This page describes how to use Identity and Access Management (IAM) to control access to
resources in an organization-level activation of
Security Command Center .
This page is relevant to you if either of the following conditions apply:
Security Command Center is activated at the organization level and not at the
project level.
Security Command Center Standard is already activated at the organization level.
Additionally, you have Security Command Center Premium activated on one or more
projects.
If you activated Security Command Center at the project level—and not the
organization level—see IAM for project-level
activations instead.
In an organization-level activation of
Security Command Center, you can control access to resources at different levels of
your resource hierarchy. Security Command Center uses IAM roles to let
you control who can do what with assets, findings, and security sources in your
Security Command Center environment. You grant roles to individuals and applications,
and each role provides specific permissions.
Permissions
To set up Security Command Center or change the configuration of your organization,
you need both of the following roles at the organization level:
Organization Admin (roles/resourcemanager.organizationAdmin)
Security Center Admin (roles/securitycenter.admin)
If a user doesn't require edit permissions, consider granting them viewer
roles.
To view all assets, findings, and attack paths in
Security Command Center, users need the Security Center Admin Viewer
(roles/securitycenter.adminViewer) role at the organization level.
To view settings, users need the Security Center Admin
(roles/securitycenter.admin) role at the organization level.
To restrict access to individual folders and projects, don't grant all roles at
the organization level. Instead, grant the following roles at the folder
or project level:
Security Center Assets Viewer (roles/securitycenter.assetsViewer)
Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Organization-level roles
When IAM roles are applied at the organization level, projects
and folders under that organization inherit its role bindings .
The following figure illustrates a typical Security Command Center resource hierarchy
with roles granted at the organization level.
Security Command Center resource hierarchy and organization-level roles
(click to enlarge)
IAM roles include permissions to view, edit, update, create, or
delete resources. Roles granted at the organization level in Security Command Center
let you perform prescribed actions on findings, assets, and security sources
throughout your organization. For example, a user granted the Security Center
Findings Editor role (roles/securitycenter.findingsEditor) can view or edit
findings attached to any resource in any project or folder in your organization.
With this structure, you don't have to grant users roles in each folder or
project.
For instructions on managing roles and permissions, see
Manage access to projects, folders, and organizations .
Organization-level roles are not suitable for all use cases, particularly for
sensitive applications or compliance standards that require strict access
controls. To create fine-grained access policies, you can grant roles at the
folder and project levels.
Folder-level and project-level roles
Security Command Center lets you grant
Security Command Center IAM roles
for specific folders and projects, creating multiple views, or silos, within
your organization. You grant users and groups different access and edit
permissions to folders and projects across your organization.
The following video describes how to grant folder-level and project-level roles
and how to manage them in the Security Command Center dashboard.
With folder and project roles, users with Security Command Center roles have the
ability to manage assets and findings within designated projects or folders. For
example, a security engineer can be given limited access to select folders and
projects while a security administrator can manage all resources at the
organization level.
Folder and project roles allow Security Command Center permissions to be applied at
lower levels of your organization's resource hierarchy, but do not change the
hierarchy. The following figure illustrates a user with Security Command Center
permissions to access findings in a specific project.
Security Command Center resource hierarchy and project-level
roles - dashed items are inaccessible (click to enlarge)
Users with folder and project roles see a subset of an organization's resources.
Any actions they take are limited to the same scope. For example, if a user has
permissions for a folder, they can access resources in any project in the
folder. Permissions for a project gives users access to resources in that
project.
For instructions on managing roles and permissions, see
Manage access to projects, folders, and organizations .
Role restrictions
By granting Security Command Center roles at the folder or project level,
Security Command Center administrators can do the following:
Limit Security Command Center view or edit permissions to specific folders and
projects
Grant view and edit permissions for groups of assets or findings to specific
users or teams
Restrict the ability to view or edit finding details, including updates
to security marks and finding state, to individuals or groups with access to
the underlying finding
Control access to Security Command Center settings, which can only be viewed by
individuals with organization-level roles
Security Command Center functions
Security Command Center functions are also restricted based on view and edit
permissions.
