IAM untuk aktivasi tingkat organisasi

Halaman ini menjelaskan cara menggunakan Identity and Access Management (IAM) untuk mengontrol akses ke resource dalam aktivasi Security Command Center tingkat organisasi. Halaman ini relevan bagi Anda jika salah satu kondisi berikut berlaku:

  • Security Command Center diaktifkan di level organisasi, bukan di level project.
  • Security Command Center Standar sudah diaktifkan di tingkat organisasi. Selain itu, Anda mengaktifkan Security Command Center Premium di satu atau beberapa project.

Jika Anda mengaktifkan Security Command Center di level project, bukan di level organisasi, lihat IAM untuk aktivasi level project.

Pada aktivasi Security Command Center tingkat organisasi, Anda dapat mengontrol akses ke resource di berbagai level hierarki resource. Security Command Center menggunakan peran IAM agar Anda dapat mengontrol siapa yang dapat melakukan apa pada aset, temuan, dan sumber keamanan di lingkungan Security Command Center Anda. Anda memberikan peran kepada individu dan aplikasi, dan setiap peran memberikan izin khusus.

Izin

Untuk menyiapkan Security Command Center atau mengubah konfigurasi organisasi, Anda memerlukan kedua peran berikut di tingkat organisasi:

  • Admin Organisasi (roles/resourcemanager.organizationAdmin)
  • Admin Pusat Keamanan (roles/securitycenter.admin)

Jika pengguna tidak memerlukan izin edit, pertimbangkan untuk memberikan peran penampil.

Untuk melihat semua aset, temuan, dan jalur serangan di Security Command Center, pengguna memerlukan peran Security Center Admin Viewer (roles/securitycenter.adminViewer) di tingkat organisasi.

Untuk melihat setelan, pengguna memerlukan peran Security Center Admin (roles/securitycenter.admin) di tingkat organisasi.

Untuk membatasi akses ke masing-masing folder dan project, jangan berikan semua peran di level organisasi. Sebagai gantinya, berikan peran berikut di level folder atau project:

  • Pengakses Aset Pusat Keamanan (roles/securitycenter.assetsViewer)
  • Penampil Temuan Pusat Keamanan (roles/securitycenter.findingsViewer)

Peran tingkat organisasi

Saat peran IAM diterapkan pada level organisasi, project dan folder di bawah organisasi tersebut akan mewarisi binding perannya.

Gambar berikut mengilustrasikan hierarki resource Security Command Center standar dengan peran yang diberikan di tingkat organisasi.

Hierarki resource dan struktur izin Security Command Center
Hierarki resource dan peran tingkat organisasi Security Command Center (klik untuk memperbesar)

Peran IAM mencakup izin untuk melihat, mengedit, memperbarui, membuat, atau menghapus resource. Peran yang diberikan pada tingkat organisasi di Security Command Center memungkinkan Anda melakukan tindakan yang ditentukan pada temuan, aset, dan sumber keamanan di seluruh organisasi. Misalnya, pengguna yang diberi peran Security Center Findings Editor (roles/securitycenter.findingsEditor) dapat melihat atau mengedit temuan yang dilampirkan ke resource apa pun di project atau folder mana pun di organisasi Anda. Dengan struktur ini, Anda tidak perlu memberikan peran kepada pengguna di setiap folder atau project.

Untuk mengetahui petunjuk cara mengelola peran dan izin, lihat Mengelola akses ke project, folder, dan organisasi.

Peran tingkat organisasi tidak cocok untuk semua kasus penggunaan, terutama untuk aplikasi sensitif atau standar kepatuhan yang memerlukan kontrol akses yang ketat. Untuk membuat kebijakan akses yang terperinci, Anda dapat memberikan peran pada tingkat folder dan project.

Peran level folder dan level project

Dengan Security Command Center, Anda dapat memberikan peran IAM Security Command Center untuk folder dan project tertentu, yang membuat beberapa tampilan, atau silo, dalam organisasi Anda. Anda memberi pengguna dan grup akses yang berbeda serta mengedit izin ke folder dan project di seluruh organisasi.

