This page describes how Security Command Center uses Identity and Access Management (IAM) to control access to resources at different levels of your resource hierarchy.
Security Command Center uses IAM roles to let you control who can do what with assets, findings, and security sources in your Security Command Center environment. You grant roles to individuals and applications, and each role provides specific permissions.
Security Command Center Premium supports granting IAM roles at the organization, folder, and project levels. Security Command Center Standard only supports granting roles at the organization level.
Permissions
To set up Security Command Center or change the configuration of your organization, you need both of the following roles at the organization level:
- Organization Admin (roles/resourcemanager.organizationAdmin)
- Security Center Admin (roles/securitycenter.admin)
If a user doesn't require edit permissions, consider granting them viewer roles. To view all assets and findings in Security Command Center, users need the Security Center Admin Viewer (roles/securitycenter.adminViewer) role at the organization level. Users who also need to view settings need the Security Center Admin (roles/securitycenter.admin) role at the organization level.
To restrict access to individual folders and projects, don't grant all roles at the organization level. Instead, grant the following roles at the folder or project level:
- Security Center Assets Viewer (roles/securitycenter.assetsViewer)
- Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Organization-level roles
When IAM roles are applied at the organization level, projects and folders under an organization inherit its roles and permissions.
The following figure illustrates a typical Security Command Center resource hierarchy with roles granted at the organization level.

IAM roles include permissions to view, edit, update, create, or delete resources. Roles granted at the organization level in Security Command Center let you perform prescribed actions on findings, assets, and security sources throughout your organization. For example, a user granted the Security Center Findings Editor role (roles/securitycenter.findingsEditor) can view or edit findings attached to any resource in any project or folder in your organization. With this structure, you don't have to grant users roles in each folder or project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Organization-level roles are not suitable for all use cases, particularly for sensitive applications or compliance standards that require strict access controls. To create fine-grained access policies, Security Command Center Premium lets you grant roles at the folder and project levels.
Folder and project roles
Security Command Center Premium lets you grant Security Command Center IAM roles for specific folders and projects, creating multiple views, or silos, within your organization. You grant users and groups different access and edit permissions to folders and projects across your organization.
The following video describes Security Command Center Premium's support for folder- and project-level roles and how to manage them in the dashboard.
With folder and project roles, users with Security Command Center roles have the ability to manage assets and findings within designated projects or folders. For example, a security engineer can be given limited access to select folders and projects while a security administrator can manage all resources at the organization level.
Folder and project roles allow Security Command Center permissions to be applied at lower levels of your organization's resource hierarchy, but do not change the hierarchy. The following figure illustrates a user with Security Command Center permissions to access findings in a specific project.

Users with folder and project roles see a subset of an organization's resources, and any actions they take are limited to that same scope. For example, if a user has permissions for a folder, they can access resources in any project in the folder. Permissions for a project give users access to resources in that project only.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
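The scoping rules above (organization-level roles are inherited by every folder and project, folder-level roles reach only the projects in that folder, project-level roles stop at the project) can be checked offline against exported IAM policies. The following is an added example, not code from the Security Command Center documentation. It models policies in the JSON shape that `gcloud ... get-iam-policy --format=json` returns; the organization ID, folder IDs, project IDs, principals and ancestry are constructed sample data, and the set of roles treated as granting read access to findings is taken from the role IDs named on this page.

```python
"""Resolve effective Security Command Center roles through the resource hierarchy.

Added example; it is not code from the Security Command Center documentation.
IAM policies are modelled in the JSON shape that `gcloud ... get-iam-policy
--format=json` returns. The organization ID, folder IDs, project IDs and
principals below are constructed sample data.
"""
from typing import Dict, List, Set

# Role IDs named on this page that include read access to findings.
FINDINGS_READ_ROLES: Set[str] = {
    "roles/securitycenter.admin",
    "roles/securitycenter.adminViewer",
    "roles/securitycenter.findingsViewer",
    "roles/securitycenter.findingsEditor",
}

# Constructed sample: IAM policy per resource, keyed by full resource name.
# An org-level Security Center Admin, a folder-scoped Findings Viewer group and
# a project-scoped Assets Viewer.
POLICIES: Dict[str, dict] = {
    "organizations/123456789012": {
        "bindings": [
            {"role": "roles/resourcemanager.organizationAdmin",
             "members": ["user:org-admin@example.com"]},
            {"role": "roles/securitycenter.admin",
             "members": ["user:org-admin@example.com"]},
        ],
        "etag": "BwXconstructed=", "version": 1,
    },
    "folders/111111111111": {
        "bindings": [
            {"role": "roles/securitycenter.findingsViewer",
             "members": ["group:soc-analysts@example.com"]},
        ],
        "etag": "BwXconstructed=", "version": 1,
    },
    "projects/payments-prod": {
        "bindings": [
            {"role": "roles/securitycenter.assetsViewer",
             "members": ["user:dev@example.com"]},
        ],
        "etag": "BwXconstructed=", "version": 1,
    },
}

# Constructed ancestry, nearest parent first, as `gcloud projects get-ancestors`
# reports it: payments-prod sits under folder 111..., marketing-site under 222....
ANCESTORS: Dict[str, List[str]] = {
    "folders/111111111111": ["organizations/123456789012"],
    "folders/222222222222": ["organizations/123456789012"],
    "projects/payments-prod": ["folders/111111111111", "organizations/123456789012"],
    "projects/marketing-site": ["folders/222222222222", "organizations/123456789012"],
}


def roles_bound_on(resource: str, member: str) -> Set[str]:
    """Roles granted directly to `member` in the policy attached to `resource`."""
    policy = POLICIES.get(resource, {})
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def effective_roles(member: str, resource: str) -> Set[str]:
    """Roles on `resource` plus every role inherited from its ancestors.

    Folders and projects inherit bindings made above them: an org-level grant
    reaches every project, a folder-level grant only the projects in that
    folder, and a project-level grant stops at that project.
    """
    roles = roles_bound_on(resource, member)
    for ancestor in ANCESTORS.get(resource, []):
        roles |= roles_bound_on(ancestor, member)
    return roles


def can_view_findings(member: str, resource: str) -> bool:
    """Whether any effective role lets `member` read findings on `resource`."""
    return bool(effective_roles(member, resource) & FINDINGS_READ_ROLES)


def findings_scope(member: str) -> List[str]:
    """Every modelled project in which `member` can read findings."""
    projects = [r for r in ANCESTORS if r.startswith("projects/")]
    return sorted(p for p in projects if can_view_findings(member, p))


if __name__ == "__main__":
    for who in ("user:org-admin@example.com", "group:soc-analysts@example.com",
                "user:dev@example.com"):
        print(f"{who}: findings visible in {findings_scope(who) or 'no project'}")
```

Run against real exports, the same functions answer the review question this section raises: which principals can reach findings in a given project, and whether that reach comes from a scoped folder or project grant or from an inherited organization-level role that a viewer role at a lower level could replace.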
Role restrictions
By granting Security Command Center roles at the folder or project level, Security Command Center Premium administrators can do the following:
- Limit Security Command Center view or edit permissions to specific folders and projects
- Grant view and edit permissions for groups of assets or findings to specific users or teams
- Restrict the ability to view or edit finding details, including updates to security marks and finding state, to individuals or groups with access to the underlying finding
- Control access to Security Command Center settings, which can only be viewed by individuals with organization-level roles
Security Command Center functions
Security Command Center Premium functions are also restricted based on view and edit permissions.
The Security Command Center dashboard lets individuals without organization-level permissions choose resources to which they have access. Their selection updates all elements of the user interface, including assets, findings, and settings controls. Users see the privileges attached to their roles and whether they can access or edit findings at their current scope.
The Security Command Center API and Google Cloud CLI also restrict functions to prescribed folders and projects. If calls to list or group assets and findings are made by users granted folder or project roles, only findings or assets at those scopes are returned.
Calls to create or update findings and finding notifications only support the organization scope. You need organization-level roles to perform these tasks.
Parent resources for findings
Usually, a finding is attached to a resource, like a virtual machine (VM) or firewall. Security Command Center attaches findings to the most immediate container for the resource that generated the finding. For example, if a VM generates a finding, the finding is attached to the project that contains the VM. Findings that are not connected to a Google Cloud resource are attached to the organization and are visible to anyone with organization-level Security Command Center permissions.
IAM roles in Security Command Center
The following table lists the IAM roles available for Security Command Center and the access that each role grants. Security Command Center Premium supports granting these roles at the organization, folder, or project level. Security Command Center Standard only supports granting IAM roles at the organization level.
Role | Description |
---|---|
Security Center Admin | Admin (super user) access to security center |
Security Center Admin Editor | Admin read-write access to security center |
Security Center Admin Viewer | Admin read access to security center |
Security Center Asset Security Marks Writer | Write access to asset security marks |
Security Center Assets Discovery Runner | Run asset discovery access to assets |
Security Center Assets Viewer | Read access to assets |
Security Center BigQuery Exports Editor | Read-write access to security center BigQuery exports |
Security Center BigQuery Exports Viewer | Read access to security center BigQuery exports |
Security Center External Systems Editor | Write access to security center external systems |
Security Center Finding Security Marks Writer | Write access to finding security marks |
Security Center Findings Bulk Mute Editor | Ability to mute findings in bulk |
Security Center Findings Editor | Read-write access to findings |
Security Center Findings Mute Setter | Set mute access to findings |
Security Center Findings State Setter | Set state access to findings |
Security Center Findings Viewer | Read access to findings |
Security Center Findings Workflow State Setter (Beta) | Set workflow state access to findings |
Security Center Mute Configurations Editor | Read-write access to security center mute configurations |
Security Center Mute Configurations Viewer | Read access to security center mute configurations |
Security Center Notification Configurations Editor | Write access to notification configurations |
Security Center Notification Configurations Viewer | Read access to notification configurations |
Security Center Settings Admin | Admin (super user) access to security center settings |
Security Center Settings Editor | Read-write access to security center settings |
Security Center Settings Viewer | Read access to security center settings |
Security Center Sources Admin | Admin access to sources |
Security Center Sources Editor | Read-write access to sources |
Security Center Sources Viewer | Read access to sources |
Role: Security Center Service Agent
When you enable Security Command Center, a service account is created for you in the format service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com.
In order to use Security Command Center, the service account must be granted the securitycenter.serviceAgent role at the organization level. This role enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis.
You are asked to grant this role to the service account as part of Security Command Center's onboarding process. You can grant all required roles through the onboarding interface or, alternatively, use gcloud to manually grant roles. For instructions on granting roles to the service account, see Grant permissions.
The securitycenter.serviceAgent role is summarized in the following table:
Role | Title | Description | Lowest resource |
---|---|---|---|
roles/securitycenter.serviceAgent | Security Center Service Agent | Access to scan Google Cloud resources and import security scans | Organization |
To add roles/securitycenter.serviceAgent, you must have roles/resourcemanager.organizationAdmin. You can add the role to a service account by running:

```shell
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="serviceAccount:service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"
```

Replace ORGANIZATION_ID with your organization ID.
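Two checks follow directly from this section and from the viewer-role guidance under Permissions: whether the service agent actually holds roles/securitycenter.serviceAgent at the organization level, and which principals hold edit-capable Security Command Center roles there when a viewer role might suffice. The following is an added example, not code from the Security Command Center documentation. It reads a policy in the shape that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` returns; the organization ID, the principals and the policy contents are constructed sample data, and the set of roles treated as edit-capable is limited to the role IDs named on this page.

```python
"""Audit an organization IAM policy for Security Command Center onboarding.

Added example; it is not code from the Security Command Center documentation.
It checks two things the page describes: that the Security Command Center
service agent holds roles/securitycenter.serviceAgent at the organization
level, and which principals hold edit-capable Security Command Center roles
there (candidates for the viewer roles the page recommends when edit access
is not needed). The organization ID and principals are constructed, and the
policy is shaped like the output of
`gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`.
"""
import json
from typing import Dict, Set

SERVICE_AGENT_ROLE = "roles/securitycenter.serviceAgent"
SCC_ROLE_PREFIX = "roles/securitycenter."

# Role IDs named on this page that grant edit rights on Security Command Center data.
EDIT_ROLES: Set[str] = {
    "roles/securitycenter.admin",
    "roles/securitycenter.findingsEditor",
}

ORGANIZATION_ID = "123456789012"  # constructed placeholder, not a real organization

# Constructed sample policy. The service agent is already bound; two humans hold
# the full Admin role and one group holds the Admin Viewer role.
ORG_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:org-admin@example.com"]},
        {"role": "roles/securitycenter.admin",
         "members": ["user:org-admin@example.com", "user:auditor@example.com"]},
        {"role": "roles/securitycenter.adminViewer",
         "members": ["group:security-readers@example.com"]},
        {"role": SERVICE_AGENT_ROLE,
         "members": ["serviceAccount:service-org-123456789012"
                     "@security-center-api.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXconstructedEtag=",
    "version": 1,
})


def load_sample_policy() -> dict:
    """Parse the constructed policy exactly as gcloud JSON output would be parsed."""
    return json.loads(ORG_POLICY_JSON)


def service_agent_member(org_id: str) -> str:
    """IAM member string of the service agent created when SCC is enabled."""
    return (f"serviceAccount:service-org-{org_id}"
            "@security-center-api.iam.gserviceaccount.com")


def has_service_agent_binding(policy: dict, org_id: str) -> bool:
    """True if the service agent holds roles/securitycenter.serviceAgent."""
    agent = service_agent_member(org_id)
    return any(b["role"] == SERVICE_AGENT_ROLE and agent in b.get("members", [])
               for b in policy.get("bindings", []))


def scc_roles_by_member(policy: dict) -> Dict[str, Set[str]]:
    """Map each principal to the Security Command Center roles it holds here."""
    result: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        if not binding["role"].startswith(SCC_ROLE_PREFIX):
            continue
        for member in binding.get("members", []):
            result.setdefault(member, set()).add(binding["role"])
    return result


def edit_role_holders(policy: dict) -> Dict[str, Set[str]]:
    """Principals with org-wide edit roles; review whether a viewer role would do."""
    return {member: roles & EDIT_ROLES
            for member, roles in scc_roles_by_member(policy).items()
            if roles & EDIT_ROLES}


def grant_service_agent_command(org_id: str) -> str:
    """The gcloud command shown on this page, with the organization ID filled in."""
    return (f"gcloud organizations add-iam-policy-binding {org_id} "
            f'--member="{service_agent_member(org_id)}" '
            f'--role="{SERVICE_AGENT_ROLE}"')


def without_role(policy: dict, role: str) -> dict:
    """Copy of the policy with every binding for `role` removed (what-if checks)."""
    return {**policy, "bindings": [b for b in policy["bindings"] if b["role"] != role]}


def audit(policy: dict, org_id: str) -> dict:
    """Summarise service-agent onboarding state and org-level edit exposure."""
    ok = has_service_agent_binding(policy, org_id)
    return {
        "service_agent_ok": ok,
        "remediation": None if ok else grant_service_agent_command(org_id),
        "edit_role_holders": edit_role_holders(policy),
    }


if __name__ == "__main__":
    report = audit(load_sample_policy(), ORGANIZATION_ID)
    holders = {m: sorted(r) for m, r in report["edit_role_holders"].items()}
    print(json.dumps({**report, "edit_role_holders": holders}, indent=2))
```

In practice you would feed `audit()` the parsed output of the get-iam-policy command for your own organization; when the service agent binding is absent the report carries the exact add-iam-policy-binding command from this page as the remediation, and the edit-role list is the starting point for deciding who can be moved to Security Center Admin Viewer.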
For more information about IAM roles, see Understanding roles.
Web Security Scanner
IAM roles prescribe how you can use Web Security Scanner. The tables below include each IAM role available for Web Security Scanner and the methods available to them. Grant these roles at the project level. To give users the ability to create and manage security scans, you add users to your project and grant them permissions using the roles.
Web Security Scanner supports basic roles and predefined roles that give more granular access to Web Security Scanner resources.
Basic IAM roles
The following describes the Web Security Scanner permissions that are granted by basic roles.
Role | Description |
---|---|
Owner | Full access to all Web Security Scanner resources |
Editor | Full access to all Web Security Scanner resources |
Viewer | No access to Web Security Scanner |
Predefined IAM roles
The following describes the Web Security Scanner permissions that are granted by Web Security Scanner roles.
Role | Description |
---|---|
Web Security Scanner Editor | Full access to all Web Security Scanner resources |
Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans |
Web Security Scanner Viewer | Read access to all Web Security Scanner resources |
For more information about IAM roles, see Understanding roles.