In the Google Cloud console, Security Command Center lets
individuals without organization-level
permissions choose only resources to which they have access. Their selection
updates all elements of the user interface, including assets, findings, and
settings controls. Users see the privileges attached to their roles and whether
they can access or edit findings at their current scope.
The Security Command Center API and Google Cloud CLI also restrict
functions to prescribed folders and projects. If calls to list or group assets
and findings are made by users granted folder or project roles, only findings or
assets at those scopes are returned.
For organization-level activations of Security Command Center, calls to create or
update findings and finding notifications only support the organization scope.
You need organization-level roles to perform these tasks.
To view the attack paths that are generated by attack path simulations,
the appropriate permissions must be granted at the organization level
and the Google Cloud console view must be set to the organization.
Parent resources for findings
Usually, a finding is attached to a resource, like a virtual machine (VM)
or firewall. Security Command Center attaches findings to the most immediate
container for the resource that generated the finding. For example, if a VM
generates a finding, the finding is attached to the project that contains the
VM. Findings that are not connected to a Google Cloud resource are attached to
the organization and are visible to anyone with organization-level
Security Command Center permissions.
IAM roles in Security Command Center
The following is a list of IAM roles available for
Security Command Center and the permissions included in them. Security Command Center
supports granting these roles at the organization, folder, or project level.
Role
Permissions
Security Center Admin
(roles/)
Admin(super user) access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.
artifactregistry.artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.getartifactregistry.
artifactregistry.
artifactregistry.artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.artifactregistry.
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
assuredoss.config.getassuredoss.customers.createassuredoss.locations.getassuredoss.locations.listassuredoss.metadata.getassuredoss.metadata.listassuredoss.operations.cancelassuredoss.operations.deleteassuredoss.operations.getassuredoss.operations.list
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudsecurityscanner.*
cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.scans.getcloudsecurityscanner.cloudsecurityscanner.scans.runcloudsecurityscanner.
compute.addresses.list
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.*
securitycenter.assets.groupsecuritycenter.assets.listsecuritycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.findings.groupsecuritycenter.findings.listsecuritycenter.securitycenter.securitycenter.securitycenter.securitycenter.findings.updatesecuritycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.muteconfigs.getsecuritycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.simulations.getsecuritycenter.sources.getsecuritycenter.securitycenter.sources.listsecuritycenter.securitycenter.sources.updatesecuritycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Security Center Admin Editor
(roles/)
Admin Read-write access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.
artifactregistry.artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.getartifactregistry.
artifactregistry.
artifactregistry.artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.artifactregistry.
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.getassuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.getassuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudsecurityscanner.*
cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.scans.getcloudsecurityscanner.cloudsecurityscanner.scans.runcloudsecurityscanner.
compute.addresses.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.*
securitycenter.assets.groupsecuritycenter.assets.listsecuritycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.*
securitycenter.securitycenter.findings.groupsecuritycenter.findings.listsecuritycenter.securitycenter.securitycenter.securitycenter.securitycenter.findings.update
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.*
securitycenter.securitycenter.securitycenter.muteconfigs.getsecuritycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Admin Viewer
(roles/)
Admin Read access to security center
Lowest-level resources where you can grant this role:
artifactregistry.
artifactregistry.artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.getartifactregistry.
artifactregistry.
artifactregistry.artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.artifactregistry.
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.getassuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.getassuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudsecurityscanner.
cloudsecurityscanner.results.*
cloudsecurityscanner.cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.scans.get
cloudsecurityscanner.
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Asset Security Marks Writer
(roles/)
Write access to asset security marks
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Assets Discovery Runner
(roles/)
Run asset discovery access to assets
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Assets Viewer
(roles/)
Read access to assets
Lowest-level resources where you can grant this role:
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.
securitycenter.
Security Center Attack Paths Reader
(roles/)
Read access to security center attack paths
securitycenter.
Security Center BigQuery Exports Editor
(roles/)
Read-Write access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
Security Center BigQuery Exports Viewer
(roles/)
Read access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
Security Center Compliance Snapshots Viewer
Beta
(roles/)
Read access to security center compliance snapshots
securitycenter.
Security Center External Systems Editor
(roles/)
Write access to security center external systems
securitycenter.
