>

Access control

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use the Cloud Security Command Center (Cloud SCC) API. Below is a list of each Cloud IAM role available for Cloud SCC and the methods available to them. Apply these roles at the organization level.

Security Center Roles

Role Title Description Permissions Lowest Resource
roles/
securitycenter.admin		 Security Center Admin Beta Admin(super user) access to security center resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.*
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.update
securitycenter.findingsecuritymarks.*
securitycenter.organizationsettings.*
securitycenter.sources.*
 Organization
roles/
securitycenter.adminEditor		 Security Center Admin Editor Beta Admin Read-write access to security center resourcemanager.organizations.get
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.*
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.update
securitycenter.findingsecuritymarks.*
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
 Organization
roles/
securitycenter.adminViewer		 Security Center Admin Viewer Beta Admin Read access to security center resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
 Organization
roles/
securitycenter.assetSecurityMarksWriter		 Security Center Asset Security Marks Writer Beta Write access to asset security marks securitycenter.assetsecuritymarks.*
 Organization
roles/
securitycenter.assetsDiscoveryRunner		 Security Center Assets Discovery Runner Beta Run asset discovery access to assets securitycenter.assets.runDiscovery
 Organization
roles/
securitycenter.assetsViewer		 Security Center Assets Viewer Beta Read access to assets resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
 Organization
roles/
securitycenter.editor		 Security Center Editor Beta Read-write access to assets, configs, notification streams, and marks, readonly access to scans resourcemanager.organizations.get
securitycenter.assets.get
securitycenter.assets.getFieldNames
securitycenter.assets.list
securitycenter.assets.triggerDiscovery
securitycenter.assets.update
securitycenter.configs.get
securitycenter.configs.getIamPolicy
securitycenter.configs.update
securitycenter.scans.*
 Organization
roles/
securitycenter.findingSecurityMarksWriter		 Security Center Finding Security Marks Writer Beta Write access to finding security marks securitycenter.findingsecuritymarks.*
 Organization
roles/
securitycenter.findingsEditor		 Security Center Findings Editor Beta Read-write access to findings resourcemanager.organizations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
 Organization
roles/
securitycenter.findingsStateSetter		 Security Center Findings State Setter Beta Set state access to findings securitycenter.findings.setState
 Organization
roles/
securitycenter.findingsViewer		 Security Center Findings Viewer Beta Read access to findings resourcemanager.organizations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
 Organization
roles/
securitycenter.sourcesAdmin		 Security Center Sources Admin Beta Admin access to sources resourcemanager.organizations.get
securitycenter.sources.*
 Organization
roles/
securitycenter.sourcesEditor		 Security Center Sources Editor Beta Read-write access to sources resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
 Organization
roles/
securitycenter.sourcesViewer		 Security Center Sources Viewer Beta Read access to sources resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
 Organization
roles/
securitycenter.viewer		 Security Center Viewer Beta Read access to assets, configs, notification streams, scans, and marks resourcemanager.organizations.get
securitycenter.assets.get
securitycenter.assets.getFieldNames
securitycenter.assets.list
securitycenter.configs.get
securitycenter.configs.getIamPolicy
securitycenter.scans.*
 Organization

Role: Security Center Service Agent

When you enable Cloud SCC, a service account is created for you. That service account is automatically granted the securitycenter.serviceAgent role. This role enables Cloud SCC to create and update its own copy of your organization's asset inventory metadata on an ongoing basis. This is an internal role that includes the following permissions:

Role Title Description Methods Allowed
securitycenter.serviceAgent Access to scan Google Cloud Platform (GCP) resources and import security scans Security Center Service Agent

All of the permissions of the following roles:

  • appengine.appViewer
  • cloudasset.viewer
  • compute.viewer
  • container.viewer
  • dlpscanner.policyReader
  • dlpscanner.scanReader
  • dlp.jobsReader

Plus the following additional permissions:

  • resourcemanager.folders.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.getIamPolicy

For more information about Cloud IAM roles, see understanding roles.

Was this page helpful? Let us know how we did:

Send feedback about...

This page
Documentation feedback
Cloud Security Command Center
Product feedback
Need help? Visit our support page.