This page describes how Security Command Center uses Identity and Access Management (IAM) to control access to resources at different levels of your resource hierarchy.
Security Command Center uses IAM roles to let you control who can do what with assets, findings, and security sources in your Security Command Center environment. You grant roles to individuals and applications, and each role provides specific permissions.
Security Command Center Premium supports granting IAM roles at the organization, folder, and project levels. Security Command Center Standard only supports granting roles at the organization level.
Permissions
To set up Security Command Center or change the configuration of your organization, you need both of the following roles at the organization level:
- Organization Admin (
roles/resourcemanager.organizationAdmin) - Security Center Admin (
roles/securitycenter.admin)
If a user doesn't require edit permissions, consider granting them viewer roles. To view all assets, findings, and settings in Security Command Center, users need both of the following roles at the organization level:
- Security Center Admin Viewer (
roles/securitycenter.adminViewer) - Organization Viewer (
roles/resourcemanager.organizationViewer)
To restrict access to individual folders and projects, don't grant all roles at
the organization level. Instead, grant
roles/resourcemanager.organizationViewer at the organization level and the
following roles at the folder or project level:
- Browser (
roles/browser) - Security Center Assets Viewer (
roles/securitycenter.assetsViewer) - Security Center Findings Viewer (
roles/securitycenter.findingsViewer)
Organization-level roles
When IAM roles are applied at the organization level, projects and folders under an organization inherit its roles and permissions.
The following figure illustrates a typical Security Command Center resource hierarchy with roles granted at the organization level.
IAM roles include permissions to view, edit, update, create, or
delete resources. Roles granted at the organization level in Security Command Center
let you perform prescribed actions on findings, assets, and security sources
throughout your organization. For example, a user granted the Security Center
Findings Editor role (roles/securitycenter.findingsEditor) can view or edit
findings attached to any resource in any project or folder in your organization.
With this structure, you don't have to grant users roles in each folder or
project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Organization-level roles are not suitable for all use cases, particularly for sensitive applications or compliance standards that require strict access controls. To create fine-grained access policies, Security Command Center Premium lets you grant roles at the folder and project levels.
Folder and project roles
Security Command Center Premium lets you grant Security Command Center IAM roles for specific folders and projects, creating multiple views, or silos, within your organization. You grant users and groups different access and edit permissions to folders and projects across your organization.
The following video describes Security Command Center Premium's support for folder- and project-level roles and how to manage them in the dashboard.
With folder and project roles, users with Security Command Center roles have the ability to manage assets and findings within designated projects or folders. For example, a security engineer can be given limited access to select folders and projects while a security administrator can manage all resources at the organization level.
Folder and project roles allow Security Command Center permissions to be applied at lower levels of your organization's resource hierarchy, but do not change the hierarchy. The following figure illustrates a user with Security Command Center permissions to access findings in a specific project.
Users with folder and project roles see a subset of an organization's resources. Any actions they take are limited to the same scope. For example, if a user has permissions for a folder, they can access resources in any project in the folder. Permissions for a project gives users access to resources in that project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Role restrictions
By granting Security Command Center roles at the folder or project level, Security Command Center Premium administrators can do the following:
- Limit Security Command Center view or edit permissions to specific folders and projects
- Grant view and edit permissions for groups of assets or findings to specific users or teams
- Restrict the ability to view or edit finding details, including updates to security marks and finding state, to individuals or groups with access to the underlying finding
- Control access to Security Command Center settings, which can only be viewed by individuals with organization-level roles
Security Command Center functions
Security Command Center Premium functions are also restricted based on view and edit permissions.
The Security Command Center dashboard lets individuals without organization-level permissions choose resources to which they have access. Their selection updates all elements of the user interface, including assets, findings, and settings controls. Users see the privileges attached to their roles and whether they can access or edit findings at their current scope.
The Security Command Center API and gcloud command-line tool also restrict
functions to prescribed folders and projects. If calls to list or group assets
and findings are made by users granted folder or project roles, only findings or
assets at those scopes are returned.
Calls to create or update findings and finding notifications only support the organization scope. You need organization-level roles to perform these tasks.
