM roles.

Risk Manager Roles

Risk Manager provides predefined roles that grant multiple permissions to specific Risk Manager resources.

The following table lists the predefined roles for Risk Manager, their description, and which permissions they include. Grant these roles at the organization level.

Role Title Description Permissions
riskmanager.admin Risk Manager Admin All Risk Manager permissions riskmanager.serviceaccount.create
riskmanager.reports.get
riskmanager.reports.list
riskmanager.reports.create
riskmanager.reports.delete
riskmanager.reports.review
riskmanager.reports.share
riskmanager.operations.get
riskmanager.operations.list
riskmanager.operations.delete
riskmanager.policies.get
riskmanager.policies.list
riskmanager.settings.get
riskmanager.settings.update
riskmanager.editor Risk Manager Editor Access to edit Risk Manager resources (includes all permissions except for the ability to share or review a report) riskmanager.serviceaccount.create
riskmanager.reports.get
riskmanager.reports.list
riskmanager.reports.create
riskmanager.reports.delete
riskmanager.operations.get
riskmanager.operations.list
riskmanager.operations.delete
riskmanager.policies.get
riskmanager.policies.list
riskmanager.settings.get
riskmanager.settings.update
riskmanager.viewer Risk Manager Viewer Access to view Risk Manager resources riskmanager.reports.get
riskmanager.reports.list
riskmanager.operations.get
riskmanager.operations.list
riskmanager.policies.get
riskmanager.policies.list
riskmanager.settings.get
riskmanager.reviewer Risk Manager Report Reviewer Access to review/approve Risk Manager reports riskmanager.reports.get
riskmanager.reports.list
riskmanager.reports.review
riskmanager.operations.get
riskmanager.operations.list

Risk Manager Service Agent role

When you enroll in Risk Manager, a service account is created for you in the format of organizations-ORGANIZATION_ID@gcp-sa-riskmanager.iam.gserviceaccount.com. This service account is automatically granted the riskmanager.serviceAgent role at the organization level. This role lets the Risk Manager service account retrieve the data needed from other Google Cloud services to generate Risk Manager reports.

This riskmanager.serviceAgent role is a role that includes the following permissions:

Role Title Description Permissions
roles/riskmanager.serviceAgent Risk Manager Service Agent Access to retrieve data from other Google Cloud services needed to generate Risk Manager reports.
  • resourcemanager.organizations.get

Also, all permissions of the following roles are included:

  • cloudasset.viewer
  • securitycenter.assetsViewer
  • securitycenter.findingsViewer
  • securitycenter.settingsViewer

To add the roles/riskmanager.serviceAgent role, you must have the roles/resourcemanager.organizationAdmin role. You can add the roles/riskmanager.serviceAgent role to a service account by running the following command:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="serviceAccount:organizations-ORGANIZATION_ID@gcp-sa-riskmanager.iam.gserviceaccount.com" \
  --role="roles/riskmanager.serviceAgent"

Replace ORGANIZATION_ID with the numeric ID of your organization.

For more information about IAM roles, see Understanding roles.

Risk Manager custom roles

In addition to predefined roles, Risk Manager supports the ability to create customized IAM roles. You can create a custom IAM role and assign that role one or more permissions. Then, you can grant the new role to your collaborators. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles offered by Google.

This document does not describe how to create a custom role. For in-depth information about custom roles and step-by-step instructions for creating a custom role, see Creating and managing custom roles in the IAM documentation.