Access control

Security Command Center

Identity and Access Management (IAM) roles prescribe how you can use the Security Command Center API. Following is a list of each IAM role available for Security Command Center and the methods available to them. Apply these roles at the organization level.

Role	Title	Description	Permissions	Lowest resource
`roles/securitycenter.admin`	Security Center Admin	Admin(super user) access to security center	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organization
`roles/securitycenter.adminEditor`	Security Center Admin Editor	Admin Read-write access to security center	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organization
`roles/securitycenter.adminViewer`	Security Center Admin Viewer	Admin Read access to security center	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organization
`roles/securitycenter.assetSecurityMarksWriter`	Security Center Asset Security Marks Writer	Write access to asset security marks	securitycenter.assetsecuritymarks.* securitycenter.userinterfacemetadata.*	Organization
`roles/securitycenter.assetsDiscoveryRunner`	Security Center Assets Discovery Runner	Run asset discovery access to assets	securitycenter.assets.runDiscovery securitycenter.userinterfacemetadata.*	Organization
`roles/securitycenter.assetsViewer`	Security Center Assets Viewer	Read access to assets	resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.userinterfacemetadata.*	Organization
`roles/securitycenter.findingSecurityMarksWriter`	Security Center Finding Security Marks Writer	Write access to finding security marks	securitycenter.findingsecuritymarks.* securitycenter.userinterfacemetadata.*	Organization
`roles/securitycenter.findingsEditor`	Security Center Findings Editor	Read-write access to findings	resourcemanager.organizations.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.findings.setState securitycenter.findings.update securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.*	Organization
`roles/securitycenter.findingsStateSetter`	Security Center Findings State Setter	Set state access to findings	securitycenter.findings.setState securitycenter.userinterfacemetadata.*	Organization
`roles/securitycenter.findingsViewer`	Security Center Findings Viewer	Read access to findings	resourcemanager.organizations.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.*	Organization
`roles/securitycenter.findingsWorkflowStateSetter`	Security Center Findings Workflow State Setter ^Beta	Set workflow state access to findings	securitycenter.findings.setWorkflowState securitycenter.userinterfacemetadata.*
`roles/securitycenter.notificationConfigEditor`	Security Center Notification Configurations Editor	Write access to notification configurations	securitycenter.notificationconfig.* securitycenter.userinterfacemetadata.*
`roles/securitycenter.notificationConfigViewer`	Security Center Notification Configurations Viewer	Read access to notification configurations	securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.userinterfacemetadata.*
`roles/securitycenter.settingsAdmin`	Security Center Settings Admin	Admin(super user) access to security center settings	securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.*
`roles/securitycenter.settingsEditor`	Security Center Settings Editor	Read-Write access to security center settings	securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.*
`roles/securitycenter.settingsViewer`	Security Center Settings Viewer	Read access to security center settings	securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get
`roles/securitycenter.sourcesAdmin`	Security Center Sources Admin	Admin access to sources	resourcemanager.organizations.get securitycenter.sources.* securitycenter.userinterfacemetadata.*	Organization
`roles/securitycenter.sourcesEditor`	Security Center Sources Editor	Read-write access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.userinterfacemetadata.*	Organization
`roles/securitycenter.sourcesViewer`	Security Center Sources Viewer	Read access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.*	Organization

Role: Security Center Service Agent

When you enable Security Command Center, a service account is created for you in the format of service-org-organization-id@security-center-api.iam.gserviceaccount.com. In order to use Security Command Center, the service account must be granted the securitycenter.serviceAgent role at the organization level. This role enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis.

You are asked to grant this role to the service account as part of Security Command Center's onboarding process. You can grant all required roles through the onboarding interface or, alternatively, use gcloud to manually grant roles. For instructions on granting roles to the service account, see Grant permissions.

This securitycenter.serviceAgent role is an internal role that includes the following permissions:

Role Title Description Permissions Lowest resource

Role	Title	Description	Permissions	Lowest resource
`roles/securitycenter.serviceAgent`	Security Center Service Agent	Access to scan Google Cloud resources and import security scans	All of the permissions of the following roles: `appengine.appViewer` `cloudasset.viewer` `compute.viewer` `container.viewer` `dlpscanner.policyReader` `dlpscanner.scanReader` `dlp.jobsReader` Plus the following additional permissions: `resourcemanager.folders.list` `resourcemanager.folders.get` `resourcemanager.organizations.list` `resourcemanager.organizations.get` `resourcemanager.projects.list` `resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `storage.buckets.get` `storage.buckets.list` `storage.buckets.getIamPolicy`	Organization

roles/securitycenter.serviceAgent

Security Center Service Agent

Access to scan Google Cloud resources and import security scans

All of the permissions of the following roles:

appengine.appViewer
cloudasset.viewer
compute.viewer
container.viewer
dlpscanner.policyReader
dlpscanner.scanReader
dlp.jobsReader

Plus the following additional permissions:

resourcemanager.folders.list
resourcemanager.folders.get
resourcemanager.organizations.list
resourcemanager.organizations.get
resourcemanager.projects.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
storage.buckets.get
storage.buckets.list
storage.buckets.getIamPolicy

Organization

To add roles/securitycenter.serviceAgent, you must have roles/resourcemanager.organizationAdmin. You can add the role to a service account by running:

gcloud organizations add-iam-policy-binding organization-id \
  --member="serviceAccount:service-org-organization-id@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"

For more information about IAM roles, see understanding roles.

Event Threat Detection

Identity and Access Management (IAM) roles prescribe how you can use the Event Threat Detection API. Below is a list of each IAM role available for Event Threat Detection and the methods available to them. Apply these roles at the organization level.

Role	Title	Description	Permissions	Lowest resource
`roles/threatdetection.editor`	Threat Detection Settings Editor ^Beta	Read-write access to all Threat Detection settings	threatdetection.*	Organization
`roles/threatdetection.viewer`	Threat Detection Settings Viewer ^Beta	Read access to all Threat Detection settings	threatdetection.detectorSettings.get threatdetection.sinkSettings.get threatdetection.sourceSettings.get	Organization

Web Security Scanner

Identity and Access Management (IAM) roles prescribe how you can use Web Security Scanner. The tables below include each IAM role available for Web Security Scanner and the methods available to them. Grant these roles at the project level. To give users the ability to create and manage security scans, you add users to your project and grant them permissions using the roles.

Web Security Scanner supports basic roles and predefined roles that give more granular access to Web Security Scanner resources.

Basic IAM roles

The following describes the Web Security Scanner permissions that are granted by basic roles.

Role	Description
Owner	Full access to all Web Security Scanner resources
Editor	Full access to all Web Security Scanner resources
Viewer	No access to Web Security Scanner

Predefined IAM roles

The following describes the Web Security Scanner permissions that are granted by Web Security Scanner roles.

Role	Title	Description	Permissions	Lowest resource
`roles/cloudsecurityscanner.editor`	Web Security Scanner Editor	Full access to all Web Security Scanner resources	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/cloudsecurityscanner.runner`	Web Security Scanner Runner	Read access to Scan and ScanRun, plus the ability to start scans	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run	Project
`roles/cloudsecurityscanner.viewer`	Web Security Scanner Viewer	Read access to all Web Security Scanner resources	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project

For more information about IAM roles, see understanding roles.