Access control

This page describes how Security Command Center uses Identity and Access Management (IAM) to control access to resources at different levels of your resource hierarchy.

Security Command Center uses IAM roles to let you control who can do what with assets, findings, and security sources in your Security Command Center environment. You grant roles to individuals and applications, and each role provides specific permissions.

Security Command Center Premium supports granting IAM roles at the organization, folder, and project levels. Security Command Center Standard only supports granting roles at the organization level.

Permissions

To set up Security Command Center or change the configuration of your organization, you need both of the following roles at the organization level:

Organization Admin (roles/resourcemanager.organizationAdmin)
Security Center Admin (roles/securitycenter.admin)

If a user doesn't require edit permissions, consider granting them viewer roles. To view all assets, findings, and settings in Security Command Center, users need the Security Center Admin Viewer (roles/securitycenter.adminViewer) role at the organization level.

To restrict access to individual folders and projects, don't grant all roles at the organization level. Instead, grant the following roles at the folder or project level:

Security Center Assets Viewer (roles/securitycenter.assetsViewer)
Security Center Findings Viewer (roles/securitycenter.findingsViewer)

Organization-level roles

When IAM roles are applied at the organization level, projects and folders under an organization inherit its roles and permissions.

The following figure illustrates a typical Security Command Center resource hierarchy with roles granted at the organization level.

Security Command Center resource hierarchy and permission structure — Security Command Center resource hierarchy and organization-level roles (click to enlarge)

IAM roles include permissions to view, edit, update, create, or delete resources. Roles granted at the organization level in Security Command Center let you perform prescribed actions on findings, assets, and security sources throughout your organization. For example, a user granted the Security Center Findings Editor role (roles/securitycenter.findingsEditor) can view or edit findings attached to any resource in any project or folder in your organization. With this structure, you don't have to grant users roles in each folder or project.

For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.

Organization-level roles are not suitable for all use cases, particularly for sensitive applications or compliance standards that require strict access controls. To create fine-grained access policies, Security Command Center Premium lets you grant roles at the folder and project levels.

Folder and project roles

Security Command Center Premium lets you grant Security Command Center IAM roles for specific folders and projects, creating multiple views, or silos, within your organization. You grant users and groups different access and edit permissions to folders and projects across your organization.

The following video describes Security Command Center Premium's support for folder- and project-level roles and how to manage them in the dashboard.

With folder and project roles, users with Security Command Center roles have the ability to manage assets and findings within designated projects or folders. For example, a security engineer can be given limited access to select folders and projects while a security administrator can manage all resources at the organization level.

Folder and project roles allow Security Command Center permissions to be applied at lower levels of your organization's resource hierarchy, but do not change the hierarchy. The following figure illustrates a user with Security Command Center permissions to access findings in a specific project.

Users with folder and project roles see a subset of an organization's resources. Any actions they take are limited to the same scope. For example, if a user has permissions for a folder, they can access resources in any project in the folder. Permissions for a project gives users access to resources in that project.

For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.

Role restrictions

By granting Security Command Center roles at the folder or project level, Security Command Center Premium administrators can do the following:

Limit Security Command Center view or edit permissions to specific folders and projects
Grant view and edit permissions for groups of assets or findings to specific users or teams
Restrict the ability to view or edit finding details, including updates to security marks and finding state, to individuals or groups with access to the underlying finding
Control access to Security Command Center settings, which can only be viewed by individuals with organization-level roles

Security Command Center functions

Security Command Center Premium functions are also restricted based on view and edit permissions.

The Security Command Center dashboard lets individuals without organization-level permissions choose resources to which they have access. Their selection updates all elements of the user interface, including assets, findings, and settings controls. Users see the privileges attached to their roles and whether they can access or edit findings at their current scope.

The Security Command Center API and gcloud command-line tool also restrict functions to prescribed folders and projects. If calls to list or group assets and findings are made by users granted folder or project roles, only findings or assets at those scopes are returned.