Security Center Finding Security Marks Writer
(roles/)
Write access to finding security marks
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Findings Bulk Mute Editor
(roles/)
Ability to mute findings in bulk
securitycenter.
Security Center Findings Editor
(roles/)
Read-write access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
Security Center Findings Mute Setter
(roles/)
Set mute access to findings
securitycenter.
Security Center Findings State Setter
(roles/)
Set state access to findings
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Findings Viewer
(roles/)
Read access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
Security Center Findings Workflow State Setter
Beta
(roles/)
Set workflow state access to findings
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Mute Configurations Editor
(roles/)
Read-Write access to security center mute configurations
securitycenter.muteconfigs.*
securitycenter.securitycenter.securitycenter.muteconfigs.getsecuritycenter.securitycenter.
Security Center Mute Configurations Viewer
(roles/)
Read access to security center mute configurations
securitycenter.muteconfigs.get
securitycenter.
Security Center Notification Configurations Editor
(roles/)
Write access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
securitycenter.
Security Center Notification Configurations Viewer
(roles/)
Read access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
securitycenter.
Security Center Resource Value Configurations Editor
(roles/)
Read-Write access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
Security Center Resource Value Configurations Viewer
(roles/)
Read access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.
securitycenter.
Security Health Analytics Custom Modules Tester
(roles/)
Test access to Security Health Analytics Custom Modules
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
Security Center Settings Admin
(roles/)
Admin(super user) access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.muteconfigs.*
securitycenter.securitycenter.securitycenter.muteconfigs.getsecuritycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.
Security Center Settings Editor
(roles/)
Read-Write access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.muteconfigs.*
securitycenter.securitycenter.securitycenter.muteconfigs.getsecuritycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.securitycentermanagement.
Security Center Settings Viewer
(roles/)
Read access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Simulations Reader
(roles/)
Read access to security center simulations
securitycenter.simulations.get
Security Center Sources Admin
(roles/)
Admin access to sources
Lowest-level resources where you can grant this role:
resourcemanager.
securitycenter.sources.*
securitycenter.sources.getsecuritycenter.securitycenter.sources.listsecuritycenter.securitycenter.sources.update
securitycenter.
Security Center Sources Editor
(roles/)
Read-write access to sources
Lowest-level resources where you can grant this role:
resourcemanager.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.
Security Center Sources Viewer
(roles/)
Read access to sources
Lowest-level resources where you can grant this role:
resourcemanager.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
Security Center Valued Resources Reader
(roles/)
Read access to security center valued resources
securitycenter.
IAM roles in the security posture service
The following is a list of IAM roles and permissions available for the
security posture service and infrastructure as code validation feature.
You can grant these roles at the organization, folder, or project level.
Note that the Security Posture Admin role is only available at the organization
level.
Role
Permissions
Security Posture Admin
(roles/)
Full access to Security Posture service APIs.
orgpolicy.*
orgpolicy.constraints.listorgpolicy.orgpolicy.orgpolicy.orgpolicy.orgpolicy.orgpolicy.policies.createorgpolicy.policies.deleteorgpolicy.policies.listorgpolicy.policies.updateorgpolicy.policy.getorgpolicy.policy.set
resourcemanager.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycentermanagement.
securitycentermanagement.securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.*
securityposture.locations.getsecurityposture.locations.listsecurityposture.securityposture.operations.getsecurityposture.securityposture.securityposture.securityposture.securityposture.securityposture.securityposture.securityposture.securityposture.securityposture.securityposture.securityposture.postures.getsecurityposture.postures.listsecurityposture.securityposture.reports.createsecurityposture.reports.getsecurityposture.reports.list
Security Posture Resource Editor
(roles/)
Mutate and read permissions to the Posture resource.
securityposture.operations.get
securityposture.postures.*
securityposture.securityposture.securityposture.securityposture.postures.getsecurityposture.postures.listsecurityposture.