Video berikut menjelaskan cara memberikan peran tingkat folder dan level project, serta cara mengelolanya di dasbor Security Command Center.

Dengan peran folder dan project, pengguna dengan peran Security Command Center memiliki kemampuan untuk mengelola aset dan temuan dalam project atau folder yang ditetapkan. Misalnya, engineer keamanan dapat diberi akses terbatas ke folder dan project tertentu, sementara administrator keamanan dapat mengelola semua resource di tingkat organisasi.

Peran folder dan project memungkinkan izin Security Command Center diterapkan pada tingkat yang lebih rendah dalam hierarki resource organisasi Anda, tetapi tidak mengubah hierarki tersebut. Gambar berikut mengilustrasikan pengguna yang memiliki izin Security Command Center untuk mengakses temuan di project tertentu.

Hierarki resource dan struktur izin Security Command Center
Hierarki resource dan peran level project Security Command Center - item dengan garis putus-putus tidak dapat diakses (klik untuk memperbesar)

Pengguna dengan peran folder dan project akan melihat subset resource organisasi. Setiap tindakan yang mereka ambil terbatas pada cakupan yang sama. Misalnya, jika pengguna memiliki izin untuk suatu folder, mereka dapat mengakses resource di project mana pun di folder tersebut. Izin untuk suatu project memberi pengguna akses ke resource dalam project tersebut.

Untuk mengetahui petunjuk cara mengelola peran dan izin, lihat Mengelola akses ke project, folder, dan organisasi.

Pembatasan peran

Dengan memberikan peran Security Command Center pada level folder atau project, administrator Security Command Center dapat melakukan hal berikut:

  • Membatasi izin tampilan atau edit pada Security Command Center ke folder dan project tertentu
  • Berikan izin lihat dan edit untuk grup aset atau temuan kepada pengguna atau tim tertentu
  • Membatasi kemampuan untuk melihat atau mengedit detail temuan, termasuk update pada tanda keamanan dan status temuan, untuk individu atau grup yang memiliki akses ke penemuan yang mendasarinya
  • Mengontrol akses ke setelan Security Command Center, yang hanya dapat dilihat oleh orang dengan peran tingkat organisasi

Fungsi Security Command Center

Fungsi Security Command Center juga dibatasi berdasarkan izin lihat dan edit.

Di konsol Google Cloud, Security Command Center memungkinkan setiap orang yang tidak memiliki izin tingkat organisasi untuk hanya memilih resource yang aksesnya mereka miliki. Pilihannya akan memperbarui semua elemen antarmuka pengguna, termasuk aset, temuan, dan kontrol setelan. Pengguna akan melihat hak istimewa yang melekat pada peran mereka dan apakah mereka dapat mengakses atau mengedit temuan pada cakupan mereka saat ini.

Security Command Center API dan Google Cloud CLI juga membatasi fungsi ke folder dan project yang ditentukan. Jika panggilan untuk mencantumkan atau mengelompokkan aset dan temuan dibuat oleh pengguna yang diberi peran folder atau project, hanya temuan atau aset pada cakupan tersebut yang akan ditampilkan.

Untuk aktivasi Security Command Center tingkat organisasi, panggilan untuk membuat atau memperbarui temuan dan menemukan notifikasi hanya mendukung cakupan organisasi. Anda memerlukan peran tingkat organisasi untuk melakukan tugas ini.

Untuk melihat jalur serangan yang dihasilkan oleh simulasi jalur serangan, izin yang sesuai harus diberikan di level organisasi dan tampilan Konsol Google Cloud harus ditetapkan ke organisasi.

Referensi bagi orang tua untuk temuan

Biasanya, temuan melekat pada resource, seperti virtual machine (VM) atau firewall. Security Command Center melampirkan temuan ke penampung yang paling cepat untuk resource yang menghasilkan temuan tersebut. Misalnya, jika VM menghasilkan temuan, temuan tersebut dilampirkan ke project yang berisi VM tersebut. Temuan yang tidak terhubung ke resource Google Cloud akan dilampirkan ke organisasi dan dapat dilihat oleh siapa saja yang memiliki izin Security Command Center tingkat organisasi.