Calls to create or update findings and finding notifications only support the organization scope. You need organization-level roles to perform these tasks.

Parent resources for findings

Usually, a finding is attached to a resource, like a virtual machine (VM) or firewall. Security Command Center attaches findings to the most immediate container for the resource that generated the finding. For example, if a VM generates a finding, the finding is attached to the project that contains the VM. Findings that are not connected to a Google Cloud resource are attached to the organization and are visible to anyone with organization-level Security Command Center permissions.

IAM roles in Security Command Center

The following is a list of IAM roles available for Security Command Center and the permissions included in them. Security Command Center Premium supports granting these roles at the organization, folder, or project level. Security Command Center Standard only supports granting IAM roles at the organization level.

Role	Permissions
Security Center Admin (`roles/securitycenter.admin`) Admin(super user) access to security center Lowest-level resources where you can grant this role: Project	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Security Center Admin Editor (`roles/securitycenter.adminEditor`) Admin Read-write access to security center Lowest-level resources where you can grant this role: Project	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Admin Read access to security center Lowest-level resources where you can grant this role: Project	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Security Center Asset Security Marks Writer (`roles/securitycenter.assetSecurityMarksWriter`) Write access to asset security marks Lowest-level resources where you can grant this role: Project	securitycenter.assetsecuritymarks.* securitycenter.userinterfacemetadata.*
Security Center Assets Discovery Runner (`roles/securitycenter.assetsDiscoveryRunner`) Run asset discovery access to assets Lowest-level resources where you can grant this role: Organization	securitycenter.assets.runDiscovery securitycenter.userinterfacemetadata.*
Security Center Assets Viewer (`roles/securitycenter.assetsViewer`) Read access to assets Lowest-level resources where you can grant this role: Project	resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.userinterfacemetadata.*
Security Center Finding Security Marks Writer (`roles/securitycenter.findingSecurityMarksWriter`) Write access to finding security marks Lowest-level resources where you can grant this role: Project	securitycenter.findingsecuritymarks.* securitycenter.userinterfacemetadata.*
Security Center Findings Editor (`roles/securitycenter.findingsEditor`) Read-write access to findings Lowest-level resources where you can grant this role: Project	resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.findings.setState securitycenter.findings.update securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.*
Security Center Findings State Setter (`roles/securitycenter.findingsStateSetter`) Set state access to findings Lowest-level resources where you can grant this role: Project	securitycenter.findings.setState securitycenter.userinterfacemetadata.*
Security Center Findings Viewer (`roles/securitycenter.findingsViewer`) Read access to findings Lowest-level resources where you can grant this role: Project	resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.*
Security Center Findings Workflow State Setter ^Beta (`roles/securitycenter.findingsWorkflowStateSetter`) Set workflow state access to findings Lowest-level resources where you can grant this role: Project	securitycenter.findings.setWorkflowState securitycenter.userinterfacemetadata.*
Security Center Notification Configurations Editor (`roles/securitycenter.notificationConfigEditor`) Write access to notification configurations Lowest-level resources where you can grant this role: Organization	securitycenter.notificationconfig.* securitycenter.userinterfacemetadata.*
Security Center Notification Configurations Viewer (`roles/securitycenter.notificationConfigViewer`) Read access to notification configurations Lowest-level resources where you can grant this role: Organization	securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.userinterfacemetadata.*
Security Center Settings Admin (`roles/securitycenter.settingsAdmin`) Admin(super user) access to security center settings Lowest-level resources where you can grant this role: Project	securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.*
Security Center Settings Editor (`roles/securitycenter.settingsEditor`) Read-Write access to security center settings Lowest-level resources where you can grant this role: Project	securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.*
Security Center Settings Viewer (`roles/securitycenter.settingsViewer`) Read access to security center settings Lowest-level resources where you can grant this role: Project	securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get
Security Center Sources Admin (`roles/securitycenter.sourcesAdmin`) Admin access to sources Lowest-level resources where you can grant this role: Organization	resourcemanager.organizations.get securitycenter.sources.* securitycenter.userinterfacemetadata.*
Security Center Sources Editor (`roles/securitycenter.sourcesEditor`) Read-write access to sources Lowest-level resources where you can grant this role: Organization	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.userinterfacemetadata.*
Security Center Sources Viewer (`roles/securitycenter.sourcesViewer`) Read access to sources Lowest-level resources where you can grant this role: Project	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.*