Parent resources for findings
Usually, a finding is attached to a resource, like a virtual machine (VM) or firewall. Security Command Center attaches findings to the most immediate container for the resource that generated the finding. For example, if a VM generates a finding, the finding is attached to the project that contains the VM. Findings that are not connected to a Google Cloud resource are attached to the organization and are visible to anyone with organization-level Security Command Center permissions.
IAM roles in Security Command Center
The following is a list of IAM roles available for Security Command Center and the permissions included in them. Security Command Center Premium supports granting these roles at the organization, folder, or project level. Security Command Center Standard only supports granting IAM roles at the organization level.
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Security Center Admin | Admin(super user) access to security center |
|
Project |
roles/ |
Security Center Admin Editor | Admin Read-write access to security center |
|
Project |
roles/ |
Security Center Admin Viewer | Admin Read access to security center |
|
Project |
roles/ |
Security Center Asset Security Marks Writer | Write access to asset security marks |
|
Project |
roles/ |
Security Center Assets Discovery Runner | Run asset discovery access to assets |
|
Organization |
roles/ |
Security Center Assets Viewer | Read access to assets |
|
Project |
roles/ |
Security Center Finding Security Marks Writer | Write access to finding security marks |
|
Project |
roles/ |
Security Center Findings Editor | Read-write access to findings |
|
Project |
roles/ |
Security Center Findings State Setter | Set state access to findings |
|
Project |
roles/ |
Security Center Findings Viewer | Read access to findings |
|
Project |
roles/ |
Security Center Findings Workflow State Setter Beta | Set workflow state access to findings |
|
Project |
roles/ |
Security Center Notification Configurations Editor | Write access to notification configurations |
|
Organization |
roles/ |
Security Center Notification Configurations Viewer | Read access to notification configurations |
|
Organization |
roles/ |
Security Center Settings Admin | Admin(super user) access to security center settings |
|
Project |
roles/ |
Security Center Settings Editor | Read-Write access to security center settings |
|
Project |
roles/ |
Security Center Settings Viewer | Read access to security center settings |
|
Project |
roles/ |
Security Center Sources Admin | Admin access to sources |
|
Organization |
roles/ |
Security Center Sources Editor | Read-write access to sources |
|
Organization |
roles/ |
Security Center Sources Viewer | Read access to sources |
|
Project |
Role: Security Center Service Agent
When you enable Security Command Center, a service account is created for you in
the format of
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com.
In order to use Security Command Center, the service account must be granted the
securitycenter.serviceAgent role at the organization level. This role enables
the Security Command Center service account to create and update its own copy of your
organization's asset inventory metadata on an ongoing basis.
You are asked to grant this role to the service account as part of Security Command Center's onboarding process. You can grant all required roles through the onboarding interface or, alternatively, use gcloud to manually grant roles. For instructions on granting roles to the service account, see Grant permissions.
The securitycenter.serviceAgent role includes the following permissions:
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/securitycenter.serviceAgent |
Security Center Service Agent | Access to scan Google Cloud resources and import security scans |
All of the permissions of the following roles:
Plus the following additional permissions:
|
Organization |
To add roles/securitycenter.serviceAgent, you must have
roles/resourcemanager.organizationAdmin. You can add the role to a service
account by running:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="serviceAccount:service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com" \
--role="roles/securitycenter.serviceAgent"
Replace ORGANIZATION_ID with your organization ID.
For more information about IAM roles, see understanding roles.
Web Security Scanner
IAM roles prescribe how you can use Web Security Scanner. The tables below include each IAM role available for Web Security Scanner and the methods available to them. Grant these roles at the project level. To give users the ability to create and manage security scans, you add users to your project and grant them permissions using the roles.
Web Security Scanner supports basic roles and predefined roles that give more granular access to Web Security Scanner resources.
Basic IAM roles
The following describes the Web Security Scanner permissions that are granted by basic roles.
| Role | Description |
|---|---|
| Owner | Full access to all Web Security Scanner resources |
| Editor | Full access to all Web Security Scanner resources |
| Viewer | No access to Web Security Scanner |
Predefined IAM roles
The following describes the Web Security Scanner permissions that are granted by Web Security Scanner roles.
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Web Security Scanner Editor | Full access to all Web Security Scanner resources |
|
Project |
roles/ |
Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans |
|
Project |
roles/ |
Web Security Scanner Viewer | Read access to all Web Security Scanner resources |
|
Project |
For more information about IAM roles, see understanding roles.