Peran IAM di Security Command Center

Berikut adalah daftar peran IAM yang tersedia untuk Security Command Center beserta izin yang disertakan di dalamnya. Security Command Center mendukung pemberian peran ini di level organisasi, folder, atau project.

Role Permissions

(roles/securitycenter.admin)

Admin(super user) access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.*

  • assuredoss.config.get
  • assuredoss.customers.create
  • assuredoss.locations.get
  • assuredoss.locations.list
  • assuredoss.metadata.get
  • assuredoss.metadata.list
  • assuredoss.operations.cancel
  • assuredoss.operations.delete
  • assuredoss.operations.get
  • assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

iam.serviceAccountKeys.create

iam.serviceAccounts.create

iam.serviceAccounts.get

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.create

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.*

  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.assets.runDiscovery
  • securitycenter.assetsecuritymarks.update
  • securitycenter.attackpaths.list
  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update
  • securitycenter.compliancesnapshots.list
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update
  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update
  • securitycenter.exposurepathexplan.get
  • securitycenter.findingexplanations.get
  • securitycenter.findingexternalsystems.update
  • securitycenter.findings.bulkMuteUpdate
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setMute
  • securitycenter.findings.setState
  • securitycenter.findings.setWorkflowState
  • securitycenter.findings.update
  • securitycenter.findingsecuritymarks.update
  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update
  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update
  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update
  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update
  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update
  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update
  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update
  • securitycenter.securityhealthanalyticscustommodules.create
  • securitycenter.securityhealthanalyticscustommodules.delete
  • securitycenter.securityhealthanalyticscustommodules.get
  • securitycenter.securityhealthanalyticscustommodules.list
  • securitycenter.securityhealthanalyticscustommodules.simulate
  • securitycenter.securityhealthanalyticscustommodules.test
  • securitycenter.securityhealthanalyticscustommodules.update
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update
  • securitycenter.simulations.get
  • securitycenter.sources.get
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • securitycenter.sources.update
  • securitycenter.subscription.get
  • securitycenter.userinterfacemetadata.get
  • securitycenter.valuedresources.list
  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update
  • securitycenter.vulnerabilitysnapshots.list
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

serviceusage.quotas.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminEditor)

Admin Read-write access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.*

  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.assets.runDiscovery

securitycenter.assetsecuritymarks.update

securitycenter.attackpaths.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findingexternalsystems.update

securitycenter.findings.*

  • securitycenter.findings.bulkMuteUpdate
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setMute
  • securitycenter.findings.setState
  • securitycenter.findings.setWorkflowState
  • securitycenter.findings.update

securitycenter.findingsecuritymarks.update

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.*

  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.vulnerabilitysnapshots.list

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.generateServiceAccounts

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityCommandCenter.update

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminViewer)

Admin Read access to security center

Lowest-level resources where you can grant this role:

  • Project

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.attackpaths.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.vulnerabilitysnapshots.list

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.assetSecurityMarksWriter)

Write access to asset security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.assetsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsDiscoveryRunner)

Run asset discovery access to assets

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.assets.runDiscovery

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsViewer)

Read access to assets

Lowest-level resources where you can grant this role:

  • Project

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.userinterfacemetadata.get

(roles/securitycenter.attackPathsViewer)

Read access to security center attack paths

securitycenter.attackpaths.list

(roles/securitycenter.bigQueryExportsEditor)

Read-Write access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

(roles/securitycenter.bigQueryExportsViewer)

Read access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

(roles/securitycenter.complianceSnapshotsViewer)

Read access to security center compliance snapshots

securitycenter.compliancesnapshots.list

(roles/securitycenter.externalSystemsEditor)

Write access to security center external systems

securitycenter.findingexternalsystems.update

(roles/securitycenter.findingSecurityMarksWriter)

Write access to finding security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findingsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsBulkMuteEditor)

Ability to mute findings in bulk

securitycenter.findings.bulkMuteUpdate

(roles/securitycenter.findingsEditor)

Read-write access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.bulkMuteUpdate

