This page describes how to use Identity and Access Management (IAM) to control access to resources in an organization-level activation of Security Command Center.
This page applies to you if either of the following conditions holds:
Security Command Center is activated at the organization level, not at the project level.
Security Command Center Standard is already activated at the organization level, and Security Command Center Premium is also activated in one or more projects.
If you activated Security Command Center at the project level rather than at the organization level, see IAM for project-level activations.
In an organization-level activation of Security Command Center, you can control access to resources at different levels of the resource hierarchy. Security Command Center uses IAM roles to control who can do what with assets, findings, and security services in your Security Command Center environment. You grant roles to individuals and applications, and each role provides specific permissions.
Permissions
To set up Security Command Center or change your organization's configuration, you need both of the following roles at the organization level:
Organization Administrator (roles/resourcemanager.organizationAdmin)
Security Center Admin (roles/securitycenter.admin)
If a user does not need edit permissions, consider granting them viewer roles instead.
To view all assets, findings, and attack paths in Security Command Center, users need the Security Center Admin Viewer role (roles/securitycenter.adminViewer) at the organization level.
To view settings, users need the Security Center Admin role (roles/securitycenter.admin) at the organization level.
To restrict access to individual folders and projects, don't grant every role at the organization level. Instead, grant the following roles at the folder or project level:
Security Center Assets Viewer (roles/securitycenter.assetsViewer)
Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Organization-level roles
When IAM roles are applied at the organization level, the projects and folders in that organization inherit the role bindings.
The following figure illustrates a typical Security Command Center resource hierarchy with permissions granted at the organization level.
Figure: Security Command Center resource hierarchy and organization-level roles
IAM roles include permissions to view, edit, update, create, or manage resources. Roles granted at the organization level in Security Command Center let users perform the prescribed actions on findings, assets, and security services across the entire organization. For example, a user with the Security Center Findings Editor role (roles/securitycenter.findingsEditor) can view or edit findings attached to any resource in any project or folder in the organization.
With this structure, you don't need to grant roles to users in each individual folder or project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Organization-level roles aren't suitable for every use case, especially for sensitive applications or compliance regimes that require strict access controls. To create fine-grained access policies, you can grant roles at the folder and project levels.
Folder-level and project-level roles
Security Command Center Premium lets you grant Security Command Center IAM roles on specific folders and projects, creating multiple views or silos within your organization. You can give different users and groups different view and edit access on folders and projects across the organization.
The following video describes how to grant roles at the folder and project levels and how to manage them in the Security Command Center dashboard.
With folder and project roles, users who hold Security Command Center roles can manage assets and findings in the designated projects or folders. For example, a security engineer might have access limited to selected folders and projects, while a security administrator can manage all resources at the organization level.
Folder and project roles let Security Command Center permissions be applied at lower levels of the organization's resource hierarchy without changing the hierarchy itself. The following figure illustrates a user with Security Command Center permissions to access findings in a single project.
Figure: Security Command Center resource hierarchy and project-level roles; dashed items are inaccessible
Users with folder-level and project-level roles see a subset of the organization's resources.
The actions they can take are limited to the same scope. For example, if a user has permissions on a folder, they can access resources in any project in that folder. Permissions on a project give users access to resources in that project only.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Role restrictions
By granting Security Command Center roles at the folder or project level, Security Command Center Premium administrators can do the following:
Limit Security Command Center view or edit permissions to specific folders and projects
Grant view and edit permissions on groups of assets or findings to specific users or teams
Restrict the ability to view or edit finding details, including updates to security marks and finding states, to individuals or groups with access to the underlying finding
Control access to Security Command Center settings, which can only be viewed by people with organization-level roles
Security Command Center features
Security Command Center Premium features are also restricted according to view and edit permissions.
In the Google Cloud console, Security Command Center lets individuals without organization-level permissions select only the resources they have access to. The selection updates every element of the user interface, including the controls for assets, findings, and settings. Users can clearly see the privileges attached to their roles and whether they can access or edit findings in the current scope.
The Security Command Center API and the Google Cloud CLI also restrict features to specific folders and projects. If calls to list or group assets and findings are made by users who hold folder or project roles, only the findings or assets in those scopes are returned.
For organization-level activations of Security Command Center, calls to create or update findings and finding notifications are supported only at the organization scope. You need organization-level roles to perform these tasks.
To view attack paths generated by attack simulations, the appropriate permissions must be granted at the organization level, and the Google Cloud console view must be set to the organization.
Parent resources for findings
Typically, a finding is attached to a resource, such as a virtual machine (VM) or a firewall. Security Command Center attaches findings to the most immediate container of the resource that produced the finding. For example, if a VM produces a finding, the finding is attached to the project that contains the VM. Findings that aren't connected to a Google Cloud resource are attached to the organization and are visible to anyone with organization-level Security Command Center permissions.
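The inheritance rule from the organization-level section, the scoped subset view described for folder- and project-level roles, and the rule that a finding sits on its producing resource's closest container, combined in one small model. This is an added illustration, not code from the documentation page or from Google: the hierarchy, principals and bindings are constructed sample data, and the organization id is a placeholder.

```python
"""Toy model of Security Command Center IAM scoping.

Added illustration, not code from the documentation page or from Google.
The hierarchy, principals and bindings below are constructed sample data.
"""

ORG = "organizations/123456789012"  # constructed placeholder org id

# Constructed resource hierarchy: each resource maps to its parent,
# with None marking the organization at the root.
PARENT = {
    ORG: None,
    "folders/finance": ORG,
    "folders/eng": ORG,
    "projects/payroll": "folders/finance",
    "projects/web": "folders/eng",
    "projects/ci": "folders/eng",
}

# Constructed bindings (resource, member, role), as created with
# `gcloud ... add-iam-policy-binding` at the org, folder or project level.
BINDINGS = [
    (ORG, "user:sec-admin@example.com", "roles/securitycenter.adminViewer"),
    ("folders/eng", "user:eng-lead@example.com",
     "roles/securitycenter.findingsViewer"),
    ("projects/payroll", "user:payroll-dev@example.com",
     "roles/securitycenter.findingsViewer"),
]

# Roles whose permission list includes securitycenter.findings.list.
FINDINGS_READ_ROLES = {
    "roles/securitycenter.admin",
    "roles/securitycenter.adminEditor",
    "roles/securitycenter.adminViewer",
    "roles/securitycenter.findingsEditor",
    "roles/securitycenter.findingsViewer",
}


def ancestors(resource):
    """Return resource followed by each ancestor up to the organization."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def effective_roles(member, resource):
    """Roles member holds on resource: bindings on the resource itself plus
    bindings inherited from every folder above it and from the organization."""
    scope = set(ancestors(resource))
    return {role for res, m, role in BINDINGS if m == member and res in scope}


def can_list_findings(member, finding_parent):
    """A finding is attached to the closest container of the resource that
    produced it (the project for a VM; the organization when there is no
    Google Cloud resource), so visibility is decided on that container."""
    return bool(effective_roles(member, finding_parent) & FINDINGS_READ_ROLES)


def visible_scope(member):
    """Containers whose findings a list or group call returns for member:
    the whole hierarchy for an org-level role holder, a subset otherwise."""
    return sorted(r for r in PARENT if can_list_findings(member, r))


if __name__ == "__main__":
    for principal in sorted({m for _, m, _ in BINDINGS}):
        print(f"{principal}: {visible_scope(principal)}")
```

Findings attached directly to the organization (no Google Cloud resource) are visible only to the org-level principal in this model, matching the rule above.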
IAM roles in Security Command Center
The following is a list of the IAM roles available for Security Command Center and the permissions included in each. Security Command Center supports granting these roles at the organization, folder, or project level.
Role / Permissions
Security Center Admin (roles/securitycenter.admin)
Admin (super user) access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
assuredoss.config.get
assuredoss.customers.create
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.*
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.update
securitycenter.attackpaths.list
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.*
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Security Center Admin Editor (roles/securitycenter.adminEditor)
Admin read-write access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.*
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.update
securitycenter.attackpaths.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findingexternalsystems.update
securitycenter.findings.*
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.*
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Admin Viewer (roles/securitycenter.adminViewer)
Admin read access to security center
Lowest-level resources where you can grant this role:
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.attackpaths.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Asset Security Marks Writer
(roles/ securitycenter.assetSecurityMarksWriter
)
Write access to asset security marks
Lowest-level resources where you can grant this role:
securitycenter. assetsecuritymarks. update
securitycenter. userinterfacemetadata. get
Security Center Assets Discovery Runner
(roles/ securitycenter.assetsDiscoveryRunner
)
Run asset discovery access to assets
Lowest-level resources where you can grant this role:
securitycenter. assets. runDiscovery
securitycenter. userinterfacemetadata. get
Security Center Assets Viewer
(roles/ securitycenter.assetsViewer
)
Read access to assets
Lowest-level resources where you can grant this role:
cloudasset. assets. exportIamPolicy
cloudasset. assets. exportOSInventories
cloudasset. assets. exportResource
cloudasset. assets. queryAccessPolicy
cloudasset. assets. queryIamPolicy
cloudasset. assets. queryOSInventories
cloudasset. assets. queryResource
cloudasset. assets. searchAllIamPolicies
cloudasset. assets. searchAllResources
resourcemanager.folders.get
resourcemanager. organizations. get
resourcemanager.projects.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter. assets. listAssetPropertyNames
securitycenter. userinterfacemetadata. get
Security Center Attack Paths Reader
(roles/ securitycenter.attackPathsViewer
)
Read access to security center attack paths
securitycenter. attackpaths. list
Security Center BigQuery Exports Editor (roles/securitycenter.bigQueryExportsEditor)
Read-write access to security center BigQuery exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Center BigQuery Exports Viewer (roles/securitycenter.bigQueryExportsViewer)
Read access to security center BigQuery exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
Security Center Compliance Snapshots Viewer (Beta) (roles/securitycenter.complianceSnapshotsViewer)
Read access to security center compliance snapshots
securitycenter.compliancesnapshots.list
Security Center External Systems Editor (roles/securitycenter.externalSystemsEditor)
Write access to security center external systems
securitycenter.findingexternalsystems.update
Security Center Finding Security Marks Writer (roles/securitycenter.findingSecurityMarksWriter)
Write access to finding security marks
Lowest-level resources where you can grant this role:
securitycenter.findingsecuritymarks.update
securitycenter.userinterfacemetadata.get
Security Center Findings Bulk Mute Editor (roles/securitycenter.findingsBulkMuteEditor)
Ability to mute findings in bulk
securitycenter.findings.bulkMuteUpdate
Security Center Findings Editor (roles/securitycenter.findingsEditor)
Read-write access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.compliancesnapshots.list
securitycenter.findingexplanations.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
Security Center Findings Mute Setter (roles/securitycenter.findingsMuteSetter)
Set mute access to findings
securitycenter.findings.setMute
Security Center Findings State Setter (roles/securitycenter.findingsStateSetter)
Set state access to findings
Lowest-level resources where you can grant this role:
securitycenter.findings.setState
securitycenter.userinterfacemetadata.get
Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Read access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.compliancesnapshots.list
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
Security Center Findings Workflow State Setter (Beta) (roles/securitycenter.findingsWorkflowStateSetter)
Set workflow state access to findings
Lowest-level resources where you can grant this role:
securitycenter.findings.setWorkflowState
securitycenter.userinterfacemetadata.get
Security Center Mute Configurations Editor (roles/securitycenter.muteConfigsEditor)
Read-write access to security center mute configurations
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
Security Center Mute Configurations Viewer (roles/securitycenter.muteConfigsViewer)
Read access to security center mute configurations
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
Write access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.userinterfacemetadata.get
Security Center Notification Configurations Viewer (roles/securitycenter.notificationConfigViewer)
Read access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.userinterfacemetadata.get
Security Center Resource Value Configurations Editor (roles/securitycenter.resourceValueConfigsEditor)
Read-write access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.resourcevalueconfigs.*
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
Security Center Resource Value Configurations Viewer (roles/securitycenter.resourceValueConfigsViewer)
Read access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
Security Health Analytics Custom Modules Tester (roles/securitycenter.securityHealthAnalyticsCustomModulesTester)
Test access to Security Health Analytics custom modules
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Settings Admin (roles/securitycenter.settingsAdmin)
Admin (super user) access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.websecurityscannersettings.*
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.*
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Settings Editor (roles/securitycenter.settingsEditor)
Read-write access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.websecurityscannersettings.*
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.*
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Settings Viewer (roles/securitycenter.settingsViewer)
Read access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Simulations Reader (roles/securitycenter.simulationsViewer)
Read access to security center simulations
securitycenter.simulations.get
Security Center Sources Admin (roles/securitycenter.sourcesAdmin)
Admin access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.*
securitycenter.sources.get
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
securitycenter.sources.update
securitycenter.userinterfacemetadata.get
Security Center Sources Editor (roles/securitycenter.sourcesEditor)
Read-write access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.userinterfacemetadata.get
Security Center Sources Viewer (roles/securitycenter.sourcesViewer)
Read access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
Security Center Valued Resources Reader (roles/securitycenter.valuedResourcesViewer)
Read access to security center valued resources
securitycenter.valuedresources.list
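The predefined roles above overlap heavily: Findings Editor, for instance, contains everything in Findings Viewer plus the mute, state and update permissions, so a request such as "read findings and mute them" can be satisfied by one broad role or by two narrow ones. The following added example (not code from the documentation or from Google) picks the combination of predefined roles that grants a needed permission set with the fewest extra permissions. ROLE_PERMISSIONS is a constructed subset holding only the findings-related roles from the table; for real use, fill it from the full table or from `gcloud iam roles describe`.

```python
"""Choose the least-privileged set of predefined SCC roles for a permission list.

Added example, not part of the Google documentation. ROLE_PERMISSIONS is a
constructed subset of the findings roles listed on this page.
"""
from itertools import combinations

_FINDINGS_VIEWER = {
    "resourcemanager.folders.get",
    "resourcemanager.organizations.get",
    "resourcemanager.projects.get",
    "securitycenter.compliancesnapshots.list",
    "securitycenter.findingexplanations.get",
    "securitycenter.findings.group",
    "securitycenter.findings.list",
    "securitycenter.findings.listFindingPropertyNames",
    "securitycenter.sources.get",
    "securitycenter.sources.list",
    "securitycenter.userinterfacemetadata.get",
}

# Role -> permissions, transcribed from the predefined-roles table above.
ROLE_PERMISSIONS = {
    "roles/securitycenter.findingsViewer": set(_FINDINGS_VIEWER),
    "roles/securitycenter.findingsEditor": _FINDINGS_VIEWER | {
        "securitycenter.findings.bulkMuteUpdate",
        "securitycenter.findings.setMute",
        "securitycenter.findings.setState",
        "securitycenter.findings.update",
    },
    "roles/securitycenter.findingsMuteSetter": {"securitycenter.findings.setMute"},
    "roles/securitycenter.findingsStateSetter": {
        "securitycenter.findings.setState",
        "securitycenter.userinterfacemetadata.get",
    },
    "roles/securitycenter.findingsBulkMuteEditor": {"securitycenter.findings.bulkMuteUpdate"},
}


def roles_granting(needed):
    """Single predefined roles that grant every permission in `needed`."""
    needed = set(needed)
    return sorted(role for role, perms in ROLE_PERMISSIONS.items() if needed <= perms)


def least_privilege_roles(needed, max_roles=3):
    """Return (roles, extra_count) for the role combination that covers `needed`
    while granting the fewest permissions beyond it, or None if nothing covers it.

    Exhaustive over combinations of up to `max_roles` roles (the table is small).
    Combinations are tried in increasing size, and a larger combination only
    replaces a smaller one when it grants strictly fewer extra permissions,
    so ties go to the fewer-roles option.
    """
    needed = set(needed)
    best = None
    for size in range(1, max_roles + 1):
        for combo in combinations(sorted(ROLE_PERMISSIONS), size):
            granted = set().union(*(ROLE_PERMISSIONS[r] for r in combo))
            if not needed <= granted:
                continue
            extras = len(granted - needed)
            if best is None or extras < best[1]:
                best = (combo, extras)
    return best


if __name__ == "__main__":
    # An analyst who must list findings and mute individual ones.
    want = {"securitycenter.findings.list", "securitycenter.findings.setMute"}
    print("single roles that cover it:", roles_granting(want))
    print("least privilege:", least_privilege_roles(want))
```

For the sample request, Findings Editor alone covers it but brings thirteen unrelated permissions (including update, setState and bulkMuteUpdate), while Findings Viewer plus Findings Mute Setter covers the same need with ten extras and no write access beyond muting; the function returns the latter. Expect the result to change as Google adds permissions to these roles, which is why the table should be regenerated rather than hand-maintained.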
IAM roles in the security posture service
The following is a list of the IAM roles and permissions available for the security posture service and the infrastructure as code (IaC) validation feature.
You can grant these roles at the organization, folder, or project level.
The Security Posture Admin role is available only at the organization level.
Role
Permissions
Security Posture Admin (roles/securityposture.admin)
Full access to the Security Posture service APIs.
orgpolicy.*
orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.*
securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
securityposture.reports.create
securityposture.reports.get
securityposture.reports.list
Security Posture Resource Editor (roles/securityposture.postureEditor)
Read and write permissions on the posture resource.
securityposture.operations.get
securityposture.postures.*
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
Security Posture Deployer (roles/securityposture.postureDeployer)
Read and write permissions on the posture deployment resource. Note that this role also carries orgpolicy.* (including orgpolicy.policy.set), because deploying a posture writes organization policies.
orgpolicy.*
orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.operations.get
securityposture.postureDeployments.*
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
Security Posture Resource Viewer (roles/securityposture.postureViewer)
Read-only access to the posture resource.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postures.get
securityposture.postures.list
Security Posture Deployments Viewer (roles/securityposture.postureDeploymentsViewer)
Read-only access to the posture deployment resource.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
Security Posture Shift-Left Validator (roles/securityposture.reportCreator)
Create access for reports, such as the IaC validation report.
securityposture.operations.get
securityposture.reports.*
securityposture.reports.create
securityposture.reports.get
securityposture.reports.list
Security Posture Viewer (roles/securityposture.viewer)
Read-only access to all resources of the Security Posture service.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureTemplates.*
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.get
securityposture.postures.list
Service agent roles
A service agent is a Google-managed service account that lets a service access your resources.
When you activate Security Command Center, two service agents are created for you:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com. This service agent requires the IAM role roles/securitycenter.serviceAgent.
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com. This service agent requires the IAM role roles/containerthreatdetection.serviceAgent.
During the Security Command Center activation process, you must grant the required IAM role to each service agent. Both grants are needed for Security Command Center to work.
To see the permissions for each role, see the following articles:
To grant the roles, you need the roles/resourcemanager.organizationAdmin role.
If you don't have the roles/resourcemanager.organizationAdmin role, an organization administrator can grant the roles to the service agents with the following gcloud CLI command (the --member value must carry the serviceAccount: prefix; gcloud rejects a bare email address):
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="serviceAccount:SERVICE_AGENT_NAME" \
    --role="IAM_ROLE"
Replace the following:
ORGANIZATION_ID: the organization ID
SERVICE_AGENT_NAME: the name of the service agent you are granting the role to. The name is one of the following service agent names:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
IAM_ROLE: the required role that corresponds to the specified service agent:
roles/securitycenter.serviceAgent
roles/containerthreatdetection.serviceAgent
Run the command once per service agent, pairing each agent with its own role. Grant these service-agent roles only to the two Google-managed agents: they are not meant for users, groups, or your own service accounts.
For more information about IAM roles, see Understanding roles.
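A practitioner usually wants to confirm, after activation and on a schedule, that both service agents still hold their roles at the organization and that nobody else has been bound to those roles. The following added example (not code from the documentation or from Google) audits a policy in the JSON shape that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` prints. The organization ID, the policy itself, and the user and group principals in it are constructed for illustration.

```python
"""Audit an organization IAM policy for the Security Command Center service agents.

Added example, not part of the Google documentation. The policy below is a
constructed sample in the format `gcloud organizations get-iam-policy` emits.
"""
import json

ORG_ID = "123456789012"  # placeholder organization ID (assumption)

# Service agents and the roles they require, as listed on this page.
REQUIRED_AGENT_ROLES = {
    "service-org-{org}@security-center-api.iam.gserviceaccount.com":
        "roles/securitycenter.serviceAgent",
    "service-org-{org}@gcp-sa-ktd-hpsa.iam.gserviceaccount.com":
        "roles/containerthreatdetection.serviceAgent",
}


def required_bindings(org_id):
    """IAM member string -> role that each SCC service agent must hold."""
    return {
        "serviceAccount:" + agent.format(org=org_id): role
        for agent, role in REQUIRED_AGENT_ROLES.items()
    }


def audit_service_agents(policy, org_id):
    """Return {'missing': [(member, role)], 'unexpected': [(member, role)]}.

    A required grant only counts when it is unconditional: a conditional
    binding can silently stop applying, so it is reported as missing.
    Any other principal holding a service-agent role is reported as unexpected,
    whether or not the binding carries a condition.
    """
    unconditional, any_binding = {}, {}
    for binding in policy.get("bindings", []):
        role, members = binding["role"], set(binding.get("members", []))
        any_binding.setdefault(role, set()).update(members)
        if not binding.get("condition"):
            unconditional.setdefault(role, set()).update(members)

    required = required_bindings(org_id)
    missing = sorted(
        (member, role) for member, role in required.items()
        if member not in unconditional.get(role, set())
    )
    unexpected = sorted(
        (member, role)
        for role in set(required.values())
        for member in any_binding.get(role, set())
        if required.get(member) != role
    )
    return {"missing": missing, "unexpected": unexpected}


def remediation_commands(org_id, audit):
    """gcloud commands, in the form shown on this page, that add each missing grant."""
    return [
        f'gcloud organizations add-iam-policy-binding {org_id} '
        f'--member="{member}" --role="{role}"'
        for member, role in audit["missing"]
    ]


# Constructed sample: the SCC agent is bound correctly, the Container Threat
# Detection agent is missing, and a human user holds the KTD agent role.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:admin@example.com"]},
    {"role": "roles/securitycenter.serviceAgent",
     "members": ["serviceAccount:service-org-123456789012@security-center-api.iam.gserviceaccount.com"]},
    {"role": "roles/containerthreatdetection.serviceAgent",
     "members": ["user:alice@example.com"]},
    {"role": "roles/securitycenter.adminViewer",
     "members": ["group:secops@example.com"]}
  ],
  "etag": "BwXYZ123abc=",
  "version": 1
}
""")

if __name__ == "__main__":
    result = audit_service_agents(SAMPLE_POLICY, ORG_ID)
    print(json.dumps(result, indent=2))
    for cmd in remediation_commands(ORG_ID, result):
        print(cmd)
```

On the sample policy the audit reports the Container Threat Detection agent as missing its role and alice@example.com as an unexpected holder of roles/containerthreatdetection.serviceAgent, and it emits exactly one add-iam-policy-binding command. Removing the unexpected binding is left to the operator, since a human holding a service-agent role is a finding to investigate, not something to fix blindly.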
Web Security Scanner
IAM roles determine how you can use Web Security Scanner. The tables below list each IAM role available for Web Security Scanner and the methods it allows. Grant these roles at the project level.
To let users create and manage security scans, add them to your project and grant permissions with IAM roles.
Web Security Scanner supports basic roles and predefined roles; the predefined roles give more granular access to Web Security Scanner resources.
Basic IAM roles
The following are the Web Security Scanner permissions granted by basic roles. Because Owner and Editor also grant broad access to every other service in the project, prefer the predefined roles below when the only goal is to run or review scans.
Role
Description
Owner
Full access to all Web Security Scanner resources
Editor
Full access to all Web Security Scanner resources
Viewer
No access to Web Security Scanner
Predefined IAM roles
The following are the Web Security Scanner permissions granted by the Web Security Scanner roles.
Role
Permissions
Web Security Scanner Editor (roles/cloudsecurityscanner.editor)
Full access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
appengine.applications.get
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Web Security Scanner Runner (roles/cloudsecurityscanner.runner)
Read access to Scan and ScanRun, plus the ability to start scans
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
Web Security Scanner Viewer (roles/cloudsecurityscanner.viewer)
Read access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Note that the Runner role can start and stop scans but has no results.* permissions, so it cannot read findings, while the Viewer role can read results but cannot run scans; the two are meant to be combined or granted separately according to who triggers scans and who reviews them.
For more information about IAM roles, see Understanding roles.