This topic describes how to configure your Google Cloud organization to use Risk Manager for the first time. These steps are prerequisites for most tasks in Risk Manager.
Beginning Risk Manager setup
To generate reports, Risk Manager requires a one-time setup to be completed. This process requires Identity and Access Management (IAM) permissions beyond the scope of Risk Manager, which may only be held by an administrator in your organization.
To begin setup, follow these steps:
Console
Go to the Risk Manager setup page.
If no organization is selected, follow these steps:
- Click Select an organization.
- Select your organization in the drop-down menu.
Click Begin Setup. If this button is inactive, obtain the required setup permissions, and then try again.
Required setup permissions
If the Begin Setup button is inactive for you, you are missing the required permissions to begin setup. To proceed, you must either request these permissions from your Google Cloud administrator, or have your Google Cloud administrator perform these steps for you.
The following roles contain the permissions you need to complete the rest of the steps in this guide:
Risk Manager Admin
Organization Administrator
You can see the required permissions by hovering over the inactive Begin Setup button, but they are also listed here:
Required permission | Reference |
---|---|
riskmanager.serviceAccount.create |
See Risk Manager access control for IAM roles that include this permission. See Assign IAM roles for how to assign Risk Manager roles. |
resourcemanager.organizations.getIamPolicy |
See Access control for organizations for IAM roles that include this permission. |
resourcemanager.organizations.setIamPolicy |
See Access control for organizations for IAM roles that include this permission. |
Grant the Risk Manager service account access to your organization
When you begin to set up Risk Manager in the Google Cloud console, a service account is created. Upon creation, this service account has no permissions and cannot perform any actions.
The Risk Manager service account must be granted the
Risk Manager service agent role
(roles/riskmanager.serviceAgent
) in order to read security findings and
build reports. This role grant is often referred to as "provisioning" by
Risk Manager in the Google Cloud Google Cloud console. For more information
about the service agent role, see
Risk Manager access control.
To provision the Risk Manager service account, follow these steps:
Console
Go to Risk Manager setup page.
If no organization is selected, follow these steps:
- Click Select an organization.
- Select your organization in the drop-down menu.
Go to the Provision Service Account step. If this step has already been completed, it's automatically skipped. You can still view it by clicking Provision Service Account.
Click Grant Roles.
Verify that the Grant Roles button is updated to show Roles Granted.
Enroll in Risk Manager
Enrolling in Risk Manager enables any backend services needed for Risk Manager to work.
For enrollment to succeed, the organization must have Security Command Center enabled, with the Security Health Analytics service enabled within Security Command Center. The Security Command Center and Security Health Analytics enablement process is detailed in the Risk Manager onboarding page.
To enroll in Risk Manager, follow these steps:
Console
Go to Risk Manager setup page:
If no organization is selected:
- Click Select an organization.
- Select your organization in the drop-down menu.
Go to the Enroll in Risk Manager step. If you are unable to go to this step, you must complete the prerequisite steps first.
If this step has already been completed, it's automatically skipped. You can still view it by clicking Enroll in Risk Manager.
Click Enroll.
Verify that the Enroll button is updated to show Enrolled.
Assign IAM roles
Before a user can create, review, share, or send a report, that user must have
the appropriate IAM permissions. You can grant one or more
predefined roles or create and grant custom roles. For example, a principal with
the Risk Manager Report Reviewer role (roles/riskmanager.reportReviewer
)
can access (but not modify) the reports, and approve reports to be sent;
however, they can't create reports.
For more information, including a list of predefined roles for Risk Manager, see Managing access to risk manager.
To add a role, follow these steps:
Console
Go to the IAM page in the Google Cloud console.
Click the project selector drop-down list at the top of the page.
In the Select from dialog that appears, select the organization for which you want to enable Risk Manager.
On the IAM page, next to your username, click
Edit principal.On the Edit permissions pane that appears, add the necessary roles.
Click Add another role. Select a role to add, such as Risk Manager Report Reviewer.
To add more roles, repeat the previous step. Click Save.
gcloud
Run the following command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \ --member=user:USERNAME --role=roles/ROLE
Replace the following:
ORGANIZATION_ID
: the numeric ID of your organization.USERNAME
: the principal that you want to grant this role to. This must be a member of your organization; for example,test-user@example.com
.ROLE
: the name of the Risk Manager role that you want to grant; for example,riskmanager.admin
.
What's next?
- Learn how to create a report.
- Learn how to remediate findings.
- Learn how to automatically generate reports.