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.findings.setMute

securitycenter.findings.setState

securitycenter.findings.update

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

securitycenter.vulnerabilitysnapshots.list

(roles/securitycenter.findingsMuteSetter)

Set mute access to findings

securitycenter.findings.setMute

(roles/securitycenter.findingsStateSetter)

Set state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsViewer)

Read access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

securitycenter.vulnerabilitysnapshots.list

(roles/securitycenter.findingsWorkflowStateSetter)

Set workflow state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setWorkflowState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.muteConfigsEditor)

Read-Write access to security center mute configurations

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

(roles/securitycenter.muteConfigsViewer)

Read access to security center mute configurations

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

(roles/securitycenter.notificationConfigEditor)

Write access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.notificationConfigViewer)

Read access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.resourceValueConfigsEditor)

Read-Write access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.*

  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update

(roles/securitycenter.resourceValueConfigsViewer)

Read access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

(roles/securitycenter.securityHealthAnalyticsCustomModulesTester)

Test access to Security Health Analytics Custom Modules

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.settingsAdmin)

Admin(super user) access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.containerthreatdetectionsettings.*

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.*

  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update

securitycenter.integratedvulnerabilityscannersettings.*

  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.rapidvulnerabilitydetectionsettings.*

  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update

securitycenter.websecurityscannersettings.*

  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycenter.settingsEditor)

Read-Write access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.containerthreatdetectionsettings.*

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.*

  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update

securitycenter.integratedvulnerabilityscannersettings.*

  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.rapidvulnerabilitydetectionsettings.*

  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update

securitycenter.websecurityscannersettings.*

  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycenter.settingsViewer)

Read access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.simulationsViewer)

Read access to security center simulations

securitycenter.simulations.get

(roles/securitycenter.sourcesAdmin)

Admin access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.*

  • securitycenter.sources.get
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • securitycenter.sources.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesEditor)

Read-write access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesViewer)

Read access to sources

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.valuedResourcesViewer)

Read access to security center valued resources

securitycenter.valuedresources.list

Peran IAM dalam layanan postur keamanan

Berikut adalah daftar peran dan izin IAM yang tersedia untuk fitur layanan dan infrastruktur postur keamanan sebagai validasi kode. Anda dapat memberikan peran ini di tingkat organisasi, folder, atau project. Perhatikan bahwa peran Security Posture Admin hanya tersedia di tingkat organisasi.

Peran Izin

(roles/securityposture.admin)

Akses penuh ke Security Posture Service API.

orgpolicy.*

  • orgpolicy.constraints.list
  • orgpolicy.customConstraints.create
  • orgpolicy.customConstraints.delete
  • orgpolicy.customConstraints.get
  • orgpolicy.customConstraints.list
  • orgpolicy.customConstraints.update
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.*

  • securityposture.locations.get
  • securityposture.locations.list
  • securityposture.operations.delete
  • securityposture.operations.get
  • securityposture.operations.list
  • securityposture.postureDeployments.create
  • securityposture.postureDeployments.delete
  • securityposture.postureDeployments.get
  • securityposture.postureDeployments.list
  • securityposture.postureDeployments.update
  • securityposture.postureTemplates.get
  • securityposture.postureTemplates.list
  • securityposture.postures.create
  • securityposture.postures.delete
  • securityposture.postures.extract
  • securityposture.postures.get
  • securityposture.postures.list
  • securityposture.postures.update
  • securityposture.reports.create
  • securityposture.reports.get
  • securityposture.reports.list

(roles/securityposture.postureEditor)

Mutasi dan baca izin ke resource Postur.

securityposture.operations.get

securityposture.postures.*

  • securityposture.postures.create
  • securityposture.postures.delete
  • securityposture.postures.extract
  • securityposture.postures.get
  • securityposture.postures.list
  • securityposture.postures.update

(roles/securityposture.postureDeployer)

Mutasi dan baca izin ke resource Posture Deployment.

