This page explains how to use Identity and Access Management (IAM) to control access to resources in an organization-level activation of Security Command Center. This page applies to you if either of the following is true:
- Security Command Center is activated at the organization level rather than the project level.
- The Security Command Center Standard tier is activated at the organization level, and you have also activated the Premium tier in one or more projects.
If you activated Security Command Center at the project level rather than the organization level, see IAM for project-level activations instead.
In an organization-level activation of Security Command Center, you control access to resources at different levels of the resource hierarchy. Security Command Center IAM roles determine who can do what with the resources, findings, and security sources in your Security Command Center environment. You grant roles to individuals and applications; each role carries a specific set of permissions.
Permissions
Permissions required for activation
To activate Security Command Center, see one of the following, depending on your service tier.
Permissions required for ongoing administration and use
This section describes the permissions required to administer and use the Security Command Center Premium and Standard tiers. For Security Command Center Enterprise, see Configure permissions for ongoing use of Security Command Center Enterprise.
To change an organization's configuration, you need both of the following roles at the organization level:
- Organization Administrator (roles/resourcemanager.organizationAdmin)
- Security Center Admin (roles/securitycenter.admin)
If a user does not need to make changes, consider granting a viewer role instead.
To view all resources, findings, and attack paths in Security Command Center, a user needs the Security Center Admin Viewer (roles/securitycenter.adminViewer) role at the organization level.
To view settings, a user needs the Security Center Admin (roles/securitycenter.admin) role at the organization level. If the user only needs to read settings, the Security Center Settings Viewer role listed in the role table below is the narrower option.
To restrict access to individual folders and projects, don't grant every role at the organization level. Instead, grant the following roles at the folder or project level:
- Security Center Assets Viewer (roles/securitycenter.assetsViewer)
- Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Each detection service might require additional permissions before you can enable or configure it. For details, see the documentation for each service.
Organization-level roles
When you apply an IAM role at the organization level, the projects and folders under that organization inherit the role binding.
The following diagram shows a typical Security Command Center resource hierarchy with roles granted at the organization level.

IAM roles include permissions to view, edit, update, create, or delete resources. Granting an organization-level role in Security Command Center lets the grantee perform the specified actions on findings, assets, and security sources across the entire organization. For example, a user granted the Security Center Findings Editor role (roles/securitycenter.findingsEditor) can view or edit findings on any resource in any project or folder under the organization. With this structure, you don't need to grant the user a role in each folder or project.
To learn how to manage roles and permissions, see Manage access to projects, folders, and organizations.
Organization-level roles aren't appropriate for every use case, particularly for sensitive applications or compliance standards that require strict access control. To create granular access policies, you can grant roles at the folder and project level.
Folder-level and project-level roles
Security Command Center lets you grant Security Command Center IAM roles on specific folders and projects in your organization, creating multiple views or silos. You can give users and groups different view and edit permissions on folders and projects across the organization.
The following video shows how to grant folder-level and project-level roles and how to manage them in the Security Command Center console.
With folder and project roles, a user who holds a Security Command Center role can manage the resources and findings in the designated project or folder. For example, a security engineer can be granted limited access to a subset of folders and projects, while a security administrator manages all resources at the organization level.
Folder and project roles let you apply Security Command Center permissions lower in the organization's resource hierarchy without changing the hierarchy itself. The following diagram shows a user who has Security Command Center permissions to access findings in one specific project.

Users with folder and project roles see a subset of the organization's resources, and any action they take is limited to that same scope. For example, a user with permissions on a folder can access resources in every project inside that folder, whereas a user with permissions on a project can access only the resources in that project.
To learn how to manage roles and permissions, see Manage access to projects, folders, and organizations.
Role restrictions
After you grant Security Command Center roles at the folder or project level, a Security Command Center administrator can:
- Restrict Security Command Center view or edit permissions to specific folders and projects
- Grant specific users or teams view or edit permissions on a subset of resources or findings
- Limit viewing or editing of finding details, including updating security marks and finding state, to the individuals or groups who have access to the underlying findings
- Control access to Security Command Center settings, which only individuals with organization-level roles can view
Security Command Center features
The Security Command Center features available to a user also depend on the user's view and edit permissions.
In the Google Cloud console, Security Command Center lets users without organization-level permissions select only the resources they have access to. The user's selection updates every element of the interface, including resources, findings, and settings controls. Users can see the permissions associated with their roles, and whether they can access or edit the findings in the current scope.
The Security Command Center API and the Google Cloud CLI also restrict functions to the designated folders and projects. If a call to list or group resources or findings is made by a user with a folder or project role, only findings or resources within those scopes are returned.
For organization-level activations of Security Command Center, calls that create or update findings and finding notifications support only the organization scope. You need an organization-level role to perform these tasks.
To view attack paths generated by attack path simulations, the appropriate permissions must be granted at the organization level and the Google Cloud console view must be set to the organization.
Parent resources of findings
Findings are usually associated with a resource, such as a virtual machine or a firewall. Security Command Center attaches a finding to the most immediate container of the resource that generated it. For example, if a virtual machine generates a finding, the finding is attached to the project that contains the VM. Findings that aren't connected to a Google Cloud resource are attached to the organization and are visible only to principals with organization-level Security Command Center permissions.
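The inheritance rules from the organization-level and folder-level sections above, together with the finding-parent rule just described, can be checked against a small model: a binding on a node applies to every finding whose parent is that node or a descendant of it, and a finding with no Google Cloud resource is parented at the organization, so only an organization-level binding reaches it. The following is an added example, not code from this page or from Google. The organization, folder, project, principal and finding names are constructed; only role names that appear on this page are used.

```python
"""Model which Security Command Center findings a principal can read or
change, depending on where in the resource hierarchy its role is bound.

Added example; not code from the page or from Google. The hierarchy,
principals and findings are constructed sample data with hypothetical names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """An organization, folder or project in the resource hierarchy."""
    name: str
    parent: "Node | None" = None

    def lineage(self) -> list[str]:
        """This node's name followed by every ancestor up to the organization."""
        out, node = [], self
        while node is not None:
            out.append(node.name)
            node = node.parent
        return out


@dataclass(frozen=True)
class Binding:
    principal: str
    role: str
    resource: str   # hierarchy node the role is granted on


@dataclass(frozen=True)
class Finding:
    name: str
    parent: str     # most immediate container of the affected resource


# Roles from this page that can read findings, and the subset that can also
# change finding state (viewer roles are read-only).
READ_ROLES = {
    "roles/securitycenter.admin", "roles/securitycenter.adminEditor",
    "roles/securitycenter.adminViewer", "roles/securitycenter.findingsViewer",
    "roles/securitycenter.findingsEditor",
}
SET_STATE_ROLES = {
    "roles/securitycenter.admin", "roles/securitycenter.adminEditor",
    "roles/securitycenter.findingsEditor",
}


def _granted_on(principal: str, bindings: list[Binding], roles: set[str]) -> set[str]:
    """Resources on which the principal directly holds any of the given roles."""
    return {b.resource for b in bindings if b.principal == principal and b.role in roles}


def _in_scope(finding: Finding, granted_on: set[str], nodes: dict[str, Node]) -> bool:
    """A binding applies if it sits on the finding's parent or any ancestor.
    Bindings are inherited downward only, never across siblings or upward."""
    return bool(granted_on & set(nodes[finding.parent].lineage()))


def visible_findings(principal, bindings, findings, nodes) -> list[str]:
    """Names of the findings the principal can list, in input order."""
    granted = _granted_on(principal, bindings, READ_ROLES)
    return [f.name for f in findings if _in_scope(f, granted, nodes)]


def can_set_state(principal, finding, bindings, nodes) -> bool:
    """True if the principal may change this finding's state."""
    return _in_scope(finding, _granted_on(principal, bindings, SET_STATE_ROLES), nodes)


# Constructed hierarchy: org -> folder 'prod' -> projects web-prod, db-prod;
# project 'sandbox' sits directly under the organization.
ORG = Node("organizations/123456789012")
PROD = Node("folders/4242", ORG)
WEB = Node("projects/web-prod", PROD)
DB = Node("projects/db-prod", PROD)
SANDBOX = Node("projects/sandbox", ORG)
NODES = {n.name: n for n in (ORG, PROD, WEB, DB, SANDBOX)}

FINDINGS = [
    Finding("f-org", ORG.name),      # no Google Cloud resource: parented at the org
    Finding("f-web", WEB.name),
    Finding("f-db", DB.name),
    Finding("f-sandbox", SANDBOX.name),
]
BINDINGS = [
    Binding("group:sec-ops@example.com", "roles/securitycenter.adminViewer", ORG.name),
    Binding("group:prod-eng@example.com", "roles/securitycenter.findingsViewer", PROD.name),
    Binding("user:web-dev@example.com", "roles/securitycenter.findingsEditor", WEB.name),
    Binding("user:sandbox-dev@example.com", "roles/securitycenter.findingsViewer", SANDBOX.name),
]

if __name__ == "__main__":
    for principal in sorted({b.principal for b in BINDINGS}):
        print(principal, visible_findings(principal, BINDINGS, FINDINGS, NODES))
```

Running the block shows the organization-level viewer seeing all four findings including f-org, the folder-level group seeing only the two prod projects, and each project-level user seeing exactly one project; the folder-level viewer can list f-web but cannot change its state, while the project-level editor can change f-web but not f-db.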
Security Command Center roles
Security Command Center provides the following IAM roles. You can grant these roles at the organization, folder, or project level.
Role | Permissions
---|---
Security Center Admin | Admin (super user) access to Security Center
Security Center Admin Editor | Admin read-write access to Security Center
Security Center Admin Viewer | Admin read access to Security Center
Security Center Asset Security Marks Writer | Write access to asset security marks
Security Center Assets Discovery Runner | Run asset discovery access to assets
Security Center Assets Viewer | Read access to assets
Security Center Attack Paths Reader | Read access to Security Center attack paths
Attack Surface Management Scanner Service Agent | Gives Mandiant Attack Surface Management the ability to scan Google Cloud resources
Security Center Automation Service Agent | Lets the Security Center automation service agent configure Google Cloud resources to enable security scanning
Security Center BigQuery Exports Editor | Read-write access to Security Center BigQuery exports
Security Center BigQuery Exports Viewer | Read access to Security Center BigQuery exports
Security Center Compliance Reports Viewer (Beta) | Read access to Security Center compliance reports
Security Center Compliance Snapshots Viewer (Beta) | Read access to Security Center compliance snapshots
Security Center Control Service Agent | Lets the Security Center Control service agent monitor and configure Google Cloud resources and import security findings
Security Center External Systems Editor | Write access to Security Center external systems
Security Center Finding Security Marks Writer | Write access to finding security marks
Security Center Findings Bulk Mute Editor | Ability to mute findings in bulk
Security Center Findings Editor | Read-write access to findings
Security Center Findings Mute Setter | Set mute access to findings
Security Center Findings State Setter | Set state access to findings
Security Center Findings Viewer | Read access to findings
Security Center Findings Workflow State Setter (Beta) | Set workflow state access to findings
Security Center Integration Executor Service Agent | Gives Security Center access to execute integrations
Security Center Issues Editor | Write access to Security Center issues
Security Center Issues Viewer | Read access to Security Center issues
Security Center Mute Configurations Editor | Read-write access to Security Center mute configurations
Security Center Mute Configurations Viewer | Read access to Security Center mute configurations
Security Center Notification Configurations Editor | Write access to notification configurations
Security Center Notification Configurations Viewer | Read access to notification configurations
Security Center Notification Service Agent | Lets the Security Center service agent publish notifications to Pub/Sub topics
Security Center Resource Value Configurations Editor | Read-write access to Security Center resource value configurations
Security Center Resource Value Configurations Viewer | Read access to Security Center resource value configurations
Security Health Analytics Custom Modules Tester | Test access to Security Health Analytics custom modules
Security Health Analytics Service Agent | Lets the Security Health Analytics service agent scan Google Cloud resource metadata to find security vulnerabilities
Google Cloud Security Response Service Agent | Gives Playbook Runner permission to execute all Google-authored playbooks; this role keeps evolving as more playbooks are added
Security Center Service Agent | Lets the Security Center service agent scan Google Cloud resources and import security scans
Security Center Settings Admin | Admin (super user) access to Security Center settings
Security Center Settings Editor | Read-write access to Security Center settings
Security Center Settings Viewer | Read access to Security Center settings
Security Center Simulations Reader | Read access to Security Center simulations
Security Center Sources Admin | Admin access to sources
Security Center Sources Editor | Read-write access to sources
Security Center Sources Viewer | Read access to sources
Security Center Valued Resources Reader | Read access to Security Center valued resources
Security Command Center Management API roles
The Security Command Center Management API provides the following IAM roles. You can grant these roles at the organization, folder, or project level.
Role | Permissions
---|---
Security Center Management Admin | Full access to manage Security Command Center services and custom module configuration
Security Center Management Custom Modules Editor | Full access to manage Security Command Center custom modules
Security Center Management Custom Modules Viewer | Read-only access to Security Command Center custom modules
Security Center Management Custom ETD Modules Editor | Full access to manage Security Command Center Event Threat Detection (ETD) custom modules
Security Center Management ETD Custom Modules Viewer | Read-only access to Security Command Center Event Threat Detection (ETD) custom modules
Security Center Management Services Editor | Full access to manage Security Command Center services configuration
Security Center Management Services Viewer | Read-only access to Security Command Center services configuration
Security Center Management Settings Editor | Full access to manage Security Command Center settings
Security Center Management Settings Viewer | Read-only access to Security Command Center settings
Security Center Management SHA Custom Modules Editor | Full access to manage Security Command Center Security Health Analytics (SHA) custom modules
Security Center Management SHA Custom Modules Viewer | Read-only access to Security Command Center Security Health Analytics (SHA) custom modules
Security Center Management Viewer | Read-only access to Security Command Center services and custom module configuration
IAM roles for Compliance Manager
The following IAM roles and permissions are available for the Compliance Manager service. You can grant these roles at the organization, folder, or project level.
Role | Permissions
---|---
Compliance Manager Admin (Beta) | Full access to Compliance Manager resources
Cloud Security Compliance Service Agent | Gives the Cloud Security Compliance (CSC) service account access to consumer resources
Compliance Manager Viewer (Beta) | Read-only access to Compliance Manager resources
Security Posture API roles
The following IAM roles apply to the Security Posture API and its infrastructure-as-code (IaC) validation feature. Unless otherwise noted, you can grant these roles at the organization, folder, or project level.
Role | Permissions
---|---
Security Posture Admin | Full access to Security Posture service APIs
Security Posture Deployer | Mutate and read permissions on the PostureDeployment resource
Security Posture Deployments Viewer | Read-only access to the PostureDeployment resource
Security Posture Resource Editor | Mutate and read permissions on the Posture resource
Security Posture Resource Viewer | Read-only access to the Posture resource
Security Posture Shift-Left Validator | Create access for reports, for example an IaC validation report
Security Posture Viewer | Read-only access to all Security Posture service resources
Service agent roles
Service agents let a service access your resources.
When you activate Security Command Center, two service agents are created for you:
- service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com. This service agent needs the roles/securitycenter.serviceAgent IAM role.
- service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com. This service agent needs the roles/containerthreatdetection.serviceAgent IAM role.
During Security Command Center activation, you are prompted to grant each service agent one or more required IAM roles. Each service agent must hold its role for Security Command Center to function properly.
To see the permissions of each role, see the following:
To grant these roles, you must have the roles/resourcemanager.organizationAdmin role.
If you don't have the roles/resourcemanager.organizationAdmin role, your organization administrator can grant a service agent its role with the following gcloud CLI command. Note that gcloud identifies a service account member with the serviceAccount: prefix in front of its e-mail address:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="serviceAccount:SERVICE_AGENT_NAME" \
    --role="IAM_ROLE"
Replace the following:
- ORGANIZATION_ID: your organization ID.
- SERVICE_AGENT_NAME: the e-mail address of the service agent you are granting the role to, one of:
  service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
  service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
- IAM_ROLE: the role required by that service agent:
  roles/securitycenter.serviceAgent for the security-center-api service agent
  roles/containerthreatdetection.serviceAgent for the gcp-sa-ktd-hpsa service agent
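A practical check after activation is to confirm that both service agents actually hold the roles listed above, rather than trusting the prompt was completed. The following is an added example, not code from this page or from Google: it takes an organization IAM policy in the JSON shape that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` returns, reports which of the two required bindings are missing, and emits the exact add-iam-policy-binding command from this page for each gap. The policy document and the organization ID 123456789012 are constructed sample data. It treats a binding that carries an IAM condition as not satisfied, because a condition can exclude the agent at call time.

```python
"""Verify that the two Security Command Center service agents hold the IAM
roles this page says the activation requires, and print the gcloud commands
for whatever is missing.

Added example; not code from the page or from Google. SAMPLE_POLICY is a
constructed policy in the shape `gcloud organizations get-iam-policy ORG_ID
--format=json` returns; the organization ID 123456789012 is hypothetical.
"""
import json

# Service-agent e-mail template -> role it must hold (both from this page).
REQUIRED_AGENT_ROLES = {
    "service-org-{org}@security-center-api.iam.gserviceaccount.com":
        "roles/securitycenter.serviceAgent",
    "service-org-{org}@gcp-sa-ktd-hpsa.iam.gserviceaccount.com":
        "roles/containerthreatdetection.serviceAgent",
}


def required_bindings(org_id: str) -> dict[str, str]:
    """Map IAM member string -> required role for one organization.

    gcloud and the IAM API identify a service account member as
    'serviceAccount:<email>', so the prefix is added here.
    """
    return {
        f"serviceAccount:{tmpl.format(org=org_id)}": role
        for tmpl, role in REQUIRED_AGENT_ROLES.items()
    }


def missing_bindings(policy: dict, org_id: str) -> list[tuple[str, str]]:
    """Return (member, role) pairs that the organization policy does not grant.

    Only unconditional bindings count: a binding carrying an IAM condition
    may not apply when the agent actually calls, so it is treated as absent.
    """
    present = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        for member in binding.get("members", []):
            present.add((member, binding["role"]))
    return [
        (member, role)
        for member, role in required_bindings(org_id).items()
        if (member, role) not in present
    ]


def fix_commands(policy: dict, org_id: str) -> list[str]:
    """Build the add-iam-policy-binding command from this page for each gap."""
    return [
        f"gcloud organizations add-iam-policy-binding {org_id} "
        f'--member="{member}" --role="{role}"'
        for member, role in missing_bindings(policy, org_id)
    ]


# Constructed sample: the API service agent is correctly bound; the Container
# Threat Detection agent only holds its role behind a condition, which is not enough.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:org-admins@example.com"]},
    {"role": "roles/securitycenter.serviceAgent",
     "members": ["serviceAccount:service-org-123456789012@security-center-api.iam.gserviceaccount.com"]},
    {"role": "roles/containerthreatdetection.serviceAgent",
     "members": ["serviceAccount:service-org-123456789012@gcp-sa-ktd-hpsa.iam.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXyz123",
  "version": 3
}
""")

if __name__ == "__main__":
    for cmd in fix_commands(SAMPLE_POLICY, "123456789012"):
        print(cmd)
```

To run it against a real organization, replace SAMPLE_POLICY with `json.load()` of the file written by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json > policy.json`; the printed commands are the ones an Organization Administrator then runs.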
For more information about IAM roles, see Understanding roles.
Web Security Scanner roles
Web Security Scanner provides the following IAM roles. You can grant these roles at the project level.
Role | Permissions
---|---
Web Security Scanner Editor | Full access to all Web Security Scanner resources
Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans
Web Security Scanner Viewer | Read access to all Web Security Scanner resources
Cloud Web Security Scanner Service Agent | Gives the Cloud Web Security Scanner service account access to Compute Engine details and App Engine details