Access control

Cloud Identity and Access Management (Cloud IAM) roles determine how you can use the Security Command Center API. Below is a list of each Cloud IAM role available for Security Command Center, the permissions each role grants, and the lowest resource level at which it can be applied. Apply these roles at the organization level.

Role: roles/securitycenter.admin
Title: Security Center Admin
Description: Admin (super user) access to security center
Permissions:
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Organization

Role: roles/securitycenter.adminEditor
Title: Security Center Admin Editor
Description: Admin read-write access to security center
Permissions:
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Organization

Role: roles/securitycenter.adminViewer
Title: Security Center Admin Viewer
Description: Admin read access to security center
Permissions:
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.sources.get
  • securitycenter.sources.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Organization

Role: roles/securitycenter.assetSecurityMarksWriter
Title: Security Center Asset Security Marks Writer
Description: Write access to asset security marks
Permissions:
  • securitycenter.assetsecuritymarks.*
Lowest resource: Organization

Role: roles/securitycenter.assetsDiscoveryRunner
Title: Security Center Assets Discovery Runner
Description: Run asset discovery access to assets
Permissions:
  • securitycenter.assets.runDiscovery
Lowest resource: Organization

Role: roles/securitycenter.assetsViewer
Title: Security Center Assets Viewer
Description: Read access to assets
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
Lowest resource: Organization

Role: roles/securitycenter.findingSecurityMarksWriter
Title: Security Center Finding Security Marks Writer
Description: Write access to finding security marks
Permissions:
  • securitycenter.findingsecuritymarks.*
Lowest resource: Organization

Role: roles/securitycenter.findingsEditor
Title: Security Center Findings Editor
Description: Read-write access to findings
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.findings.*
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization

Role: roles/securitycenter.findingsStateSetter
Title: Security Center Findings State Setter
Description: Set state access to findings
Permissions:
  • securitycenter.findings.setState
Lowest resource: Organization

Role: roles/securitycenter.findingsViewer
Title: Security Center Findings Viewer
Description: Read access to findings
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization

Role: roles/securitycenter.notificationConfigEditor
Title: Security Center Notification Configurations Editor
Description: Write access to notification configurations
Permissions:
  • securitycenter.notificationconfig.*

Role: roles/securitycenter.notificationConfigViewer
Title: Security Center Notification Configurations Viewer
Description: Read access to notification configurations
Permissions:
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list

Role: roles/securitycenter.sourcesAdmin
Title: Security Center Sources Admin
Description: Admin access to sources
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.*
Lowest resource: Organization

Role: roles/securitycenter.sourcesEditor
Title: Security Center Sources Editor
Description: Read-write access to sources
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
Lowest resource: Organization

Role: roles/securitycenter.sourcesViewer
Title: Security Center Sources Viewer
Description: Read access to sources
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization
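
The roles above differ mainly in how much of the securitycenter permission space they grant, and the practical form of least privilege here is to pick the narrowest role that still covers what a principal needs (for example, a workflow that only closes findings needs roles/securitycenter.findingsStateSetter, not roles/securitycenter.admin). The Python script below is an added example, not code from this page or from Google Cloud: it transcribes the role list above into a lookup table, treats a trailing ".*" as "every permission under that prefix" (an assumption about the listing's notation), and ranks the roles that cover a requested permission set from narrowest to broadest. The breadth weights and the function names are the example's own.

```python
"""Pick the narrowest Security Command Center role for a needed permission set.

Added example (not code from the page or from Google Cloud). ROLE_PERMISSIONS is
transcribed from the role list above; entries ending in ".*" are assumed to mean
"every permission under that prefix", which is how the listing uses them.
"""
from __future__ import annotations

from typing import Iterable


def _perms(spec: str) -> frozenset[str]:
    return frozenset(spec.split())


ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/securitycenter.admin": _perms(
        "appengine.applications.get cloudsecurityscanner.* compute.addresses.list "
        "resourcemanager.organizations.get resourcemanager.projects.get "
        "resourcemanager.projects.list securitycenter.* serviceusage.quotas.get "
        "serviceusage.services.get serviceusage.services.list"),
    "roles/securitycenter.adminEditor": _perms(
        "appengine.applications.get cloudsecurityscanner.* compute.addresses.list "
        "resourcemanager.organizations.get resourcemanager.projects.get "
        "resourcemanager.projects.list securitycenter.assets.* "
        "securitycenter.assetsecuritymarks.* securitycenter.findings.* "
        "securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* "
        "securitycenter.sources.get securitycenter.sources.list "
        "securitycenter.sources.update serviceusage.quotas.get "
        "serviceusage.services.get serviceusage.services.list"),
    "roles/securitycenter.adminViewer": _perms(
        "cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* "
        "cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary "
        "cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get "
        "cloudsecurityscanner.scans.list resourcemanager.organizations.get "
        "securitycenter.assets.group securitycenter.assets.list "
        "securitycenter.assets.listAssetPropertyNames securitycenter.findings.group "
        "securitycenter.findings.list securitycenter.findings.listFindingPropertyNames "
        "securitycenter.notificationconfig.get securitycenter.notificationconfig.list "
        "securitycenter.sources.get securitycenter.sources.list "
        "serviceusage.quotas.get serviceusage.services.get serviceusage.services.list"),
    "roles/securitycenter.assetSecurityMarksWriter": _perms("securitycenter.assetsecuritymarks.*"),
    "roles/securitycenter.assetsDiscoveryRunner": _perms("securitycenter.assets.runDiscovery"),
    "roles/securitycenter.assetsViewer": _perms(
        "resourcemanager.organizations.get securitycenter.assets.group "
        "securitycenter.assets.list securitycenter.assets.listAssetPropertyNames"),
    "roles/securitycenter.findingSecurityMarksWriter": _perms("securitycenter.findingsecuritymarks.*"),
    "roles/securitycenter.findingsEditor": _perms(
        "resourcemanager.organizations.get securitycenter.findings.* "
        "securitycenter.sources.get securitycenter.sources.list"),
    "roles/securitycenter.findingsStateSetter": _perms("securitycenter.findings.setState"),
    "roles/securitycenter.findingsViewer": _perms(
        "resourcemanager.organizations.get securitycenter.findings.group "
        "securitycenter.findings.list securitycenter.findings.listFindingPropertyNames "
        "securitycenter.sources.get securitycenter.sources.list"),
    "roles/securitycenter.notificationConfigEditor": _perms("securitycenter.notificationconfig.*"),
    "roles/securitycenter.notificationConfigViewer": _perms(
        "securitycenter.notificationconfig.get securitycenter.notificationconfig.list"),
    "roles/securitycenter.sourcesAdmin": _perms(
        "resourcemanager.organizations.get securitycenter.sources.*"),
    "roles/securitycenter.sourcesEditor": _perms(
        "resourcemanager.organizations.get securitycenter.sources.get "
        "securitycenter.sources.list securitycenter.sources.update"),
    "roles/securitycenter.sourcesViewer": _perms(
        "resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list"),
}


def grants(listed: str, needed: str) -> bool:
    """Does one listed entry (exact name or 'prefix.*') cover the needed permission?"""
    if listed.endswith(".*"):
        return needed.startswith(listed[:-1])  # keeps the dot: "securitycenter.findings."
    return listed == needed


def breadth(listed: str) -> int:
    """Heuristic weight of one entry (example's own): exact = 1; a wildcard weighs
    more the shorter its prefix, so securitycenter.* (1000) dwarfs
    securitycenter.findings.* (100)."""
    if not listed.endswith(".*"):
        return 1
    return 10 ** (4 - min(listed.count("."), 3))


def missing(role: str, needed: Iterable[str]) -> list[str]:
    """Needed permissions that the role does not grant."""
    return [n for n in needed if not any(grants(p, n) for p in ROLE_PERMISSIONS[role])]


def least_privileged_roles(needed: Iterable[str]) -> list[str]:
    """Roles that grant every needed permission, narrowest grant first."""
    needed = list(needed)
    covering = [r for r in ROLE_PERMISSIONS if not missing(r, needed)]
    return sorted(covering, key=lambda r: (sum(breadth(p) for p in ROLE_PERMISSIONS[r]), r))


if __name__ == "__main__":
    for want in (["securitycenter.findings.setState"],
                 ["securitycenter.findings.list", "securitycenter.assets.list"]):
        print(want, "->", least_privileged_roles(want))
```

A request for securitycenter.findings.setState alone ranks findingsStateSetter first, ahead of findingsEditor and the two admin roles; a request for findings.list plus assets.list is covered only by adminViewer, adminEditor and admin, which is the cue to grant two narrow roles (findingsViewer and assetsViewer) instead of one broad one. The prefix test also shows why the wildcard must keep its trailing dot: securitycenter.findings.* must not match securitycenter.findingsecuritymarks.update.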

Role: Security Center Service Agent

When you enable Security Command Center, a service account is created for you in the format of service-org-organization-id@security-center-api.iam.gserviceaccount.com. This service account is automatically granted the securitycenter.serviceAgent role at the organization level. This role enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis.

This securitycenter.serviceAgent role is an internal role that includes the following permissions:

Role: roles/securitycenter.serviceAgent
Title: Security Center Service Agent
Description: Access to scan Google Cloud resources and import security scans
Permissions:
  All of the permissions of the following roles:
  • appengine.appViewer
  • cloudasset.viewer
  • compute.viewer
  • container.viewer
  • dlpscanner.policyReader
  • dlpscanner.scanReader
  • dlp.jobsReader
  Plus the following additional permissions:
  • resourcemanager.folders.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.getIamPolicy
Lowest resource: Organization

To add roles/securitycenter.serviceAgent, you must have roles/resourcemanager.organizationAdmin. You can add the role to a service account by running:

gcloud beta organizations add-iam-policy-binding organization-id \
  --member="serviceAccount:service-org-organization-id@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"
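
To confirm that the binding took effect, and to keep track of who else holds the broad Security Command Center roles, the organization policy can be exported with gcloud organizations get-iam-policy organization-id --format=json and checked offline. The script below is an added example, not code from this page or from Google Cloud: it reads a policy in that JSON shape (a "bindings" list of role/members objects), checks that the service agent account named above holds roles/securitycenter.serviceAgent and nothing beyond it, lists the principals holding the admin-level roles from the table, and flags any securitycenter role granted to allUsers or allAuthenticatedUsers. The sample policy, the organization ID and the function names are constructed for the example.

```python
"""Audit an organization IAM policy for Security Command Center bindings.

Added example (not code from the page or from Google Cloud). The policy structure
is the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` prints
(a "bindings" list of {"role", "members"} objects); SAMPLE_POLICY and the
organization ID below are constructed for the demonstration.
"""
import json

SERVICE_AGENT_ROLE = "roles/securitycenter.serviceAgent"
# Roles from the list above that grant admin-level or broad write rights.
ADMIN_LEVEL_ROLES = ("roles/securitycenter.admin", "roles/securitycenter.adminEditor",
                     "roles/securitycenter.sourcesAdmin")
PUBLIC_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")


def service_agent_member(org_id: str) -> str:
    """IAM member string of the service account the page says SCC creates."""
    return f"serviceAccount:service-org-{org_id}@security-center-api.iam.gserviceaccount.com"


def roles_of(policy: dict, member: str) -> list[str]:
    """Every role the member holds in the policy (conditional bindings included)."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


def members_of(policy: dict, role: str) -> list[str]:
    """Every principal bound to the role, across all bindings."""
    return sorted(m for b in policy.get("bindings", [])
                  if b["role"] == role for m in b.get("members", []))


def audit_scc_policy(policy: dict, org_id: str) -> dict:
    """Report whether the service agent is bound as the page describes, whether it
    holds anything beyond roles/securitycenter.serviceAgent, which securitycenter
    roles are granted to public principals, and who holds the admin-level roles."""
    agent_roles = roles_of(policy, service_agent_member(org_id))
    public = [(b["role"], m) for b in policy.get("bindings", [])
              if b["role"].startswith("roles/securitycenter.")
              for m in b.get("members", []) if m in PUBLIC_PRINCIPALS]
    return {
        "service_agent_present": SERVICE_AGENT_ROLE in agent_roles,
        "service_agent_extra_roles": [r for r in agent_roles if r != SERVICE_AGENT_ROLE],
        "public_grants": sorted(public),
        "admin_holders": {r: members_of(policy, r) for r in ADMIN_LEVEL_ROLES
                          if members_of(policy, r)},
    }


def audit_from_json(text: str, org_id: str) -> dict:
    """Wrapper for the raw output of gcloud organizations get-iam-policy --format=json."""
    return audit_scc_policy(json.loads(text), org_id)


SAMPLE_ORG_ID = "123456789012"  # constructed placeholder, not a real organization
SAMPLE_POLICY = {  # constructed policy in gcloud's JSON shape
    "version": 1,
    "etag": "BwConstructedEtag=",
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:org-admins@example.com"]},
        {"role": SERVICE_AGENT_ROLE, "members": [service_agent_member(SAMPLE_ORG_ID)]},
        {"role": "roles/securitycenter.admin",
         "members": ["user:alice@example.com", "group:sec-ops@example.com"]},
        {"role": "roles/securitycenter.findingsViewer", "members": ["allAuthenticatedUsers"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_scc_policy(SAMPLE_POLICY, SAMPLE_ORG_ID), indent=2))
```

On the constructed policy the report confirms the service agent binding, shows the two principals holding roles/securitycenter.admin, and flags the findingsViewer grant to allAuthenticatedUsers; a policy exported from a real organization is fed in through audit_from_json with the organization's own numeric ID.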

For more information about Cloud IAM roles, see Understanding roles.