orgpolicy.*

  • orgpolicy.constraints.list
  • orgpolicy.customConstraints.create
  • orgpolicy.customConstraints.delete
  • orgpolicy.customConstraints.get
  • orgpolicy.customConstraints.list
  • orgpolicy.customConstraints.update
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.operations.get

securityposture.postureDeployments.*

  • securityposture.postureDeployments.create
  • securityposture.postureDeployments.delete
  • securityposture.postureDeployments.get
  • securityposture.postureDeployments.list
  • securityposture.postureDeployments.update

(roles/securityposture.postureViewer)

Akses hanya baca ke resource Posture.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postures.get

securityposture.postures.list

(roles/securityposture.postureDeploymentsViewer)

Akses hanya baca ke resource Posture Deployment.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

(roles/securityposture.reportCreator)

Buat akses untuk Laporan, misalnya Laporan Validasi IaC.

securityposture.operations.get

securityposture.reports.*

  • securityposture.reports.create
  • securityposture.reports.get
  • securityposture.reports.list

(roles/securityposture.viewer)

Akses hanya baca ke semua resource SecurityPosture Service.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

securityposture.postureTemplates.*

  • securityposture.postureTemplates.get
  • securityposture.postureTemplates.list

securityposture.postures.get

securityposture.postures.list

Peran agen layanan

Agen layanan adalah akun layanan yang dikelola Google yang memungkinkan layanan mengakses resource Anda.

Saat mengaktifkan Security Command Center, dua agen layanan akan dibuat untuk Anda:

  • service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com.

    Agen layanan ini memerlukan peran IAM roles/securitycenter.serviceAgent.

  • service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com.

    Agen layanan ini memerlukan peran IAM roles/containerthreatdetection.serviceAgent.

Selama proses aktivasi Security Command Center, Anda akan diminta untuk memberikan satu atau beberapa peran IAM yang diperlukan kepada setiap agen layanan. Pemberian peran ke setiap agen layanan diperlukan agar Security Command Center dapat berfungsi.

Untuk melihat izin setiap peran, lihat hal berikut:

Untuk memberikan peran, Anda harus memiliki peran roles/resourcemanager.organizationAdmin.

Jika Anda tidak memiliki peran roles/resourcemanager.organizationAdmin, administrator organisasi Anda dapat memberikan peran kepada agen layanan menggunakan perintah gcloud CLI berikut:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="SERVICE_AGENT_NAME" \
    --role="IAM_ROLE"

Ganti kode berikut:

  • ORGANIZATION_ID: ID organisasi Anda
  • SERVICE_AGENT_NAME: nama agen layanan yang Anda berikan peran. Nama tersebut adalah salah satu nama agen layanan berikut:
    • service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
    • service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
  • IAM_ROLE: peran yang diperlukan berikut yang sesuai dengan agen layanan yang ditentukan:
    • roles/securitycenter.serviceAgent
    • roles/containerthreatdetection.serviceAgent

Untuk mengetahui informasi selengkapnya tentang peran IAM, baca artikel memahami peran.

Web Security Scanner

Peran IAM menentukan cara Anda dapat menggunakan Web Security Scanner. Tabel di bawah ini mencakup setiap peran IAM yang tersedia untuk Web Security Scanner dan metode yang tersedia untuk peran tersebut. Berikan peran ini di level project. Untuk memberi pengguna kemampuan membuat dan mengelola pemindaian keamanan, Anda perlu menambahkan pengguna ke project dan memberi mereka izin menggunakan peran tersebut.

Web Security Scanner mendukung peran dasar dan peran standar yang memberikan akses yang lebih terperinci ke resource Web Security Scanner.

Peran IAM dasar

Berikut ini penjelasan tentang izin Web Security Scanner yang diberikan berdasarkan peran dasar.

Peran Deskripsi
Pemilik Akses penuh ke semua resource Web Security Scanner
Editor Akses penuh ke semua resource Web Security Scanner
Pengakses lihat saja Tidak ada akses ke Web Security Scanner

Peran IAM yang telah ditetapkan

Berikut ini penjelasan tentang izin Web Security Scanner yang diberikan oleh peran Web Security Scanner.

Role Permissions

(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scanruns.stop

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

cloudsecurityscanner.scans.run

(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Untuk mengetahui informasi selengkapnya tentang peran IAM, baca artikel memahami peran.