This page explains how to use Identity and Access Management (IAM) to control access to resources in an organization-level activation of Security Command Center.
This page applies to you if either of the following is true:
Security Command Center is activated at the organization level rather than at the project level.
Security Command Center Standard is activated at the organization level and, in addition, you have activated Security Command Center Premium in one or more projects.
If you activated Security Command Center at the project level rather than at the organization level, see IAM for project-level activations instead.
In an organization-level activation of Security Command Center, you can control access to resources at different levels of the resource hierarchy. Security Command Center uses IAM roles so that you can control who can do what with the assets, findings, and security sources in your Security Command Center environment. You grant roles to individuals and applications, and each role grants a specific set of permissions.
Permissions
To set up Security Command Center or to change the organization's configuration, you need both of the following roles at the organization level:
Organization Admin (roles/resourcemanager.organizationAdmin)
Security Center Admin (roles/securitycenter.admin)
If a user does not need edit permissions, consider granting a viewer role instead.
To view all assets, findings, and attack paths in Security Command Center, a user needs the Security Center Admin Viewer role (roles/securitycenter.adminViewer) at the organization level.
To view settings, a user needs the Security Center Admin role (roles/securitycenter.admin) at the organization level.
To restrict access to individual folders and projects, do not grant every role at the organization level. Instead, grant the following roles at the folder or project level:
Security Center Assets Viewer (roles/securitycenter.assetsViewer)
Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Organization-level roles
When an IAM role is bound at the organization level, every project and folder under that organization inherits the role binding.
The following figure illustrates a standard Security Command Center resource hierarchy with roles granted at the organization level.
Figure: Security Command Center resource hierarchy and organization-level roles
IAM roles include permissions to view, edit, update, create, or delete resources. A role granted at the organization level in Security Command Center lets you perform the actions it defines on findings, assets, and security sources across the whole organization. For example, a user granted the Security Center Findings Editor role (roles/securitycenter.findingsEditor) can view or edit findings attached to any resource in any project or folder in your organization.
With this structure you do not need to grant the user a role on each individual folder or project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Organization-level roles are not suitable for every use case, particularly for sensitive applications or for compliance standards that require strict access control. To build fine-grained access policies, you can grant roles at the folder and project level instead.
Folder-level and project-level roles
With Security Command Center, you can grant Security Command Center IAM roles on specific folders and projects, which creates multiple views, or silos, within your organization. You give users and groups different access and edit permissions on folders and projects across the organization.
With folder and project roles, a user who holds a Security Command Center role can manage the assets and findings within the assigned project or folder. For example, a security engineer can be granted limited access to specific folders and projects, while a security administrator manages all resources at the organization level.
Folder and project roles let Security Command Center permissions be applied at lower levels of your organization's resource hierarchy, but they do not change that hierarchy. The following figure illustrates a user who has Security Command Center permission to access the findings in one specific project.
Figure: Security Command Center resource hierarchy and project-level roles; items drawn with dashed lines are not accessible to the user
Users with folder and project roles see a subset of the organization's resources, and any action they take is limited to that same scope. For example, a user with permissions on a folder can access the resources in any project within that folder, whereas permissions on a project give the user access only to the resources in that project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Role restrictions
By granting Security Command Center roles at the folder or project level, a Security Command Center administrator can do the following:
Restrict view or edit permissions in Security Command Center to specific folders and projects
Grant view and edit permissions on groups of assets or findings to specific users or teams
Restrict the ability to view or edit finding details, including updates to security marks and finding state, to the individuals or groups that have access to the underlying finding
Control access to Security Command Center settings, which can be viewed only by people who hold organization-level roles
Security Command Center functionality
Security Command Center functionality is likewise restricted according to view and edit permissions.
In the Google Cloud console, Security Command Center lets anyone without organization-level permissions select only the resources they have access to. That selection updates every element of the user interface, including the assets, findings, and settings controls. Users see the privileges attached to their roles and whether they can access or edit findings in their current scope.
The Security Command Center API and the Google Cloud CLI restrict functionality to the designated folders and projects in the same way. If a call to list or group assets or findings is made by a user who holds a folder-level or project-level role, only the findings or assets within that scope are returned.
In an organization-level activation of Security Command Center, calls to create or update findings and finding notifications support only the organization scope. You need an organization-level role to perform these tasks.
To view the attack paths generated by attack path simulations, the required permissions must be granted at the organization level, and the Google Cloud console view must be set to the organization.
Parent resources for findings
Findings are typically attached to a resource, such as a virtual machine (VM) or a firewall. Security Command Center attaches each finding to the nearest container of the resource that produced it. For example, if a VM produces a finding, the finding is attached to the project that contains that VM. Findings that are not tied to a Google Cloud resource are attached to the organization and can be viewed by anyone who holds organization-level Security Command Center permissions.
IAM roles in Security Command Center
The following list gives the IAM roles available for Security Command Center together with the permissions each role contains. Security Command Center supports granting these roles at the organization, folder, or project level.
Each entry shows the role title, the role ID, a short description, and the permissions it includes. An entry ending in .* stands for every permission in that group; the expanded permissions follow it.
Note that Security Center Admin (roles/securitycenter.admin) also carries iam.serviceAccounts.create and iam.serviceAccountKeys.create, which reach well beyond Security Command Center itself. Grant that role sparingly and prefer Security Center Admin Editor or one of the narrower roles below for day-to-day work.
Security Center Admin (roles/securitycenter.admin)
Admin (super user) access to Security Command Center
Lowest-level resources where you can grant this role:
Permissions:
appengine.applications.get
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
assuredoss.config.get
assuredoss.customers.create
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.*
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.update
securitycenter.attackpaths.list
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Security Center Admin Editor (roles/securitycenter.adminEditor)
Admin read-write access to Security Command Center
Lowest-level resources where you can grant this role:
Permissions:
appengine.applications.get
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.*
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.update
securitycenter.attackpaths.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findingexternalsystems.update
securitycenter.findings.*
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.*
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Admin Viewer (roles/securitycenter.adminViewer)
Admin read access to Security Command Center
Lowest-level resources where you can grant this role:
Permissions:
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.attackpaths.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Asset Security Marks Writer (roles/securitycenter.assetSecurityMarksWriter)
Write access to asset security marks
Lowest-level resources where you can grant this role:
Permissions:
securitycenter.assetsecuritymarks.update
securitycenter.userinterfacemetadata.get
Security Center Assets Discovery Runner (roles/securitycenter.assetsDiscoveryRunner)
Run asset discovery access to assets
Lowest-level resources where you can grant this role:
Permissions:
securitycenter.assets.runDiscovery
securitycenter.userinterfacemetadata.get
Security Center Assets Viewer (roles/securitycenter.assetsViewer)
Read access to assets
Lowest-level resources where you can grant this role:
Permissions:
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.userinterfacemetadata.get
Security Center Attack Paths Reader (roles/securitycenter.attackPathsViewer)
Read access to Security Command Center attack paths
Permissions:
securitycenter.attackpaths.list
Security Center BigQuery Exports Editor (roles/securitycenter.bigQueryExportsEditor)
Read-write access to Security Command Center BigQuery exports
Permissions:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Center BigQuery Exports Viewer (roles/securitycenter.bigQueryExportsViewer)
Read access to Security Command Center BigQuery exports
Permissions:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
Security Center Compliance Snapshots Viewer (Beta) (roles/securitycenter.complianceSnapshotsViewer)
Read access to Security Command Center compliance snapshots
Permissions:
securitycenter.compliancesnapshots.list
Security Center External Systems Editor (roles/securitycenter.externalSystemsEditor)
Write access to Security Command Center external systems
Permissions:
securitycenter.findingexternalsystems.update
Security Center Finding Security Marks Writer (roles/securitycenter.findingSecurityMarksWriter)
Write access to finding security marks
Lowest-level resources where you can grant this role:
Permissions:
securitycenter.findingsecuritymarks.update
securitycenter.userinterfacemetadata.get
Security Center Findings Bulk Mute Editor (roles/securitycenter.findingsBulkMuteEditor)
Ability to mute findings in bulk
Permissions:
securitycenter.findings.bulkMuteUpdate
Security Center Findings Editor (roles/securitycenter.findingsEditor)
Read-write access to findings
Lowest-level resources where you can grant this role:
Permissions:
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.compliancesnapshots.list
securitycenter.findingexplanations.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
securitycenter. userinterfacemetadata. get
securitycenter. vulnerabilitysnapshots. list
Security Center Findings Mute Setter
(roles/ securitycenter.findingsMuteSetter
)
Set mute access to findings
securitycenter. findings. setMute
Security Center Findings State Setter
(roles/ securitycenter.findingsStateSetter
)
Set state access to findings
Lowest-level resources where you can grant this role:
securitycenter. findings. setState
securitycenter. userinterfacemetadata. get
Security Center Findings Viewer
(roles/ securitycenter.findingsViewer
)
Read access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager. organizations. get
resourcemanager.projects.get
securitycenter. compliancesnapshots. list
securitycenter. findingexplanations. get
securitycenter.findings.group
securitycenter.findings.list
securitycenter. findings. listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
securitycenter. userinterfacemetadata. get
securitycenter. vulnerabilitysnapshots. list
Security Center Findings Workflow State Setter
Beta
(roles/ securitycenter.findingsWorkflowStateSetter
)
Set workflow state access to findings
Lowest-level resources where you can grant this role:
securitycenter. findings. setWorkflowState
securitycenter. userinterfacemetadata. get
Security Center Mute Configurations Editor
(roles/ securitycenter.muteConfigsEditor
)
Read-Write access to security center mute configurations
securitycenter.muteconfigs.*
securitycenter. muteconfigs. create
securitycenter. muteconfigs. delete
securitycenter.muteconfigs.get
securitycenter. muteconfigs. list
securitycenter. muteconfigs. update
Security Center Mute Configurations Viewer
(roles/ securitycenter.muteConfigsViewer
)
Read access to security center mute configurations
securitycenter.muteconfigs.get
securitycenter. muteconfigs. list
Security Center Notification Configurations Editor
(roles/ securitycenter.notificationConfigEditor
)
Write access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter. notificationconfig.*
securitycenter. notificationconfig. create
securitycenter. notificationconfig. delete
securitycenter. notificationconfig. get
securitycenter. notificationconfig. list
securitycenter. notificationconfig. update
securitycenter. userinterfacemetadata. get
Security Center Notification Configurations Viewer
(roles/ securitycenter.notificationConfigViewer
)
Read access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter. notificationconfig. get
securitycenter. notificationconfig. list
securitycenter. userinterfacemetadata. get
Security Center Resource Value Configurations Editor
(roles/ securitycenter.resourceValueConfigsEditor
)
Read-Write access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter. resourcevalueconfigs.*
securitycenter. resourcevalueconfigs. create
securitycenter. resourcevalueconfigs. delete
securitycenter. resourcevalueconfigs. get
securitycenter. resourcevalueconfigs. list
securitycenter. resourcevalueconfigs. update
Security Center Resource Value Configurations Viewer
(roles/ securitycenter.resourceValueConfigsViewer
)
Read access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter. resourcevalueconfigs. get
securitycenter. resourcevalueconfigs. list
Security Health Analytics Custom Modules Tester
(roles/ securitycenter.securityHealthAnalyticsCustomModulesTester
)
Test access to Security Health Analytics Custom Modules
securitycenter. securityhealthanalyticscustommodules. simulate
securitycenter. securityhealthanalyticscustommodules. test
securitycentermanagement. securityHealthAnalyticsCustomModules. simulate
securitycentermanagement. securityHealthAnalyticsCustomModules. test
Security Center Settings Admin
(roles/securitycenter.settingsAdmin)
Admin (super user) access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.websecurityscannersettings.*
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Settings Editor
(roles/securitycenter.settingsEditor)
Read-Write access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.websecurityscannersettings.*
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Settings Viewer
(roles/securitycenter.settingsViewer)
Read access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Simulations Reader
(roles/securitycenter.simulationsViewer)
Read access to security center simulations
securitycenter.simulations.get
Security Center Sources Admin
(roles/securitycenter.sourcesAdmin)
Admin access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.*
securitycenter.sources.get
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
securitycenter.sources.update
securitycenter.userinterfacemetadata.get
Security Center Sources Editor
(roles/securitycenter.sourcesEditor)
Read-write access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.userinterfacemetadata.get
Security Center Sources Viewer
(roles/securitycenter.sourcesViewer)
Read access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
Security Center Valued Resources Reader
(roles/securitycenter.valuedResourcesViewer)
Read access to security center valued resources
securitycenter.valuedresources.list
IAM roles in the security posture service
The following is a list of the IAM roles and permissions available for the security posture service and the infrastructure as code (IaC) validation feature.
You can grant these roles at the organization, folder, or project level.
Note that the Security Posture Admin role is only available at the organization level.
Role
Permissions
Security Posture Admin
(roles/securityposture.admin)
Full access to the Security Posture Service API.
orgpolicy.*
orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.*
securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
securityposture.reports.create
securityposture.reports.get
securityposture.reports.list
Security Posture Resource Editor
(roles/securityposture.postureEditor)
Mutate and read permissions on Posture resources.
securityposture.operations.get
securityposture.postures.*
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
Security Posture Deployer
(roles/securityposture.postureDeployer)
Mutate and read permissions on Posture Deployment resources.
orgpolicy.*
orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.operations.get
securityposture.postureDeployments.*
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
Security Posture Resource Viewer
(roles/securityposture.postureViewer)
Read-only access to Posture resources.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postures.get
securityposture.postures.list
Security Posture Deployments Viewer
(roles/securityposture.postureDeploymentsViewer)
Read-only access to Posture Deployment resources.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
Security Posture Shift-Left Validator
(roles/securityposture.reportCreator)
Create access for Reports, for example IaC Validation Reports.
securityposture.operations.get
securityposture.reports.*
securityposture.reports.create
securityposture.reports.get
securityposture.reports.list
Security Posture Viewer
(roles/securityposture.viewer)
Read-only access to all Security Posture Service resources.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureTemplates.*
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.get
securityposture.postures.list
Service agent roles
Service agents are Google-managed service accounts that let a service access your resources.
When you activate Security Command Center, two service agents are created for you:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
This service agent requires the IAM role roles/securitycenter.serviceAgent.
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
This service agent requires the IAM role roles/containerthreatdetection.serviceAgent.
During the Security Command Center activation process, you are prompted to grant one or more required IAM roles to each service agent. Granting the roles to each service agent is required for Security Command Center to function.
To view the permissions of each role, see the following:
To grant the roles, you must have the roles/resourcemanager.organizationAdmin role.
If you do not have the roles/resourcemanager.organizationAdmin role, your organization administrator can grant the roles to the service agents by using the following gcloud CLI command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="SERVICE_AGENT_NAME" \
    --role="IAM_ROLE"
Replace the following:
ORGANIZATION_ID: your organization ID
SERVICE_AGENT_NAME: the name of the service agent to which you are granting the role. The name is one of the following service agent names:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
IAM_ROLE: the required role that corresponds to the specified service agent:
roles/securitycenter.serviceAgent
roles/containerthreatdetection.serviceAgent
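The service-agent grant described above, as an added example that is not part of the Security Command Center documentation: a POSIX shell wrapper that pairs each service agent with the one role it requires, refuses a mismatched role, a non-numeric organization ID or an agent created for a different organization, and prints the resulting gcloud command as a dry run. It assumes ORGANIZATION_ID is the numeric organization ID, passes the member with the serviceAccount: prefix that gcloud IAM policy bindings expect, and uses 123456789012 as a constructed placeholder organization ID; nothing is executed unless SCC_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation). Builds, and
# optionally runs, the organization-level role binding for each Security
# Command Center service agent. Assumptions: ORGANIZATION_ID is numeric and
# gcloud expects members as "serviceAccount:<email>". No gcloud call is made
# unless SCC_APPLY=1, so the script can be dry-run offline.

# Print the single role a service agent requires; fail for an unknown agent.
required_role_for_agent() {
  case "$1" in
    service-org-*@security-center-api.iam.gserviceaccount.com)
      echo "roles/securitycenter.serviceAgent" ;;
    service-org-*@gcp-sa-ktd-hpsa.iam.gserviceaccount.com)
      echo "roles/containerthreatdetection.serviceAgent" ;;
    *)
      return 1 ;;
  esac
}

# Validate organization ID, agent and role together, then print the gcloud
# command. Rejects a non-numeric organization ID, an agent whose embedded
# organization ID differs from the target, an unknown agent, and any role
# other than the one that agent requires (granting a broader role to a
# service agent is a least-privilege failure, not a convenience).
build_binding_cmd() {
  org_id="$1"; agent="$2"; role="$3"
  case "$org_id" in
    ''|*[!0-9]*)
      echo "ORGANIZATION_ID must be numeric: '$org_id'" >&2; return 1 ;;
  esac
  case "$agent" in
    "service-org-${org_id}@"*) ;;
    *)
      echo "service agent '$agent' was not created for organization $org_id" >&2
      return 1 ;;
  esac
  expected=$(required_role_for_agent "$agent") || {
    echo "unknown service agent: $agent" >&2; return 1; }
  if [ "$role" != "$expected" ]; then
    echo "$agent requires $expected; refusing to grant $role" >&2
    return 1
  fi
  printf 'gcloud organizations add-iam-policy-binding %s --member="serviceAccount:%s" --role="%s"\n' \
    "$org_id" "$agent" "$role"
}

# Bind both service agents of an organization. Prints each command and runs
# it only when SCC_APPLY=1. Returns non-zero if any pair fails validation.
grant_service_agent_roles() {
  org_id="$1"; status=0
  for agent in \
    "service-org-${org_id}@security-center-api.iam.gserviceaccount.com" \
    "service-org-${org_id}@gcp-sa-ktd-hpsa.iam.gserviceaccount.com"
  do
    role=$(required_role_for_agent "$agent") || { status=1; continue; }
    cmd=$(build_binding_cmd "$org_id" "$agent" "$role") || { status=1; continue; }
    echo "$cmd"
    if [ "${SCC_APPLY:-0}" = "1" ]; then
      gcloud organizations add-iam-policy-binding "$org_id" \
        --member="serviceAccount:${agent}" --role="$role" || status=1
    fi
  done
  return $status
}

# Dry run against a constructed placeholder organization ID (not a real org).
grant_service_agent_roles 123456789012
```

Run with SCC_APPLY=1 only from an account that holds roles/resourcemanager.organizationAdmin, as the page states; otherwise the script only prints the two commands for review.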
For more information about IAM roles, see Understanding roles.
Web Security Scanner
IAM roles determine how you can use Web Security Scanner. The table below covers each IAM role available for Web Security Scanner and the methods available to that role. Grant these roles at the project level.
To give users the ability to create and manage security scans, you need to add the users to the project and grant them permissions by using these roles.
Web Security Scanner supports basic roles and predefined roles that grant more granular access to Web Security Scanner resources.
Basic IAM roles
The following describes the Web Security Scanner permissions that are granted by the basic roles.
Role
Description
Owner
Full access to all Web Security Scanner resources
Editor
Full access to all Web Security Scanner resources
Viewer
No access to Web Security Scanner
Predefined IAM roles
The following describes the Web Security Scanner permissions that are granted by the Web Security Scanner roles.
Role
Permissions
Web Security Scanner Editor
(roles/cloudsecurityscanner.editor)
Full access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
appengine.applications.get
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Web Security Scanner Runner
(roles/cloudsecurityscanner.runner)
Read access to Scan and ScanRun, plus the ability to start scans
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
Web Security Scanner Viewer
(roles/cloudsecurityscanner.viewer)
Read access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
For more information about IAM roles, see Understanding roles.