Configuring Risk Manager

This topic describes how to configure your Google Cloud organization to use Risk Manager for the first time. These steps are prerequisites for most tasks in Risk Manager.

Beginning Risk Manager setup

To generate reports, Risk Manager requires a one-time setup to be completed. This process requires Identity and Access Management (IAM) permissions beyond the scope of Risk Manager, which may only be held by an administrator in your organization.

To begin setup, follow these steps:

Console

  1. Go to the Risk Manager setup page.

    Go to Risk Manager setup

  2. If no organization is selected, follow these steps:

    1. Click Select an organization.
    2. Select your organization in the drop-down menu.
  3. Click Begin Setup. If this button is inactive, obtain the required setup permissions, and then try again.

Required setup permissions

If the Begin Setup button is inactive for you, you are missing the required permissions to begin setup. To proceed, you must either request these permissions from your Google Cloud administrator, or have your Google Cloud administrator perform these steps for you.

The following roles contain the permissions you need to complete the rest of the steps in this guide:

  • Risk Manager Admin
  • Organization Administrator

You can see the required permissions by hovering over the inactive Begin Setup button, but they are also listed here:

Required permissions and where to find the roles that include them:

  • riskmanager.serviceAccount.create: see Risk Manager access control for IAM roles that include this permission, and Assign IAM roles for how to assign Risk Manager roles.
  • resourcemanager.organizations.getIamPolicy: see Access control for organizations for IAM roles that include this permission.
  • resourcemanager.organizations.setIamPolicy: see Access control for organizations for IAM roles that include this permission.

Grant the Risk Manager service account access to your organization

When you begin to set up Risk Manager in the Google Cloud console, a service account is created. Upon creation, this service account has no permissions and cannot perform any actions.

The Risk Manager service account must be granted the Risk Manager service agent role (roles/riskmanager.serviceAgent) to read security findings and build reports. This role grant is often referred to as "provisioning" by Risk Manager in the Google Cloud console. For more information about the service agent role, see Risk Manager access control.

To provision the Risk Manager service account, follow these steps:

Console

  1. Go to the Risk Manager setup page.

    Go to Risk Manager setup steps

  2. If no organization is selected, follow these steps:

    1. Click Select an organization.
    2. Select your organization in the drop-down menu.
  3. Go to the Provision Service Account step. If this step has already been completed, it's automatically skipped. You can still view it by clicking Provision Service Account.

  4. Click Grant Roles.

  5. Verify that the Grant Roles button is updated to show Roles Granted.

Enroll in Risk Manager

Enrolling in Risk Manager enables any backend services needed for Risk Manager to work.

For enrollment to succeed, the organization must have Security Command Center enabled, with the Security Health Analytics service enabled within Security Command Center. The Security Command Center and Security Health Analytics enablement process is detailed in the Risk Manager onboarding page.

To enroll in Risk Manager, follow these steps:

Console

  1. Go to the Risk Manager setup page:

    Go to Risk Manager setup steps

  2. If no organization is selected:

    1. Click Select an organization.
    2. Select your organization in the drop-down menu.
  3. Go to the Enroll in Risk Manager step. If you are unable to go to this step, you must complete the prerequisite steps first.

    If this step has already been completed, it's automatically skipped. You can still view it by clicking Enroll in Risk Manager.

  4. Click Enroll.

  5. Verify that the Enroll button is updated to show Enrolled.

Assign IAM roles

Before a user can create, review, share, or send a report, that user must have the appropriate IAM permissions. You can grant one or more predefined roles or create and grant custom roles. For example, a principal with the Risk Manager Report Reviewer role (roles/riskmanager.reportReviewer) can access (but not modify) the reports, and approve reports to be sent; however, they can't create reports.

For more information, including a list of predefined roles for Risk Manager, see Managing access to Risk Manager.

To add a role, follow these steps:

Console

  1. Go to the IAM page in the Google Cloud console.

    Go to IAM

  2. Click the project selector drop-down list at the top of the page.

  3. In the Select from dialog that appears, select the organization for which you want to enable Risk Manager.

  4. On the IAM page, next to your username, click Edit principal.

  5. On the Edit permissions pane that appears, add the necessary roles.

    1. Click Add another role. Select a role to add, such as Risk Manager Report Reviewer.

    2. To add more roles, repeat the previous step. Click Save.

gcloud

  1. Install and initialize the Google Cloud CLI.

  2. Run the following command:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
      --member=user:USERNAME --role=roles/ROLE

    Replace the following:

    • ORGANIZATION_ID: the numeric ID of your organization.

    • USERNAME: the principal that you want to grant this role to. This must be a member of your organization; for example, test-user@example.com.

    • ROLE: the name of the Risk Manager role that you want to grant; for example, riskmanager.admin.
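After granting roles with the command above, a practitioner usually wants to confirm that the organization policy now contains the bindings this guide requires (the service agent role on the Risk Manager service account, and the intended Risk Manager roles on each user) and nothing more. The following check is an added example, not Google's code: it parses the JSON that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` prints, using a constructed sample policy in which the service account name and etag are placeholders.

```python
import json

# Constructed sample of the JSON that
#   gcloud organizations get-iam-policy ORGANIZATION_ID --format=json
# prints. The member names and etag are placeholders, not real principals.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/riskmanager.serviceAgent",
     "members": ["serviceAccount:RISK_MANAGER_SA_PLACEHOLDER@example.iam.gserviceaccount.com"]},
    {"role": "roles/riskmanager.reportReviewer",
     "members": ["user:test-user@example.com"]},
    {"role": "roles/riskmanager.admin",
     "members": ["user:admin@example.com"]}
  ],
  "etag": "ETAG_PLACEHOLDER",
  "version": 1
}
"""
SERVICE_AGENT_ROLE = "roles/riskmanager.serviceAgent"
RISK_MANAGER_PREFIX = "roles/riskmanager."


def load_policy(text):
    """Parse the JSON policy document printed by gcloud."""
    return json.loads(text)


def roles_for_member(policy, member):
    """Return the set of roles bound to `member` in the policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def check_risk_manager_setup(policy, service_account, expected):
    """Compare the live policy with the bindings this guide expects.

    `expected` maps a member ("user:..." or "serviceAccount:...") to the
    Risk Manager roles it should hold. Returns a sorted list of problems:
    missing roles, plus any extra Risk Manager role a member holds beyond
    what was expected (least-privilege drift). An empty list means OK.
    """
    problems = []
    # Provisioning step: the service account must hold the service agent role.
    if SERVICE_AGENT_ROLE not in roles_for_member(policy, service_account):
        problems.append(f"{service_account} is missing {SERVICE_AGENT_ROLE}")
    for member, wanted in expected.items():
        held = roles_for_member(policy, member)
        for role in wanted - held:
            problems.append(f"{member} is missing {role}")
        for role in held - wanted:
            if role.startswith(RISK_MANAGER_PREFIX):
                problems.append(f"{member} holds unexpected {role}")
    return sorted(problems)
```

To run it against a real organization, replace SAMPLE_POLICY_JSON with the saved output of the get-iam-policy command and pass the actual service account principal and the members you granted roles to.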

What's next?