Access control

This page describes how Security Command Center uses Identity and Access Management (IAM) to control access to resources at different levels of your resource hierarchy.

Security Command Center uses IAM roles to let you control who can do what with assets, findings, and security sources in your Security Command Center environment. You grant roles to individuals and applications, and each role provides specific permissions.

Security Command Center Premium supports granting IAM roles at the organization, folder, and project levels. Security Command Center Standard only supports granting roles at the organization level.

Permissions

To set up Security Command Center or change the configuration of your organization, you need both of the following roles at the organization level:

  • Organization Admin (roles/resourcemanager.organizationAdmin)
  • Security Center Admin (roles/securitycenter.admin)

If a user doesn't require edit permissions, consider granting them viewer roles. To view all assets, findings, and settings in Security Command Center, users need the Security Center Admin Viewer (roles/securitycenter.adminViewer) role at the organization level.

To restrict access to individual folders and projects, don't grant all roles at the organization level. Instead, grant the following roles at the folder or project level:

  • Security Center Assets Viewer (roles/securitycenter.assetsViewer)
  • Security Center Findings Viewer (roles/securitycenter.findingsViewer)

Organization-level roles

When IAM roles are applied at the organization level, projects and folders under an organization inherit its roles and permissions.

The following figure illustrates a typical Security Command Center resource hierarchy with roles granted at the organization level.

Figure: Security Command Center resource hierarchy and organization-level roles

IAM roles include permissions to view, edit, update, create, or delete resources. Roles granted at the organization level in Security Command Center let you perform prescribed actions on findings, assets, and security sources throughout your organization. For example, a user granted the Security Center Findings Editor role (roles/securitycenter.findingsEditor) can view or edit findings attached to any resource in any project or folder in your organization. With this structure, you don't have to grant users roles in each folder or project.

For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.

Organization-level roles are not suitable for all use cases, particularly for sensitive applications or compliance standards that require strict access controls. To create fine-grained access policies, Security Command Center Premium lets you grant roles at the folder and project levels.

Folder and project roles

Security Command Center Premium lets you grant Security Command Center IAM roles for specific folders and projects, creating multiple views, or silos, within your organization. You grant users and groups different access and edit permissions to folders and projects across your organization.

The following video describes Security Command Center Premium's support for folder- and project-level roles and how to manage them in the dashboard.

With folder and project roles, users with Security Command Center roles have the ability to manage assets and findings within designated projects or folders. For example, a security engineer can be given limited access to select folders and projects while a security administrator can manage all resources at the organization level.

Folder and project roles allow Security Command Center permissions to be applied at lower levels of your organization's resource hierarchy, but do not change the hierarchy. The following figure illustrates a user with Security Command Center permissions to access findings in a specific project.

Figure: Security Command Center resource hierarchy and project-level roles (dashed items are inaccessible)

Users with folder and project roles see a subset of an organization's resources. Any actions they take are limited to the same scope. For example, if a user has permissions for a folder, they can access resources in any project in the folder. Permissions granted on a project give users access to resources in that project.

For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.

Role restrictions

By granting Security Command Center roles at the folder or project level, Security Command Center Premium administrators can do the following:

  • Limit Security Command Center view or edit permissions to specific folders and projects
  • Grant view and edit permissions for groups of assets or findings to specific users or teams
  • Restrict the ability to view or edit finding details, including updates to security marks and finding state, to individuals or groups with access to the underlying finding
  • Control access to Security Command Center settings, which can only be viewed by individuals with organization-level roles
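The inheritance rule above (a role granted on an organization or folder applies to everything beneath it, while a project grant stops at that project) and the "lowest-level resource" column of the role table below can be checked mechanically before a binding is applied. The following is an added example, not Google's code: it resolves a principal's effective Security Command Center roles on a resource by walking a constructed org/folder/project hierarchy, and flags bindings that grant a role below the lowest level the role table permits. It assumes Security Command Center Premium (folder and project grants supported) and uses constructed resource names, members and bindings.

```python
"""Added example: resolve inherited Security Command Center roles and
check bindings against each role's lowest supported level."""

# Lowest level at which each role may be granted, taken from the role table.
LOWEST_LEVEL = {
    "roles/securitycenter.admin": "project",
    "roles/securitycenter.adminViewer": "project",
    "roles/securitycenter.assetsViewer": "project",
    "roles/securitycenter.findingsViewer": "project",
    "roles/securitycenter.findingsEditor": "project",
    "roles/securitycenter.assetsDiscoveryRunner": "organization",
    "roles/securitycenter.notificationConfigEditor": "organization",
    "roles/securitycenter.sourcesAdmin": "organization",
}
LEVEL_RANK = {"organization": 0, "folder": 1, "project": 2}

# Constructed sample hierarchy: resource -> parent (None for the organization).
PARENT = {
    "organizations/123": None,
    "folders/f-prod": "organizations/123",
    "projects/p-web": "folders/f-prod",
    "projects/p-batch": "organizations/123",
}

# Constructed sample bindings: (resource, role, member).
BINDINGS = [
    ("organizations/123", "roles/securitycenter.admin", "group:sec-admins@example.com"),
    ("folders/f-prod", "roles/securitycenter.findingsViewer", "user:eng@example.com"),
    ("projects/p-batch", "roles/securitycenter.assetsViewer", "user:eng@example.com"),
    # Sources Admin may only be granted at the organization level; this binding is wrong.
    ("projects/p-web", "roles/securitycenter.sourcesAdmin", "user:eng@example.com"),
]


def level_of(resource):
    """'projects/x' -> 'project', 'folders/x' -> 'folder', 'organizations/x' -> 'organization'."""
    return resource.split("/")[0].rstrip("s")


def ancestry(resource):
    """Yield the resource and its ancestors up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def effective_roles(member, resource, bindings=BINDINGS):
    """Roles `member` holds on `resource`, including those inherited from parents."""
    chain = set(ancestry(resource))
    return sorted({role for res, role, m in bindings if m == member and res in chain})


def invalid_grants(bindings=BINDINGS):
    """Bindings whose role is granted below its lowest supported level."""
    bad = []
    for res, role, member in bindings:
        lowest = LOWEST_LEVEL.get(role)
        if lowest and LEVEL_RANK[level_of(res)] > LEVEL_RANK[lowest]:
            bad.append((res, role, member))
    return bad


if __name__ == "__main__":
    print(effective_roles("user:eng@example.com", "projects/p-web"))
    print(effective_roles("user:eng@example.com", "projects/p-batch"))
    print(invalid_grants())
```

Note that the folder-level Findings Viewer grant reaches projects/p-web but not projects/p-batch, which sits directly under the organization, so a check like this shows exactly which silo a user can see.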

Security Command Center functions

Security Command Center Premium functions are also restricted based on view and edit permissions.

The Security Command Center dashboard lets individuals without organization-level permissions choose resources to which they have access. Their selection updates all elements of the user interface, including assets, findings, and settings controls. Users see the privileges attached to their roles and whether they can access or edit findings at their current scope.

The Security Command Center API and gcloud command-line tool also restrict functions to prescribed folders and projects. If calls to list or group assets and findings are made by users granted folder or project roles, only findings or assets at those scopes are returned.

Calls to create or update findings and finding notifications only support the organization scope. You need organization-level roles to perform these tasks.

Parent resources for findings

Usually, a finding is attached to a resource, like a virtual machine (VM) or firewall. Security Command Center attaches findings to the most immediate container for the resource that generated the finding. For example, if a VM generates a finding, the finding is attached to the project that contains the VM. Findings that are not connected to a Google Cloud resource are attached to the organization and are visible to anyone with organization-level Security Command Center permissions.

IAM roles in Security Command Center

The following is a list of IAM roles available for Security Command Center and the permissions included in them. Security Command Center Premium supports granting these roles at the organization, folder, or project level. Security Command Center Standard only supports granting IAM roles at the organization level.

Role Permissions

Security Center Admin
(roles/securitycenter.admin)

Admin (super user) access to security center

Lowest-level resource where you can grant this role: Project

Permissions:

  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Security Center Admin Editor
(roles/securitycenter.adminEditor)

Admin Read-write access to security center

Lowest-level resource where you can grant this role: Project

Permissions:

  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Security Center Admin Viewer
(roles/securitycenter.adminViewer)

Admin Read access to security center

Lowest-level resource where you can grant this role: Project

Permissions:

  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Security Center Asset Security Marks Writer
(roles/securitycenter.assetSecurityMarksWriter)

Write access to asset security marks

Lowest-level resource where you can grant this role: Project

Permissions:

  • securitycenter.assetsecuritymarks.*
  • securitycenter.userinterfacemetadata.*

Security Center Assets Discovery Runner
(roles/securitycenter.assetsDiscoveryRunner)

Run asset discovery access to assets

Lowest-level resource where you can grant this role: Organization

Permissions:

  • securitycenter.assets.runDiscovery
  • securitycenter.userinterfacemetadata.*

Security Center Assets Viewer
(roles/securitycenter.assetsViewer)

Read access to assets

Lowest-level resource where you can grant this role: Project

Permissions:

  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.userinterfacemetadata.*

Security Center Finding Security Marks Writer
(roles/securitycenter.findingSecurityMarksWriter)

Write access to finding security marks

Lowest-level resource where you can grant this role: Project

Permissions:

  • securitycenter.findingsecuritymarks.*
  • securitycenter.userinterfacemetadata.*

Security Center Findings Editor
(roles/securitycenter.findingsEditor)

Read-write access to findings

Lowest-level resource where you can grant this role: Project

Permissions:

  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setState
  • securitycenter.findings.update
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.userinterfacemetadata.*

Security Center Findings State Setter
(roles/securitycenter.findingsStateSetter)

Set state access to findings

Lowest-level resource where you can grant this role: Project

Permissions:

  • securitycenter.findings.setState
  • securitycenter.userinterfacemetadata.*

Security Center Findings Viewer
(roles/securitycenter.findingsViewer)

Read access to findings

Lowest-level resource where you can grant this role: Project

Permissions:

  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.userinterfacemetadata.*

Security Center Findings Workflow State Setter Beta
(roles/securitycenter.findingsWorkflowStateSetter)

Set workflow state access to findings

Lowest-level resource where you can grant this role: Project

Permissions:

  • securitycenter.findings.setWorkflowState
  • securitycenter.userinterfacemetadata.*

Security Center Notification Configurations Editor
(roles/securitycenter.notificationConfigEditor)

Write access to notification configurations

Lowest-level resource where you can grant this role: Organization

Permissions:

  • securitycenter.notificationconfig.*
  • securitycenter.userinterfacemetadata.*

Security Center Notification Configurations Viewer
(roles/securitycenter.notificationConfigViewer)

Read access to notification configurations

Lowest-level resource where you can grant this role: Organization

Permissions:

  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.userinterfacemetadata.*

Security Center Settings Admin
(roles/securitycenter.settingsAdmin)

Admin (super user) access to security center settings

Lowest-level resource where you can grant this role: Project

Permissions:

  • securitycenter.containerthreatdetectionsettings.*
  • securitycenter.eventthreatdetectionsettings.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.*
  • securitycenter.securitycentersettings.*
  • securitycenter.securityhealthanalyticssettings.*
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.*

Security Center Settings Editor
(roles/securitycenter.settingsEditor)

Read-write access to security center settings

Lowest-level resource where you can grant this role: Project

Permissions:

  • securitycenter.containerthreatdetectionsettings.*
  • securitycenter.eventthreatdetectionsettings.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.*
  • securitycenter.securitycentersettings.*
  • securitycenter.securityhealthanalyticssettings.*
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.*

Security Center Settings Viewer
(roles/securitycenter.settingsViewer)

Read access to security center settings

Lowest-level resource where you can grant this role: Project

Permissions:

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get

Security Center Sources Admin
(roles/securitycenter.sourcesAdmin)

Admin access to sources

Lowest-level resource where you can grant this role: Organization

Permissions:

  • resourcemanager.organizations.get
  • securitycenter.sources.*
  • securitycenter.userinterfacemetadata.*

Security Center Sources Editor
(roles/securitycenter.sourcesEditor)

Read-write access to sources

Lowest-level resource where you can grant this role: Organization

Permissions:

  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.userinterfacemetadata.*

Security Center Sources Viewer
(roles/securitycenter.sourcesViewer)

Read access to sources

Lowest-level resource where you can grant this role: Project

Permissions:

  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.userinterfacemetadata.*

Role: Security Center Service Agent

When you enable Security Command Center, a service account is created for you in the format of service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com. In order to use Security Command Center, the service account must be granted the securitycenter.serviceAgent role at the organization level. This role enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis.

You are asked to grant this role to the service account as part of Security Command Center's onboarding process. You can grant all required roles through the onboarding interface or, alternatively, use gcloud to manually grant roles. For instructions on granting roles to the service account, see Grant permissions.

The securitycenter.serviceAgent role includes the following permissions:

Role: roles/securitycenter.serviceAgent
Title: Security Center Service Agent
Description: Access to scan Google Cloud resources and import security scans
Lowest resource: Organization

Permissions: all of the permissions of the following roles:

  • appengine.appViewer
  • cloudasset.viewer
  • compute.viewer
  • container.viewer
  • dlpscanner.policyReader
  • dlpscanner.scanReader
  • dlp.jobsReader

Plus the following additional permissions:

  • resourcemanager.folders.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.getIamPolicy

To add roles/securitycenter.serviceAgent, you must have roles/resourcemanager.organizationAdmin. You can add the role to a service account by running:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="serviceAccount:service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"

Replace ORGANIZATION_ID with your organization ID.

For more information about IAM roles, see Understanding roles.

Web Security Scanner

IAM roles prescribe how you can use Web Security Scanner. The tables below include each IAM role available for Web Security Scanner and the methods available to them. Grant these roles at the project level. To give users the ability to create and manage security scans, add them to your project and grant them permissions using these roles.

Web Security Scanner supports basic roles and predefined roles that give more granular access to Web Security Scanner resources.

Basic IAM roles

The following describes the Web Security Scanner permissions that are granted by basic roles.

  • Owner: Full access to all Web Security Scanner resources
  • Editor: Full access to all Web Security Scanner resources
  • Viewer: No access to Web Security Scanner

Predefined IAM roles

The following describes the Web Security Scanner permissions that are granted by Web Security Scanner roles.

Role Permissions

Web Security Scanner Editor
(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resource where you can grant this role: Project

Permissions:

  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Web Security Scanner Runner
(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resource where you can grant this role: Project

Permissions:

  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run

Web Security Scanner Viewer
(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resource where you can grant this role: Project

Permissions:

  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

For more information about IAM roles, see Understanding roles.