Access control

Security Command Center

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use the Security Command Center API. The following lists each Cloud IAM role available for Security Command Center and the permissions (API methods) each role grants. Apply these roles at the organization level.

Role: roles/securitycenter.admin
Title: Security Center Admin
Description: Admin (super user) access to security center
Permissions:
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Organization

Role: roles/securitycenter.adminEditor
Title: Security Center Admin Editor
Description: Admin Read-write access to security center
Permissions:
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Organization

Role: roles/securitycenter.adminViewer
Title: Security Center Admin Viewer
Description: Admin Read access to security center
Permissions:
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Organization

Role: roles/securitycenter.assetSecurityMarksWriter
Title: Security Center Asset Security Marks Writer
Description: Write access to asset security marks
Permissions:
  • securitycenter.assetsecuritymarks.*
Lowest resource: Organization

Role: roles/securitycenter.assetsDiscoveryRunner
Title: Security Center Assets Discovery Runner
Description: Run asset discovery access to assets
Permissions:
  • securitycenter.assets.runDiscovery
Lowest resource: Organization

Role: roles/securitycenter.assetsViewer
Title: Security Center Assets Viewer
Description: Read access to assets
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
Lowest resource: Organization

Role: roles/securitycenter.findingSecurityMarksWriter
Title: Security Center Finding Security Marks Writer
Description: Write access to finding security marks
Permissions:
  • securitycenter.findingsecuritymarks.*
Lowest resource: Organization

Role: roles/securitycenter.findingsEditor
Title: Security Center Findings Editor
Description: Read-write access to findings
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.findings.*
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization

Role: roles/securitycenter.findingsStateSetter
Title: Security Center Findings State Setter
Description: Set state access to findings
Permissions:
  • securitycenter.findings.setState
Lowest resource: Organization

Role: roles/securitycenter.findingsViewer
Title: Security Center Findings Viewer
Description: Read access to findings
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization

Role: roles/securitycenter.notificationConfigEditor
Title: Security Center Notification Configurations Editor
Description: Write access to notification configurations
Permissions:
  • securitycenter.notificationconfig.*

Role: roles/securitycenter.notificationConfigViewer
Title: Security Center Notification Configurations Viewer
Description: Read access to notification configurations
Permissions:
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list

Role: roles/securitycenter.sourcesAdmin
Title: Security Center Sources Admin
Description: Admin access to sources
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.*
Lowest resource: Organization

Role: roles/securitycenter.sourcesEditor
Title: Security Center Sources Editor
Description: Read-write access to sources
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
Lowest resource: Organization

Role: roles/securitycenter.sourcesViewer
Title: Security Center Sources Viewer
Description: Read access to sources
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization

Role: Security Center Service Agent

When you enable Security Command Center, a service account is created for you named service-org-organization-id@security-center-api.iam.gserviceaccount.com, where organization-id is your organization's ID. This service account is automatically granted the securitycenter.serviceAgent role at the organization level. This role enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis.

This securitycenter.serviceAgent role is an internal role that includes the following permissions:

Role: roles/securitycenter.serviceAgent
Title: Security Center Service Agent
Description: Access to scan Google Cloud resources and import security scans
Permissions:
  All of the permissions of the following roles:
    • appengine.appViewer
    • cloudasset.viewer
    • compute.viewer
    • container.viewer
    • dlpscanner.policyReader
    • dlpscanner.scanReader
    • dlp.jobsReader
  Plus the following additional permissions:
    • resourcemanager.folders.list
    • resourcemanager.folders.get
    • resourcemanager.organizations.list
    • resourcemanager.organizations.get
    • resourcemanager.projects.list
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • storage.buckets.get
    • storage.buckets.list
    • storage.buckets.getIamPolicy
Lowest resource: Organization

To add roles/securitycenter.serviceAgent, you must have roles/resourcemanager.organizationAdmin. You can add the role to a service account by running:

gcloud organizations add-iam-policy-binding organization-id \
  --member="serviceAccount:service-org-organization-id@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"

For more information about Cloud IAM roles, see understanding roles.

Event Threat Detection

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use the Event Threat Detection API. The following lists each Cloud IAM role available for Event Threat Detection and the permissions (API methods) each role grants. Apply these roles at the organization level.

Role: roles/threatdetection.editor
Title: Threat Detection Settings Editor (Beta)
Description: Read-write access to all Threat Detection settings
Permissions:
  • threatdetection.*
Lowest resource: Organization

Role: roles/threatdetection.viewer
Title: Threat Detection Settings Viewer (Beta)
Description: Read access to all Threat Detection settings
Permissions:
  • threatdetection.detectorSettings.get
  • threatdetection.sinkSettings.get
  • threatdetection.sourceSettings.get
Lowest resource: Organization

Web Security Scanner

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use Web Security Scanner. The tables below list each Cloud IAM role available for Web Security Scanner and the permissions (API methods) each role grants. Grant these roles at the project level. To give users the ability to create and manage security scans, add them to your project and grant them permissions by assigning these roles.

Web Security Scanner supports primitive roles and predefined roles that give more granular access to Web Security Scanner resources.

Primitive Cloud IAM roles

The following describes the Web Security Scanner permissions that are granted by primitive roles.

Owner: Full access to all Web Security Scanner resources
Editor: Full access to all Web Security Scanner resources
Viewer: No access to Web Security Scanner

Predefined Cloud IAM roles

The following describes the Web Security Scanner permissions that are granted by Web Security Scanner roles.

Role: roles/cloudsecurityscanner.editor
Title: Web Security Scanner Editor
Description: Full access to all Web Security Scanner resources
Permissions:
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Project

Role: roles/cloudsecurityscanner.runner
Title: Web Security Scanner Runner
Description: Read access to Scan and ScanRun, plus the ability to start scans
Permissions:
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
Lowest resource: Project

Role: roles/cloudsecurityscanner.viewer
Title: Web Security Scanner Viewer
Description: Read access to all Web Security Scanner resources
Permissions:
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Project

For more information about Cloud IAM roles, see understanding roles.