This page describes how to use Identity and Access Management (IAM) to control access to resources in an organization-level activation of Security Command Center.
This page applies to you if any of the following conditions is true:
Security Command Center is activated at the organization level rather than at the project level.
The Standard tier of Security Command Center is already activated at the organization level, and Security Command Center Premium is also activated in one or more projects.
If you activated Security Command Center at the project level and not at the organization level, see IAM for project-level activations.
In an organization-level activation of Security Command Center, you can control access to resources at different levels of the resource hierarchy. Security Command Center uses IAM roles to let you control who can do what with the resources, findings, and security sources in your Security Command Center environment. Roles are granted to people and applications, and each role provides specific permissions.
Permissions
To set up Security Command Center or change your organization's settings, you need the following two roles at the organization level:
Organization Administrator (roles/resourcemanager.organizationAdmin)
Security Center Admin (roles/securitycenter.admin)
If a user does not need edit permissions, consider granting viewer roles instead.
To view all assets, findings, and attack paths in Security Command Center, users need the Security Center Admin Viewer role (roles/securitycenter.adminViewer) at the organization level.
To view settings, users need the Security Center Admin role (roles/securitycenter.admin) at the organization level.
To restrict access to individual folders and projects, don't grant all roles at the organization level. Instead, grant the following roles at the folder or project level:
Security Center Assets Viewer (roles/securitycenter.assetsViewer)
Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Organization-level roles
When IAM roles are applied at the organization level, the projects and folders in that organization inherit their role bindings.
The following figure shows a typical Security Command Center resource hierarchy with roles granted at the organization level.
Figure: Security Command Center resource hierarchy and organization-level roles.
IAM roles include permissions to view, edit, update, create, or delete resources. Roles granted at the organization level in Security Command Center let you perform prescribed actions on findings, assets, and security sources across your organization. For example, a user with the Security Center Findings Editor role (roles/securitycenter.findingsEditor) can view or edit findings attached to any resource in any project or folder in your organization.
With this structure, you don't need to grant user roles in each folder or project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Organization-level roles aren't suitable for every use case, especially for sensitive applications or compliance standards that require strict access controls. To create fine-grained access policies, you can grant roles at the folder and project level.
Folder-level and project-level roles
Security Command Center lets you grant Security Command Center IAM roles for specific folders and projects, which creates multiple isolated views or environments within the organization. You grant users and groups different view and edit permissions on folders and projects across your organization.
The original page includes a video that shows how to grant folder-level and project-level roles and how to manage them in the Security Command Center console.
With folder and project roles, users with Security Command Center roles can manage assets and findings within designated projects or folders. For example, a security engineer can be granted limited access to selected folders and projects, while a security administrator can manage all resources at the organization level.
Folder and project roles let Security Command Center permissions be applied at lower levels of the organization's resource hierarchy, but they don't change the hierarchy. The following figure shows a user with Security Command Center permissions to access the findings of a specific project.
Figure: Security Command Center resource hierarchy and project-level roles; the dashed items are not accessible.
Users with folder and project roles see a subset of an organization's resources.
All the actions they perform are limited to the same scope. For example, if a user has permissions on a folder, they can access the resources in any project in that folder. Permissions on a project let users access the resources in that project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Role restrictions
When Security Command Center roles are granted at the folder or project level, Security Command Center administrators can do the following:
Limit Security Command Center view or edit permissions to specific folders and projects.
Grant read and edit permissions on groups of assets or findings to specific teams or users.
Restrict the ability to view or edit finding details, including updates to security marks and finding state, to people or groups with access to the underlying finding.
Control access to Security Command Center settings, which can only be viewed by people with organization-level roles.
Security Command Center roles
Security Command Center roles are also restricted by read and edit permissions.
In the Google Cloud console, Security Command Center lets people without organization-level permissions select only the resources they can access. Their selection updates all user interface elements, including assets, findings, and settings controls. Users see the privileges attached to their roles and whether they can access or edit findings within their current scope.
The Security Command Center API and the Google Cloud CLI also restrict roles to the prescribed projects and folders. If calls to list or group assets and findings come from users with folder or project roles, only the findings or assets within those scopes are returned.
For organization-level activations of Security Command Center, calls to create or update findings and finding notifications support only the organization scope. You need organization-level roles to perform these tasks.
To view the attack paths generated by attack path simulations, the corresponding permissions must be granted at the organization level, and the Google Cloud console view must be set to the organization.
Parent resources for findings
Findings are typically attached to a resource, such as a virtual machine (VM) or a firewall. Security Command Center attaches findings to the most immediate container of the resource that generated them. For example, if a VM generates a finding, the finding is attached to the project that contains the VM. Findings that aren't connected to a Google Cloud resource are attached to the organization and are visible to anyone with organization-level Security Command Center permissions.
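The three rules the page has stated so far (bindings inherit down the hierarchy, a folder grant covers every project in the folder, and a finding is visible through the project or organization it attaches to) combine in ways that are easy to get wrong when reviewing who can see what. The following is an added example for this page, not Google's code or a reproduction of IAM's evaluation engine: a small model of a constructed hierarchy with constructed bindings and findings that answers "can this principal list or edit findings here?" by walking the ancestors of the target resource. The permission sets for the adminViewer and assetsViewer roles are a subset of the page's role table; those for findingsViewer and findingsEditor are an assumption, since their table rows are not on this page. The model also applies the org-only rule from the previous section for settings, attack paths and notification configs.

```python
"""Toy model of how Security Command Center role bindings propagate down the
resource hierarchy and which findings a principal can therefore see.

Added example for this page, not Google's code. The hierarchy, bindings and
findings below are constructed. Permission sets for the adminViewer and
assetsViewer roles are a subset of the page's role table; the findingsViewer
and findingsEditor sets are an assumption, as their table rows are not on
this page.
"""

ORG = "organizations/1"

# Constructed hierarchy: child resource -> parent resource.
PARENT = {
    "folders/100": ORG,
    "folders/200": ORG,
    "projects/alpha": "folders/100",
    "projects/beta": "folders/100",
    "projects/gamma": "folders/200",
}

ROLE_PERMISSIONS = {
    "roles/securitycenter.adminViewer": {  # subset from the page's table
        "securitycenter.findings.list",
        "securitycenter.assets.list",
        "securitycenter.attackpaths.list",
        "securitycenter.organizationsettings.get",
    },
    "roles/securitycenter.assetsViewer": {"securitycenter.assets.list"},
    "roles/securitycenter.findingsViewer": {"securitycenter.findings.list"},  # assumed
    "roles/securitycenter.findingsEditor": {  # assumed
        "securitycenter.findings.list", "securitycenter.findings.update",
    },
}

# Operations the page says accept only the organization scope in an
# organization-level activation (settings, attack paths, notification configs).
ORG_ONLY_PERMISSIONS = {
    "securitycenter.organizationsettings.get",
    "securitycenter.attackpaths.list",
    "securitycenter.notificationconfig.create",
}

# Constructed bindings: resource -> principal -> roles granted at that node.
SAMPLE_BINDINGS = {
    ORG: {"user:admin@example.com": {"roles/securitycenter.adminViewer"}},
    "folders/100": {"group:team-a@example.com": {"roles/securitycenter.findingsViewer"}},
    "projects/gamma": {"user:dev@example.com": {"roles/securitycenter.findingsEditor"}},
}

# Constructed findings. resource_project is None for a finding that is not
# attached to a Google Cloud resource; the page says those attach to the org.
SAMPLE_FINDINGS = [
    {"name": "f-alpha-open-firewall", "resource_project": "projects/alpha"},
    {"name": "f-gamma-public-bucket", "resource_project": "projects/gamma"},
    {"name": "f-org-leaked-credential", "resource_project": None},
]


def ancestors(resource):
    """Yield the resource, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)


def has_permission(bindings, principal, permission, resource):
    """A role bound at the resource or any ancestor supplies its permissions
    (IAM inheritance); org-only operations need the organization scope."""
    if permission in ORG_ONLY_PERMISSIONS and resource != ORG:
        return False
    for node in ancestors(resource):
        for role in bindings.get(node, {}).get(principal, set()):
            if permission in ROLE_PERMISSIONS.get(role, set()):
                return True
    return False


def finding_parent(finding):
    """Findings attach to the nearest container of the resource that produced
    them (the project); resource-less findings attach to the organization."""
    return finding["resource_project"] or ORG


def visible_findings(bindings, principal, findings):
    """Names of the findings the principal can list, given where each attaches."""
    return [
        f["name"] for f in findings
        if has_permission(bindings, principal, "securitycenter.findings.list",
                          finding_parent(f))
    ]


if __name__ == "__main__":
    for who in ("user:admin@example.com", "group:team-a@example.com", "user:dev@example.com"):
        print(who, "->", visible_findings(SAMPLE_BINDINGS, who, SAMPLE_FINDINGS))
```

The point to notice is the org-attached finding: only the principal with an organization-level binding sees it, while the folder-scoped team sees the findings of every project under its folder and nothing from the sibling folder. Real IAM also evaluates conditions, deny policies and allow-policy inheritance quirks that this model leaves out.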
IAM roles in Security Command Center
The following is a list of the IAM roles available for Security Command Center and the permissions they include. Security Command Center supports granting these roles at the organization, folder, or project level.
Role
Permissions
Security Center Admin (roles/securitycenter.admin)
Admin (super user) access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
assuredoss.config.get
assuredoss.customers.create
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.*
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.update
securitycenter.attackpaths.list
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.billingtier.update
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.checkOnboardingStatus
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Security Center Admin Editor (roles/securitycenter.adminEditor)
Admin read-write access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.*
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.update
securitycenter.attackpaths.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findingexternalsystems.update
securitycenter.findings.*
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.*
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Admin Viewer (roles/securitycenter.adminViewer)
Admin read access to security center
Lowest-level resources where you can grant this role:
artifactregistry.attachments.get
artifactregistry.attachments.list
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.attackpaths.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Asset Security Marks Writer (roles/securitycenter.assetSecurityMarksWriter)
Write access to asset security marks
Lowest-level resources where you can grant this role:
securitycenter.assetsecuritymarks.update
securitycenter.userinterfacemetadata.get
Security Center Assets Discovery Runner (roles/securitycenter.assetsDiscoveryRunner)
Run asset discovery access to assets
Lowest-level resources where you can grant this role:
securitycenter.assets.runDiscovery
securitycenter.userinterfacemetadata.get
Security Center Assets Viewer (roles/securitycenter.assetsViewer)
Read access to assets
Lowest-level resources where you can grant this role:
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.assets.searchEnrichmentResourceOwners
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.userinterfacemetadata.get
Security Center Attack Paths Reader (roles/securitycenter.attackPathsViewer)
Read access to security center attack paths
securitycenter.attackpaths.list
securitycenter.exposurepathexplan.get
Security Center BigQuery Exports Editor (roles/securitycenter.bigQueryExportsEditor)
Read-Write access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Center BigQuery Exports Viewer (roles/securitycenter.bigQueryExportsViewer)
Read access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
Security Center Compliance Reports Viewer (Beta) (roles/securitycenter.complianceReportsViewer)
Read access to security center compliance reports
securitycenter.complianceReports.aggregate
Security Center Compliance Snapshots Viewer (Beta) (roles/securitycenter.complianceSnapshotsViewer)
Read access to security center compliance snapshots
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
Security Center External Systems Editor (roles/securitycenter.externalSystemsEditor)
Write access to security center external systems
securitycenter.findingexternalsystems.update
Security Center Finding Security Marks Writer (roles/securitycenter.findingSecurityMarksWriter)
Write access to finding security marks
Lowest-level resources where you can grant this role:
securitycenter.findingsecuritymarks.update
securitycenter.userinterfacemetadata.get
Security Center Findings Bulk Mute Editor (roles/securitycenter.findingsBulkMuteEditor)
Ability to mute findings in bulk
securitycenter.findings.bulkMuteUpdate
Security Center Findings Editor (roles/securitycenter.findingsEditor)
Read-write access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.findingexplanations.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
securitycenter.vulnerabilitysnapshots.list
Security Center Findings Mute Setter (roles/securitycenter.findingsMuteSetter)
Set mute access to findings
securitycenter.findings.setMute
Security Center Findings State Setter (roles/securitycenter.findingsStateSetter)
Set state access to findings
Lowest-level resources where you can grant this role:
securitycenter.findings.setState
securitycenter.userinterfacemetadata.get
Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Read access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.complianceReports.aggregate
securitycenter.compliancesnapshots.list
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
securitycenter.vulnerabilitysnapshots.list
Security Center Findings Workflow State Setter (Beta) (roles/securitycenter.findingsWorkflowStateSetter)
Set workflow state access to findings
Lowest-level resources where you can grant this role:
securitycenter.findings.setWorkflowState
securitycenter.userinterfacemetadata.get
Security Center Mute Configurations Editor (roles/securitycenter.muteConfigsEditor)
Read-Write access to security center mute configurations
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
Security Center Mute Configurations Viewer (roles/securitycenter.muteConfigsViewer)
Read access to security center mute configurations
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
Write access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.userinterfacemetadata.get
Security Center Notification Configurations Viewer (roles/securitycenter.notificationConfigViewer)
Read access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.userinterfacemetadata.get
Security Center Resource Value Configurations Editor (roles/securitycenter.resourceValueConfigsEditor)
Read-Write access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.resourcevalueconfigs.*
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
Security Center Resource Value Configurations Viewer (roles/securitycenter.resourceValueConfigsViewer)
Read access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
Security Health Analytics Custom Modules Tester (roles/securitycenter.securityHealthAnalyticsCustomModulesTester)
Test access to Security Health Analytics Custom Modules
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Settings Admin (roles/securitycenter.settingsAdmin)
Admin (super user) access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.billingtier.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.websecurityscannersettings.*
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.checkOnboardingStatus
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Settings Editor (roles/securitycenter.settingsEditor)
Read-Write access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.billingtier.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.websecurityscannersettings.*
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.checkOnboardingStatus
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Settings Viewer (roles/securitycenter.settingsViewer)
Read access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Simulations Reader (roles/securitycenter.simulationsViewer)
Read access to security center simulations
securitycenter.simulations.get
Security Center Sources Admin (roles/securitycenter.sourcesAdmin)
Admin access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.*
securitycenter.sources.get
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
securitycenter.sources.update
securitycenter.userinterfacemetadata.get
Security Center Sources Editor (roles/securitycenter.sourcesEditor)
Read-write access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.userinterfacemetadata.get
Security Center Sources Viewer (roles/securitycenter.sourcesViewer)
Read access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
Security Center Valued Resources Reader (roles/securitycenter.valuedResourcesViewer)
Read access to security center valued resources
securitycenter.valuedresources.list
Security Center Management Admin (roles/securitycentermanagement.admin)
Full access to manage Cloud Security Command Center services and custom modules configuration.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.checkOnboardingStatus
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Management Custom Modules Editor (roles/securitycentermanagement.customModulesEditor)
Full access to manage Cloud Security Command Center custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.*
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Management Custom Modules Viewer (roles/securitycentermanagement.customModulesViewer)
Readonly access to Cloud Security Command Center custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Management Custom ETD Modules Editor (roles/securitycentermanagement.etdCustomModulesEditor)
Full access to manage Cloud Security Command Center ETD custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.*
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
Security Center Management ETD Custom Modules Viewer (roles/securitycentermanagement.etdCustomModulesViewer)
Readonly access to Cloud Security Command Center ETD custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
Security Center Management Services Editor (roles/securitycentermanagement.securityCenterServicesEditor)
Full access to manage Cloud Security Command Center services configuration.
securitycentermanagement.securityCenterServices.*
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
Security Center Management Services Viewer (roles/securitycentermanagement.securityCenterServicesViewer)
Readonly access to Cloud Security Command Center services configuration.
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
Security Center Management Settings Editor (roles/securitycentermanagement.settingsEditor)
Full access to manage Cloud Security Command Center settings
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.checkOnboardingStatus
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Management Settings Viewer (roles/securitycentermanagement.settingsViewer)
Read-only access to Cloud Security Command Center settings
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Management SHA Custom Modules Editor (roles/securitycentermanagement.shaCustomModulesEditor)
Full access to manage Cloud Security Command Center SHA custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.*
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Management SHA Custom Modules Viewer (roles/securitycentermanagement.shaCustomModulesViewer)
Read-only access to Cloud Security Command Center SHA custom modules.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Management Viewer (roles/securitycentermanagement.viewer)
Read-only access to Cloud Security Command Center services and custom modules configuration.
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.organizationsettings.get
securitycenter.securitycentersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
IAM roles in the security posture service
The following is a list of the IAM roles and permissions available for the security posture service and the infrastructure as code validation feature. You can grant these roles at the organization, folder, or project level. Note that the Security posture admin role is available only at the organization level.
Role
Permissions
Security posture admin (roles/securityposture.admin)
Has full access to the security posture service APIs.
orgpolicy.*
orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.*
securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
securityposture.reports.create
securityposture.reports.get
securityposture.reports.list
Security posture resource editor (roles/securityposture.postureEditor)
Has read and modify permissions for the posture resource.
securityposture.operations.get
securityposture.postures.*
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
Security posture deployer (roles/securityposture.postureDeployer)
Has read and modify permissions for the posture deployment resource.
orgpolicy.*
orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.operations.get
securityposture.postureDeployments.*
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
Security posture resource viewer (roles/securityposture.postureViewer)
Has read-only access to the posture resource.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postures.get
securityposture.postures.list
Security posture deployments viewer (roles/securityposture.postureDeploymentsViewer)
Has read-only access to the posture deployment resource.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
Security posture shift-left validator (roles/securityposture.reportCreator)
Grants access to create reports (for example, the IaC validation report).
securityposture.operations.get
securityposture.reports.*
securityposture.reports.create
securityposture.reports.get
securityposture.reports.list
Security posture viewer (roles/securityposture.viewer)
Has read-only access to all resources of the SecurityPosture service.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureTemplates.*
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.get
securityposture.postures.list
Service agent roles
A service agent lets a service access your resources.
After you activate Security Command Center, two service agents are created:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
This service agent requires the IAM role roles/securitycenter.serviceAgent.
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
This service agent requires the IAM role roles/containerthreatdetection.serviceAgent.
During the Security Command Center activation process, you are prompted to grant one or more required IAM roles to each service agent. For Security Command Center to work, the roles must be granted to each service agent.
To view the permissions of each role, see the following:
To grant the roles, you must have the roles/resourcemanager.organizationAdmin role.
If you don't have the roles/resourcemanager.organizationAdmin role, your organization administrator can grant the roles to the service agents for you with the following gcloud CLI command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="SERVICE_AGENT_NAME" \
    --role="IAM_ROLE"
Replace the following:
ORGANIZATION_ID: your organization ID.
SERVICE_AGENT_NAME: the name of the service agent to which you are granting the role. The name is one of the following service agent names:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
IAM_ROLE: the required role that corresponds to the specified service agent:
roles/securitycenter.serviceAgent
roles/containerthreatdetection.serviceAgent
For more information about IAM roles, see Understanding roles.
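The following is an added example and is not part of the Google Cloud documentation or the gcloud CLI: a small POSIX shell script that applies the command above to both service agents, maps each agent to the single role listed for it and refuses any other member, and can list the roles the agents hold afterwards. It assumes the gcloud CLI is installed and that the caller holds roles/resourcemanager.organizationAdmin; the organization ID 123456 used in the dry run is a constructed placeholder. gcloud requires the serviceAccount: prefix on service-account members, so the script adds it to the agent name.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Grants each
# Security Command Center service agent exactly the role the page lists
# for it, at the organization level. Assumes the gcloud CLI is installed
# and that the caller holds roles/resourcemanager.organizationAdmin.
# gcloud expects service-account members to carry the "serviceAccount:"
# prefix, so the functions below add it.

# Map a service agent e-mail to the one role the page says it requires.
# Anything else is rejected instead of guessed, so a mistyped member can
# never receive a service-agent role.
required_role_for_agent() {
  case "$1" in
    service-org-*@security-center-api.iam.gserviceaccount.com)
      echo "roles/securitycenter.serviceAgent" ;;
    service-org-*@gcp-sa-ktd-hpsa.iam.gserviceaccount.com)
      echo "roles/containerthreatdetection.serviceAgent" ;;
    *)
      echo "unrecognised service agent: $1" >&2
      return 1 ;;
  esac
}

# Organization IDs are numeric; refuse anything else before calling gcloud.
check_org_id() {
  case "$1" in
    ''|*[!0-9]*) echo "organization ID must be numeric: '$1'" >&2; return 1 ;;
  esac
}

# Bind one agent. Mode "dry-run" prints the command, "apply" executes it.
bind_service_agent() {
  org_id="$1"; agent="$2"; mode="${3:-dry-run}"
  check_org_id "$org_id" || return 1
  role="$(required_role_for_agent "$agent")" || return 1
  if [ "$mode" = "apply" ]; then
    gcloud organizations add-iam-policy-binding "$org_id" \
      --member="serviceAccount:$agent" --role="$role"
  else
    printf 'gcloud organizations add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
      "$org_id" "$agent" "$role"
  fi
}

# Bind both service agents the page lists for organization $1.
grant_scc_service_agent_roles() {
  org_id="$1"; mode="${2:-dry-run}"
  bind_service_agent "$org_id" "service-org-$org_id@security-center-api.iam.gserviceaccount.com" "$mode" || return 1
  bind_service_agent "$org_id" "service-org-$org_id@gcp-sa-ktd-hpsa.iam.gserviceaccount.com" "$mode" || return 1
}

# Read-only check afterwards: list every role bound to the two agents on the
# organization, which confirms the two expected bindings and exposes extras.
show_service_agent_roles() {
  org_id="$1"
  check_org_id "$org_id" || return 1
  gcloud organizations get-iam-policy "$org_id" \
    --flatten="bindings[].members" \
    --filter="bindings.members~^serviceAccount:service-org-$org_id@" \
    --format="table(bindings.members,bindings.role)"
}

# Usage: review the commands first, then apply them.
#   grant_scc_service_agent_roles 123456            # dry run, prints two commands
#   grant_scc_service_agent_roles 123456 apply      # performs the two bindings
#   show_service_agent_roles 123456                 # lists the resulting bindings
```

The dry-run default means a reviewer sees the exact two bindings before anything is changed, and the agent-to-role map keeps the grant confined to the two principals and two roles the page names.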
Web Security Scanner
IAM roles prescribe how you can use Web Security Scanner. The following tables list each IAM role available for Web Security Scanner and the methods available to them. Grant these roles at the project level.
To give users the ability to create and manage security scans, you can add users to your project and grant them permissions through roles.
Web Security Scanner supports basic roles and predefined roles that provide more granular access to Web Security Scanner resources.
Basic IAM roles
The following describes the Web Security Scanner permissions that the basic roles grant.
Role: Description
Owner: Full access to all Web Security Scanner resources
Editor: Full access to all Web Security Scanner resources
Viewer: No access to Web Security Scanner
Predefined IAM roles
The following describes the Web Security Scanner permissions that the Web Security Scanner roles grant.
Role
Permissions
Web Security Scanner Editor (roles/cloudsecurityscanner.editor)
Full access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
appengine.applications.get
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Web Security Scanner Runner (roles/cloudsecurityscanner.runner)
Read access to Scan and ScanRun, plus the ability to start scans
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
Web Security Scanner Viewer (roles/cloudsecurityscanner.viewer)
Read access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
For more information about IAM roles, see Understanding roles.
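As an added example that is not part of the Google Cloud documentation, the following POSIX shell script encodes the permission lists of the three predefined Web Security Scanner roles from the table above, expands the wildcard rows such as cloudsecurityscanner.results.*, and picks the narrowest role that covers the permissions a principal actually needs before emitting the project-level gcloud binding. The ordering viewer, then runner, then editor as least to most privileged, the project name my-project and the member user:alice@example.com are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Chooses the
# least-privileged predefined Web Security Scanner role that still covers
# a set of required permissions, then prints the project-level binding.
# The permission lists are the ones shown in the page's table; wildcard
# rows (ending in ".*") are kept and matched by prefix.

perms_for_role() {
  case "$1" in
    roles/cloudsecurityscanner.viewer) cat <<'EOF'
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
EOF
    ;;
    roles/cloudsecurityscanner.runner) cat <<'EOF'
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
EOF
    ;;
    roles/cloudsecurityscanner.editor) cat <<'EOF'
appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
EOF
    ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Does role $1 grant permission $2? A row "prefix.*" matches any
# permission that starts with "prefix.".
role_grants() {
  perms_for_role "$1" | while IFS= read -r p; do
    case "$p" in
      *.\*) prefix="${p%\*}"
            case "$2" in "$prefix"*) echo yes; break ;; esac ;;
      "$2") echo yes; break ;;
    esac
  done | grep -q yes
}

# Try roles from least to most privileged (assumed order: viewer, runner,
# editor) and return the first one covering every needed permission.
least_privileged_role() {
  for role in roles/cloudsecurityscanner.viewer \
              roles/cloudsecurityscanner.runner \
              roles/cloudsecurityscanner.editor; do
    ok=yes
    for need in "$@"; do
      role_grants "$role" "$need" || { ok=no; break; }
    done
    [ "$ok" = yes ] && { echo "$role"; return 0; }
  done
  echo "no single predefined Web Security Scanner role covers: $*" >&2
  return 1
}

# Emit the project-level binding for member $2 on project $1 given the
# permissions in $3.. (the page says these roles are granted per project).
binding_command() {
  project="$1"; member="$2"; shift 2
  role="$(least_privileged_role "$@")" || return 1
  printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
    "$project" "$member" "$role"
}

# Usage: someone who only needs to start scans gets Runner, not Editor.
#   binding_command my-project user:alice@example.com cloudsecurityscanner.scans.run
```

Runner and Viewer are not nested: Runner can start and stop scans but cannot read results, while Viewer can read results but cannot start scans, so a principal that needs both ends up with Editor, and the function reports that rather than silently over-granting.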