Role: Security Center Service Agent

When you enable Security Command Center, a service account is created for you in the format of service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com. In order to use Security Command Center, the service account must be granted the securitycenter.serviceAgent role at the organization level. This role enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis.

You are asked to grant this role to the service account as part of Security Command Center's onboarding process. You can grant all required roles through the onboarding interface or, alternatively, use gcloud to manually grant roles. For instructions on granting roles to the service account, see Grant permissions.

The securitycenter.serviceAgent role includes the following permissions:

Role Title Description Permissions Lowest resource

Role	Title	Description	Permissions	Lowest resource
`roles/securitycenter.serviceAgent`	Security Center Service Agent	Access to scan Google Cloud resources and import security scans	All of the permissions of the following roles: `appengine.appViewer` `cloudasset.viewer` `compute.viewer` `container.viewer` `dlpscanner.policyReader` `dlpscanner.scanReader` `dlp.jobsReader` Plus the following additional permissions: `resourcemanager.folders.list` `resourcemanager.folders.get` `resourcemanager.organizations.list` `resourcemanager.organizations.get` `resourcemanager.projects.list` `resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `storage.buckets.get` `storage.buckets.list` `storage.buckets.getIamPolicy`	Organization

roles/securitycenter.serviceAgent

Security Center Service Agent

Access to scan Google Cloud resources and import security scans

All of the permissions of the following roles:

appengine.appViewer
cloudasset.viewer
compute.viewer
container.viewer
dlpscanner.policyReader
dlpscanner.scanReader
dlp.jobsReader

Plus the following additional permissions:

resourcemanager.folders.list
resourcemanager.folders.get
resourcemanager.organizations.list
resourcemanager.organizations.get
resourcemanager.projects.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
storage.buckets.get
storage.buckets.list
storage.buckets.getIamPolicy

Organization

To add roles/securitycenter.serviceAgent, you must have roles/resourcemanager.organizationAdmin. You can add the role to a service account by running:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="serviceAccount:service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"

Replace ORGANIZATION_ID with your organization ID.

For more information about IAM roles, see understanding roles.

Web Security Scanner

IAM roles prescribe how you can use Web Security Scanner. The tables below include each IAM role available for Web Security Scanner and the methods available to them. Grant these roles at the project level. To give users the ability to create and manage security scans, you add users to your project and grant them permissions using the roles.

Web Security Scanner supports basic roles and predefined roles that give more granular access to Web Security Scanner resources.

Basic IAM roles

The following describes the Web Security Scanner permissions that are granted by basic roles.

Role	Description
Owner	Full access to all Web Security Scanner resources
Editor	Full access to all Web Security Scanner resources
Viewer	No access to Web Security Scanner

Predefined IAM roles

The following describes the Web Security Scanner permissions that are granted by Web Security Scanner roles.

Role Permissions

Role	Permissions
Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Full access to all Web Security Scanner resources Lowest-level resources where you can grant this role: Project	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Web Security Scanner Runner (`roles/cloudsecurityscanner.runner`) Read access to Scan and ScanRun, plus the ability to start scans Lowest-level resources where you can grant this role: Project	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run
Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Read access to all Web Security Scanner resources Lowest-level resources where you can grant this role: Project	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Web Security Scanner Editor
(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

Project

appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Web Security Scanner Runner
(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resources where you can grant this role:

Project

cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run

Web Security Scanner Viewer
(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

Project

cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

For more information about IAM roles, see understanding roles.