Security Posture Deployer
(roles/)
Mutate and read permissions to the Posture Deployment resource.
orgpolicy.*
orgpolicy.constraints.listorgpolicy.orgpolicy.orgpolicy.orgpolicy.orgpolicy.orgpolicy.policies.createorgpolicy.policies.deleteorgpolicy.policies.listorgpolicy.policies.updateorgpolicy.policy.getorgpolicy.policy.set
resourcemanager.
securitycenter.
securitycenter.securitycenter.securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.operations.get
securityposture.
securityposture.securityposture.securityposture.securityposture.securityposture.
Security Posture Resource Viewer
(roles/)
Read only access to the Posture resource.
resourcemanager.
securityposture.operations.get
securityposture.postures.get
securityposture.postures.list
Security Posture Deployments Viewer
(roles/)
Read only access to the Posture Deployment resource.
resourcemanager.
securityposture.operations.get
securityposture.
securityposture.
Security Posture Shift-Left Validator
(roles/)
Create access for Reports, e.g. IaC Validation Report.
securityposture.operations.get
securityposture.reports.*
securityposture.reports.createsecurityposture.reports.getsecurityposture.reports.list
Security Posture Viewer
(roles/)
Read only access to all the SecurityPosture Service resources.
resourcemanager.
securityposture.operations.get
securityposture.
securityposture.
securityposture.
securityposture.securityposture.
securityposture.postures.get
securityposture.postures.list
Service agent roles
A service agent is a Google-managed service account that allows a service to
access your resources.
When you activate Security Command Center, two service agents are created for you:
service-org-ORGANIZATION_ID @security-center-api.iam.gserviceaccount.com.
This service agent requires the roles/securitycenter.serviceAgent
IAM role.
service-org-ORGANIZATION_ID @gcp-sa-ktd-hpsa.iam.gserviceaccount.com.
This service agent requires the roles/containerthreatdetection.serviceAgent
IAM role.
During the activation process
of Security Command Center, you are prompted to grant one or more required
IAM roles to each service agent. Granting
the roles to each service agent is required for Security Command Center to
function.
To view the permissions for each role, see the following:
To grant the roles, you must have the roles/resourcemanager.organizationAdmin
role.
If you don't have the roles/resourcemanager.organizationAdmin role,
your organization administrator can grant the roles to the service
agents for you with the following gcloud CLI command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="SERVICE_AGENT_NAME " \
--role="IAM_ROLE "
Replace the following:
ORGANIZATION_ID SERVICE_AGENT_NAME
service-org-ORGANIZATION_ID @security-center-api.iam.gserviceaccount.comservice-org-ORGANIZATION_ID @gcp-sa-ktd-hpsa.iam.gserviceaccount.com IAM_ROLE
roles/securitycenter.serviceAgentroles/containerthreatdetection.serviceAgent
For more information about IAM roles, see
understanding roles .
Web Security Scanner
IAM roles prescribe how you can use Web Security Scanner. The tables
below include each IAM role available for Web Security Scanner
and the methods available to them. Grant these roles at the project level.
To give users the ability to create and manage security scans, you add users to
your project and grant them permissions using the roles.
Web Security Scanner supports
basic roles
and
predefined roles
that give more granular access to Web Security Scanner resources.
Basic IAM roles
The following describes the Web Security Scanner permissions that are granted
by basic roles.
Role
Description
Owner
Full access to all Web Security Scanner resources
Editor
Full access to all Web Security Scanner resources
Viewer
No access to Web Security Scanner
Predefined IAM roles
The following describes the Web Security Scanner permissions that are granted
by Web Security Scanner roles.
Role
Permissions
Web Security Scanner Editor
(roles/)
Full access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
appengine.applications.get
cloudsecurityscanner.*
cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.cloudsecurityscanner.scans.getcloudsecurityscanner.cloudsecurityscanner.scans.runcloudsecurityscanner.
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Web Security Scanner Runner
(roles/)
Read access to Scan and ScanRun, plus the ability to start scans
Lowest-level resources where you can grant this role:
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.scans.get
cloudsecurityscanner.
cloudsecurityscanner.scans.run
Web Security Scanner Viewer
(roles/)
Read access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
cloudsecurityscanner.
cloudsecurityscanner.results.*
cloudsecurityscanner.cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.scans.get
cloudsecurityscanner.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
For more information about IAM roles, see
understanding roles .
