This page explains how to use Identity and Access Management (IAM) to control access to resources when Security Command Center is activated at the organization level.
This page applies to you if either of the following is true:
Security Command Center is activated at the organization level, not at the project level.
Security Command Center Standard is already activated at the organization level, and Security Command Center Premium is activated on one or more projects.
If you activated Security Command Center at the project level rather than the organization level, see IAM for project-level activations instead.
When you activate Security Command Center at the organization level, you can control access to resources at different levels of your resource hierarchy. Security Command Center uses IAM roles to let you control who can do what with the assets, findings, and security sources in your Security Command Center environment. You grant roles to individuals and applications, and each role provides specific permissions.
Permissions
To set up Security Command Center or change your organization's configuration, you need both of the following roles at the organization level:
Organization Administrator (roles/resourcemanager.organizationAdmin)
Security Center Admin (roles/securitycenter.admin)
If a user does not need edit rights, consider granting viewer roles instead.
To view all assets, findings, and attack paths in Security Command Center, users need the Security Center Admin Viewer role (roles/securitycenter.adminViewer) at the organization level.
To view settings, users need the Security Center Admin role (roles/securitycenter.admin) at the organization level.
To restrict access to individual folders and projects, do not grant all roles at the organization level. Instead, grant the following roles at the folder or project level:
Security Center Assets Viewer (roles/securitycenter.assetsViewer)
Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Organization-level roles
When IAM roles are applied at the organization level, the projects and folders in that organization inherit its role bindings.
The following figure shows a typical Security Command Center resource hierarchy with roles granted at the organization level.
Security Command Center resource hierarchy and organization-level roles
IAM roles include permissions to view, edit, update, create, or delete resources. Roles granted at the organization level in Security Command Center let you apply the prescribed actions to findings, assets, and security sources across your whole organization. For example, a user with the Security Center Findings Editor role (roles/securitycenter.findingsEditor) can view or edit the findings associated with any resource in any project or folder of your organization.
With this structure, you do not need to grant users roles in each folder or project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Organization-level roles do not fit every use case, particularly for sensitive applications or compliance standards that require strict access control. To create fine-grained access policies, you can grant roles at the folder and project level.
Folder-level and project-level roles
Security Command Center lets you grant Security Command Center IAM roles on specific folders and projects, so that you can create multiple views, or silos, within your organization. You grant users and groups different view and edit permissions on the folders and projects in your organization.
The following video explains how to grant folder-level and project-level roles and how to manage them in the Security Command Center dashboard.
With folder and project roles, users who hold Security Command Center roles can manage assets and findings in designated projects or folders. For example, a security engineer can have access limited to certain folders and projects, while a security administrator can manage all resources at the organization level.
Folder and project roles apply Security Command Center permissions at lower levels of your organization's resource hierarchy. They do not, however, change the hierarchy. The following figure shows a user with Security Command Center permissions to access the findings of one specific project.
Security Command Center resource hierarchy and project-level roles: dotted items are inaccessible
Users with folder and project roles see a subset of an organization's resources.
All actions they take are limited to that same scope. For example, if a user is granted access to a folder, they can access the resources of any project in that folder. Permissions granted on a project let users access the resources of that project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Role restrictions
By granting Security Command Center roles at the folder or project level, Security Command Center administrators can do the following:
Limit Security Command Center view or edit permissions to specific folders and projects.
Grant view and edit permissions on groups of assets or findings to specific users or teams.
Restrict the ability to view or edit finding details, including updates to security marks and finding state, to individuals or groups with access to the underlying finding.
Control access to Security Command Center settings, which can only be viewed by people with organization-level roles.
Security Command Center features
Security Command Center features are likewise limited according to view and edit permissions.
In the Google Cloud console, Security Command Center lets users without organization-level permissions select only the resources they have access to. Their selection updates every element of the user interface, including assets, findings, and settings controls. Users see the entitlements tied to their roles and whether they can access or edit findings within their current scope.
The Security Command Center API and the Google Cloud CLI also limit features to the prescribed folders and projects. If users with folder- or project-level roles make calls to list or group assets and findings, only the findings or assets associated with those scopes are returned.
For organization-level activations of Security Command Center, calls that create or update findings, and finding notifications, support only the organization scope. To perform these tasks, you must hold organization-level roles.
To view the attack paths generated by attack path simulations, the appropriate permissions must be granted at the organization level and the Google Cloud console view must be set to the organization.
Parent resources of findings
A finding is generally associated with a resource, such as a virtual machine (VM) or a firewall. Security Command Center attaches findings to the most immediate container of the resource that generated the finding. For example, if a VM generates a finding, the finding is attached to the project that contains the VM. Findings that are not associated with a Google Cloud resource are attached to the organization and are visible to anyone with organization-level Security Command Center permissions.
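The scoping rules of the preceding sections (organization-level bindings inherited by folders and projects, folder- and project-scoped list calls, organization-only calls, and the project or organization a finding is attached to) are modelled in the following Python example. It is added here and is not Google's code: the hierarchy, principals, findings and the ROLE_PERMISSIONS subset are constructed assumptions drawn from the role table on this page.

```python
"""Toy model of how Security Command Center IAM roles scope access along the
resource hierarchy (organization > folder > project). Added example, not Google's
code: hierarchy, principals, findings and the ROLE_PERMISSIONS subset are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed subset of each role's permissions (the full lists are in the role table).
ROLE_PERMISSIONS = {
    "roles/securitycenter.admin": {
        "securitycenter.findings.list", "securitycenter.findings.update",
        "securitycenter.assets.list", "securitycenter.notificationconfig.create"},
    "roles/securitycenter.findingsViewer": {"securitycenter.findings.list"},
    "roles/securitycenter.findingsEditor": {
        "securitycenter.findings.list", "securitycenter.findings.update",
        "securitycenter.findingsecuritymarks.update"},
}
# Calls the page says accept only the organization scope under an org-level activation.
ORG_ONLY_OPERATIONS = {
    "create_finding": "securitycenter.findings.update",
    "create_notification_config": "securitycenter.notificationconfig.create",
}

@dataclass
class Resource:
    """Organization, folder or project node; bindings map role -> set of principals."""
    name: str                            # "organizations/123", "folders/456", "projects/my-proj"
    parent: Optional["Resource"] = None
    bindings: dict = field(default_factory=dict)

    def grant(self, role, principal):
        self.bindings.setdefault(role, set()).add(principal)

    def ancestry(self):
        # Yield this node, then each ancestor up to the organization.
        node = self
        while node is not None:
            yield node
            node = node.parent

    def is_within(self, scope):
        return any(node is scope for node in self.ancestry())

def effective_permissions(principal, resource):
    """Union of the principal's roles on the resource and on every ancestor:
    a binding at the org or folder level is inherited by everything below it."""
    perms = set()
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            if principal in members:
                perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

@dataclass
class Finding:
    name: str
    category: str
    asset: Optional[str]    # full resource name of the affected asset, or None

def attachment_point(finding, org, projects):
    """Attach to the project that owns the asset, or to the organization when there is
    no Google Cloud asset (constructed names carry a projects/<id> segment for this parser)."""
    parts = finding.asset.split("/") if finding.asset else []
    if "projects" in parts:
        return projects.get(parts[parts.index("projects") + 1], org)
    return org

def list_findings(principal, scope, findings, org, projects):
    """List call at `scope`: only findings inside the scope on which the caller holds
    securitycenter.findings.list (directly or inherited) are returned."""
    visible = []
    for f in findings:
        node = attachment_point(f, org, projects)
        if node.is_within(scope) and "securitycenter.findings.list" in effective_permissions(principal, node):
            visible.append(f.name)
    return visible

def can_perform(principal, operation, scope):
    """Org-only calls need the permission and an organization scope; a folder- or
    project-scoped call is refused even when the permission is held there."""
    if not scope.name.startswith("organizations/"):
        return False
    return ORG_ONLY_OPERATIONS[operation] in effective_permissions(principal, scope)

def build_demo():
    """Constructed hierarchy: org > folders/111 (app-prod, db-prod) and folders/222 (app-dev)."""
    org = Resource("organizations/123456789012")
    prod, dev = Resource("folders/111", org), Resource("folders/222", org)
    projects = {p: Resource(f"projects/{p}", prod if p.endswith("prod") else dev)
                for p in ("app-prod", "db-prod", "app-dev")}
    org.grant("roles/securitycenter.admin", "user:sec-admin@example.com")
    prod.grant("roles/securitycenter.findingsViewer", "user:prod-eng@example.com")
    projects["app-dev"].grant("roles/securitycenter.findingsEditor", "user:dev-eng@example.com")
    findings = [
        Finding("f-1", "OPEN_FIREWALL", "//compute.googleapis.com/projects/app-prod/global/firewalls/allow-all"),
        Finding("f-2", "PUBLIC_BUCKET", "//storage.googleapis.com/projects/db-prod/buckets/backups"),
        Finding("f-3", "SSH_BRUTE_FORCE", "//compute.googleapis.com/projects/app-dev/zones/us-central1-a/instances/vm-1"),
        Finding("f-4", "ORG_POLICY_DISABLED", None),   # no asset: attached to the organization
    ]
    return org, prod, dev, projects, findings
```

With this setup the folder-scoped viewer sees only the two production findings even when listing at the organization, the organization-attached finding f-4 is visible only to the organization-level admin, and the admin's notification-config call is refused when made at folder scope.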
IAM roles in Security Command Center
The following is the list of IAM roles available for Security Command Center, together with the permissions each one includes. Security Command Center lets you grant these roles at the organization, folder, or project level.
Role: Security Center Admin (roles/securitycenter.admin)
Admin (super user) access to security center
Lowest-level resources where you can grant this role:
Permissions:
appengine.applications.get
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.create
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
assuredoss.config.get
assuredoss.customers.create
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.cancel
assuredoss.operations.delete
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.*
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.update
securitycenter.attackpaths.list
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findingexternalsystems.update
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Role: Security Center Admin Editor (roles/securitycenter.adminEditor)
Admin read-write access to security center
Lowest-level resources where you can grant this role:
Permissions:
appengine.applications.get
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.*
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.update
securitycenter.attackpaths.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findingexternalsystems.update
securitycenter.findings.*
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.setWorkflowState
securitycenter.findings.update
securitycenter.findingsecuritymarks.update
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.*
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Role: Security Center Admin Viewer (roles/securitycenter.adminViewer)
Admin read access to security center
Lowest-level resources where you can grant this role:
Permissions:
artifactregistry.dockerimages.*
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.download
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.*
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.pythonpackages.*
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.locations.get
assuredoss.locations.list
assuredoss.metadata.*
assuredoss.metadata.get
assuredoss.metadata.list
assuredoss.operations.get
assuredoss.operations.list
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportOSInventories
cloudasset.assets.exportResource
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.attackpaths.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.compliancesnapshots.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.exposurepathexplan.get
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.valuedresources.list
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.vulnerabilitysnapshots.list
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Role: Security Center Asset Security Marks Writer (roles/securitycenter.assetSecurityMarksWriter)
Write access to asset security marks
Lowest-level resources where you can grant this role:
Permissions:
securitycenter.assetsecuritymarks.update
securitycenter.userinterfacemetadata.get
Security Center Assets Discovery Runner
(roles/ securitycenter.assetsDiscoveryRunner
)
Run asset discovery access to assets
Lowest-level resources where you can grant this role:
securitycenter. assets. runDiscovery
securitycenter. userinterfacemetadata. get
Security Center Assets Viewer
(roles/ securitycenter.assetsViewer
)
Read access to assets
Lowest-level resources where you can grant this role:
cloudasset. assets. exportIamPolicy
cloudasset. assets. exportOSInventories
cloudasset. assets. exportResource
cloudasset. assets. queryAccessPolicy
cloudasset. assets. queryIamPolicy
cloudasset. assets. queryOSInventories
cloudasset. assets. queryResource
cloudasset. assets. searchAllIamPolicies
cloudasset. assets. searchAllResources
resourcemanager.folders.get
resourcemanager. organizations. get
resourcemanager.projects.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter. assets. listAssetPropertyNames
securitycenter. userinterfacemetadata. get
Security Center Attack Paths Reader (roles/securitycenter.attackPathsViewer)
Read access to security center attack paths
securitycenter.attackpaths.list
Security Center BigQuery Exports Editor (roles/securitycenter.bigQueryExportsEditor)
Read-write access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
Security Center BigQuery Exports Viewer (roles/securitycenter.bigQueryExportsViewer)
Read access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
Security Center Compliance Snapshots Viewer (Beta) (roles/securitycenter.complianceSnapshotsViewer)
Read access to security center compliance snapshots
securitycenter.compliancesnapshots.list
Security Center External Systems Editor (roles/securitycenter.externalSystemsEditor)
Write access to security center external systems
securitycenter.findingexternalsystems.update
Security Center Finding Security Marks Writer (roles/securitycenter.findingSecurityMarksWriter)
Write access to finding security marks
Lowest-level resources where you can grant this role:
securitycenter.findingsecuritymarks.update
securitycenter.userinterfacemetadata.get
Security Center Findings Bulk Mute Editor (roles/securitycenter.findingsBulkMuteEditor)
Ability to mute findings in bulk
securitycenter.findings.bulkMuteUpdate
Security Center Findings Editor (roles/securitycenter.findingsEditor)
Read-write access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.compliancesnapshots.list
securitycenter.findingexplanations.get
securitycenter.findings.bulkMuteUpdate
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.setMute
securitycenter.findings.setState
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
securitycenter.vulnerabilitysnapshots.list
Security Center Findings Mute Setter (roles/securitycenter.findingsMuteSetter)
Set mute access to findings
securitycenter.findings.setMute
Security Center Findings State Setter (roles/securitycenter.findingsStateSetter)
Set state access to findings
Lowest-level resources where you can grant this role:
securitycenter.findings.setState
securitycenter.userinterfacemetadata.get
Security Center Findings Viewer (roles/securitycenter.findingsViewer)
Read access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.projects.get
securitycenter.compliancesnapshots.list
securitycenter.findingexplanations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
securitycenter.vulnerabilitysnapshots.list
Security Center Findings Workflow State Setter (Beta) (roles/securitycenter.findingsWorkflowStateSetter)
Set workflow state access to findings
Lowest-level resources where you can grant this role:
securitycenter.findings.setWorkflowState
securitycenter.userinterfacemetadata.get
Security Center Mute Configurations Editor (roles/securitycenter.muteConfigsEditor)
Read-write access to security center mute configurations
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
Security Center Mute Configurations Viewer (roles/securitycenter.muteConfigsViewer)
Read access to security center mute configurations
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
Write access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.userinterfacemetadata.get
Security Center Notification Configurations Viewer (roles/securitycenter.notificationConfigViewer)
Read access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.userinterfacemetadata.get
Security Center Resource Value Configurations Editor (roles/securitycenter.resourceValueConfigsEditor)
Read-write access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.resourcevalueconfigs.*
securitycenter.resourcevalueconfigs.create
securitycenter.resourcevalueconfigs.delete
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
securitycenter.resourcevalueconfigs.update
Security Center Resource Value Configurations Viewer (roles/securitycenter.resourceValueConfigsViewer)
Read access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.resourcevalueconfigs.get
securitycenter.resourcevalueconfigs.list
Security Health Analytics Custom Modules Tester (roles/securitycenter.securityHealthAnalyticsCustomModulesTester)
Test access to Security Health Analytics custom modules
securitycenter.securityhealthanalyticscustommodules.simulate
securitycenter.securityhealthanalyticscustommodules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Settings Admin (roles/securitycenter.settingsAdmin)
Admin (super user) access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.websecurityscannersettings.*
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Settings Editor (roles/securitycenter.settingsEditor)
Read-write access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.*
securitycenter.bigQueryExports.create
securitycenter.bigQueryExports.delete
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.bigQueryExports.update
securitycenter.containerthreatdetectionsettings.*
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.containerthreatdetectionsettings.update
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.*
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.eventthreatdetectionsettings.update
securitycenter.integratedvulnerabilityscannersettings.*
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.integratedvulnerabilityscannersettings.update
securitycenter.muteconfigs.*
securitycenter.muteconfigs.create
securitycenter.muteconfigs.delete
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.muteconfigs.update
securitycenter.notificationconfig.*
securitycenter.notificationconfig.create
securitycenter.notificationconfig.delete
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.notificationconfig.update
securitycenter.organizationsettings.*
securitycenter.organizationsettings.get
securitycenter.organizationsettings.update
securitycenter.rapidvulnerabilitydetectionsettings.*
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.update
securitycenter.securitycentersettings.*
securitycenter.securitycentersettings.get
securitycenter.securitycentersettings.update
securitycenter.securityhealthanalyticscustommodules.create
securitycenter.securityhealthanalyticscustommodules.delete
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticscustommodules.update
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.*
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.virtualmachinethreatdetectionsettings.update
securitycenter.websecurityscannersettings.*
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycenter.websecurityscannersettings.update
securitycentermanagement.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.create
securitycentermanagement.eventThreatDetectionCustomModules.delete
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.update
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCenterServices.update
securitycentermanagement.securityCommandCenter.activate
securitycentermanagement.securityCommandCenter.checkActivationOperation
securitycentermanagement.securityCommandCenter.checkEligibility
securitycentermanagement.securityCommandCenter.generateServiceAccounts
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityCommandCenter.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
securitycentermanagement.securityHealthAnalyticsCustomModules.update
Security Center Settings Viewer (roles/securitycenter.settingsViewer)
Read access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.bigQueryExports.get
securitycenter.bigQueryExports.list
securitycenter.containerthreatdetectionsettings.calculate
securitycenter.containerthreatdetectionsettings.get
securitycenter.effectivesecurityhealthanalyticscustommodules.*
securitycenter.effectivesecurityhealthanalyticscustommodules.get
securitycenter.effectivesecurityhealthanalyticscustommodules.list
securitycenter.eventthreatdetectionsettings.calculate
securitycenter.eventthreatdetectionsettings.get
securitycenter.integratedvulnerabilityscannersettings.calculate
securitycenter.integratedvulnerabilityscannersettings.get
securitycenter.muteconfigs.get
securitycenter.muteconfigs.list
securitycenter.notificationconfig.get
securitycenter.notificationconfig.list
securitycenter.organizationsettings.get
securitycenter.rapidvulnerabilitydetectionsettings.calculate
securitycenter.rapidvulnerabilitydetectionsettings.get
securitycenter.securitycentersettings.get
securitycenter.securityhealthanalyticscustommodules.get
securitycenter.securityhealthanalyticscustommodules.list
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.subscription.get
securitycenter.userinterfacemetadata.get
securitycenter.virtualmachinethreatdetectionsettings.calculate
securitycenter.virtualmachinethreatdetectionsettings.get
securitycenter.websecurityscannersettings.calculate
securitycenter.websecurityscannersettings.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.*
securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.get
securitycentermanagement.eventThreatDetectionCustomModules.list
securitycentermanagement.eventThreatDetectionCustomModules.validate
securitycentermanagement.locations.*
securitycentermanagement.locations.get
securitycentermanagement.locations.list
securitycentermanagement.securityCenterServices.get
securitycentermanagement.securityCenterServices.list
securitycentermanagement.securityCommandCenter.get
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
securitycentermanagement.securityHealthAnalyticsCustomModules.test
Security Center Simulations Reader (roles/securitycenter.simulationsViewer)
Read access to security center simulations
securitycenter.simulations.get
Security Center Sources Admin (roles/securitycenter.sourcesAdmin)
Admin access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.*
securitycenter.sources.get
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
securitycenter.sources.update
securitycenter.userinterfacemetadata.get
Security Center Sources Editor (roles/securitycenter.sourcesEditor)
Read-write access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.userinterfacemetadata.get
Security Center Sources Viewer (roles/securitycenter.sourcesViewer)
Read access to sources
Lowest-level resources where you can grant this role:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.userinterfacemetadata.get
Security Center Valued Resources Reader (roles/securitycenter.valuedResourcesViewer)
Read access to security center valued resources
securitycenter.valuedresources.list
IAM roles in the security posture service
The following is the list of IAM roles and permissions available for the security posture service and the Infrastructure as Code validation feature.
You can grant these roles at the organization, folder, or project level.
Note that the Security Posture Admin role is available only at the organization level.
Role
Permissions
Security Posture Admin (roles/securityposture.admin)
Full access to the security posture service APIs.
orgpolicy.*
orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.get
securitycentermanagement.securityHealthAnalyticsCustomModules.list
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.*
securityposture.locations.get
securityposture.locations.list
securityposture.operations.delete
securityposture.operations.get
securityposture.operations.list
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
securityposture.reports.create
securityposture.reports.get
securityposture.reports.list
Security Posture Resource Editor (roles/securityposture.postureEditor)
Permissions to read and modify the posture resource.
securityposture.operations.get
securityposture.postures.*
securityposture.postures.create
securityposture.postures.delete
securityposture.postures.extract
securityposture.postures.get
securityposture.postures.list
securityposture.postures.update
Security Posture Deployer (roles/securityposture.postureDeployer)
Permissions to read and modify the posture deployment resource.
orgpolicy.*
orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set
resourcemanager.organizations.get
securitycenter.securityhealthanalyticssettings.*
securitycenter.securityhealthanalyticssettings.calculate
securitycenter.securityhealthanalyticssettings.get
securitycenter.securityhealthanalyticssettings.update
securitycentermanagement.securityHealthAnalyticsCustomModules.create
securitycentermanagement.securityHealthAnalyticsCustomModules.delete
securitycentermanagement.securityHealthAnalyticsCustomModules.update
securityposture.operations.get
securityposture.postureDeployments.*
securityposture.postureDeployments.create
securityposture.postureDeployments.delete
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureDeployments.update
Security Posture Resource Viewer (roles/securityposture.postureViewer)
Read-only access to the posture resource.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postures.get
securityposture.postures.list
Security Posture Deployments Viewer (roles/securityposture.postureDeploymentsViewer)
Read-only access to the posture deployment resource.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
Security Posture Shift-Left Validator (roles/securityposture.reportCreator)
Permissions to create reports (for example, an IaC validation report).
securityposture.operations.get
securityposture.reports.*
securityposture.reports.create
securityposture.reports.get
securityposture.reports.list
Security Posture Viewer (roles/securityposture.viewer)
Read-only access to all resources in the SecurityPosture service.
resourcemanager.organizations.get
securityposture.operations.get
securityposture.postureDeployments.get
securityposture.postureDeployments.list
securityposture.postureTemplates.*
securityposture.postureTemplates.get
securityposture.postureTemplates.list
securityposture.postures.get
securityposture.postures.list
Service agent roles
A service agent lets a service access your resources.
After you activate Security Command Center, two service agents are created for you:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com. This service agent requires the IAM role roles/securitycenter.serviceAgent.
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com. This service agent requires the IAM role roles/containerthreatdetection.serviceAgent.
During the Security Command Center activation process, you are prompted to grant one or more required IAM roles to each service agent. Granting the roles to each service agent is required for Security Command Center to work.
To view the permissions associated with each role, see the following resources:
To grant these roles, you must have the roles/resourcemanager.organizationAdmin role.
If you do not have the roles/resourcemanager.organizationAdmin role, your organization administrator can grant the roles to the service agents on your behalf with the following gcloud CLI command (IAM identifies a service account member with the serviceAccount: prefix):
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="serviceAccount:SERVICE_AGENT_NAME" \
--role="IAM_ROLE"
Replace the following:
ORGANIZATION_ID: the ID of your organization.
SERVICE_AGENT_NAME: the name of the service agent to which you are granting the role. It is one of the following service agent names:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
IAM_ROLE: the required role that corresponds to the specified service agent:
roles/securitycenter.serviceAgent
roles/containerthreatdetection.serviceAgent
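Before or after activation, an administrator can verify that both service agents carry exactly the binding the procedure above requires, and nothing more. The check below is an added example, not code from the Google Cloud documentation; it assumes the policy JSON shape returned by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` (a list of bindings with "role" and "members") and the `serviceAccount:` member prefix that IAM uses for service accounts, and it works on a constructed sample policy.

```python
"""Audit the Security Command Center service agent bindings in an
organization IAM policy and emit the gcloud commands for missing ones.

Added example (not from the Google Cloud docs). Assumes the policy JSON
produced by `gcloud organizations get-iam-policy ... --format=json`.
"""
import json

# Required role per service agent, exactly as listed in the procedure above.
# {org} is replaced with the numeric organization ID.
REQUIRED_BINDINGS = {
    "service-org-{org}@security-center-api.iam.gserviceaccount.com":
        "roles/securitycenter.serviceAgent",
    "service-org-{org}@gcp-sa-ktd-hpsa.iam.gserviceaccount.com":
        "roles/containerthreatdetection.serviceAgent",
}


def load_policy(text: str) -> dict:
    """Parse the JSON text of an IAM policy."""
    return json.loads(text)


def required_bindings(org_id: str) -> dict[str, str]:
    """Map each service agent email (for org_id) to the role it requires."""
    return {agent.format(org=org_id): role for agent, role in REQUIRED_BINDINGS.items()}


def members_with_role(policy: dict, role: str) -> set[str]:
    """Union of members bound to `role`; a role can occur in several bindings
    (for example one conditional and one unconditional), so merge them."""
    members: set[str] = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def missing_service_agent_bindings(policy: dict, org_id: str) -> list[tuple[str, str]]:
    """(agent_email, role) pairs from the procedure that the policy does not grant."""
    missing = []
    for agent, role in required_bindings(org_id).items():
        if f"serviceAccount:{agent}" not in members_with_role(policy, role):
            missing.append((agent, role))
    return missing


def unexpected_roles(policy: dict, org_id: str) -> dict[str, set[str]]:
    """Least-privilege check: roles a service agent holds beyond its required one."""
    extras: dict[str, set[str]] = {}
    for agent, role in required_bindings(org_id).items():
        member = f"serviceAccount:{agent}"
        held = {b.get("role") for b in policy.get("bindings", []) if member in b.get("members", [])}
        held.discard(role)
        if held:
            extras[agent] = held
    return extras


def remediation_commands(policy: dict, org_id: str) -> list[str]:
    """The add-iam-policy-binding command from the procedure, one per missing binding."""
    return [
        f'gcloud organizations add-iam-policy-binding {org_id} '
        f'--member="serviceAccount:{agent}" --role="{role}"'
        for agent, role in missing_service_agent_bindings(policy, org_id)
    ]


# Constructed sample: the Security Command Center API agent is bound correctly,
# the Container Threat Detection agent holds roles/viewer instead of its role.
SAMPLE_ORG_ID = "123456789012"
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/securitycenter.serviceAgent",
         "members": ["serviceAccount:service-org-123456789012@security-center-api.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:service-org-123456789012@gcp-sa-ktd-hpsa.iam.gserviceaccount.com"]},
    ],
    "etag": "BwExampleEtag=",  # constructed placeholder
    "version": 1,
})

if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for agent, role in missing_service_agent_bindings(policy, SAMPLE_ORG_ID):
        print(f"MISSING: {agent} needs {role}")
    for agent, roles in unexpected_roles(policy, SAMPLE_ORG_ID).items():
        print(f"EXTRA: {agent} also holds {sorted(roles)}")
    for cmd in remediation_commands(policy, SAMPLE_ORG_ID):
        print(cmd)
```

On a real organization, feed the output of `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` to `load_policy` instead of the sample; the generated commands still require the organizationAdmin role described above to run.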
For more information about IAM roles, see Understanding roles.
Web Security Scanner
IAM roles control how you use Web Security Scanner. The tables below show each IAM role available for Web Security Scanner, along with the associated methods. Grant these roles at the project level.
To give users the ability to create and manage security scans, add the users to your project and grant them permissions using IAM roles.
Web Security Scanner supports basic roles and predefined roles; the predefined roles provide more granular access to Web Security Scanner resources.
Basic IAM roles
The following section describes the Web Security Scanner permissions granted by the basic roles.
Role
Description
Owner
Full access to all Web Security Scanner resources
Editor
Full access to all Web Security Scanner resources
Viewer
No access to Web Security Scanner
Predefined IAM roles
The following section describes the Web Security Scanner permissions granted by the Web Security Scanner roles.
Role
Permissions
Web Security Scanner Editor (roles/cloudsecurityscanner.editor)
Full access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
appengine.applications.get
cloudsecurityscanner.*
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Web Security Scanner Runner (roles/cloudsecurityscanner.runner)
Read access to Scan and ScanRun, plus the ability to start scans
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
Web Security Scanner Viewer (roles/cloudsecurityscanner.viewer)
Read access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
For more information about IAM roles, see Understanding roles.