
Access control

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use the Cloud Security Command Center (Cloud SCC) API. Below is a list of each Cloud IAM role available for Cloud SCC and the permissions each role grants. Apply these roles at the organization level.

Security Center roles

Each entry below gives the role, its title, its description, the permissions it grants, and the lowest resource at which it can be granted.

roles/securitycenter.admin
  Title: Security Center Admin
  Description: Admin (super user) access to security center
  Permissions:
    resourcemanager.organizations.get
    securitycenter.*
  Lowest resource: Organization

roles/securitycenter.adminEditor
  Title: Security Center Admin Editor
  Description: Admin read-write access to security center
  Permissions:
    resourcemanager.organizations.get
    securitycenter.assets.*
    securitycenter.assetsecuritymarks.*
    securitycenter.findings.*
    securitycenter.findingsecuritymarks.*
    securitycenter.sources.get
    securitycenter.sources.list
    securitycenter.sources.update
  Lowest resource: Organization

roles/securitycenter.adminViewer
  Title: Security Center Admin Viewer
  Description: Admin read access to security center
  Permissions:
    resourcemanager.organizations.get
    securitycenter.assets.group
    securitycenter.assets.list
    securitycenter.assets.listAssetPropertyNames
    securitycenter.findings.group
    securitycenter.findings.list
    securitycenter.findings.listFindingPropertyNames
    securitycenter.sources.get
    securitycenter.sources.list
  Lowest resource: Organization

roles/securitycenter.assetSecurityMarksWriter
  Title: Security Center Asset Security Marks Writer
  Description: Write access to asset security marks
  Permissions:
    securitycenter.assetsecuritymarks.*
  Lowest resource: Organization

roles/securitycenter.assetsDiscoveryRunner
  Title: Security Center Assets Discovery Runner
  Description: Run asset discovery access to assets
  Permissions:
    securitycenter.assets.runDiscovery
  Lowest resource: Organization

roles/securitycenter.assetsViewer
  Title: Security Center Assets Viewer
  Description: Read access to assets
  Permissions:
    resourcemanager.organizations.get
    securitycenter.assets.group
    securitycenter.assets.list
    securitycenter.assets.listAssetPropertyNames
  Lowest resource: Organization

roles/securitycenter.findingSecurityMarksWriter
  Title: Security Center Finding Security Marks Writer
  Description: Write access to finding security marks
  Permissions:
    securitycenter.findingsecuritymarks.*
  Lowest resource: Organization

roles/securitycenter.findingsEditor
  Title: Security Center Findings Editor
  Description: Read-write access to findings
  Permissions:
    resourcemanager.organizations.get
    securitycenter.findings.*
    securitycenter.sources.get
    securitycenter.sources.list
  Lowest resource: Organization

roles/securitycenter.findingsStateSetter
  Title: Security Center Findings State Setter
  Description: Set state access to findings
  Permissions:
    securitycenter.findings.setState
  Lowest resource: Organization

roles/securitycenter.findingsViewer
  Title: Security Center Findings Viewer
  Description: Read access to findings
  Permissions:
    resourcemanager.organizations.get
    securitycenter.findings.group
    securitycenter.findings.list
    securitycenter.findings.listFindingPropertyNames
    securitycenter.sources.get
    securitycenter.sources.list
  Lowest resource: Organization

roles/securitycenter.sourcesAdmin
  Title: Security Center Sources Admin
  Description: Admin access to sources
  Permissions:
    resourcemanager.organizations.get
    securitycenter.sources.*
  Lowest resource: Organization

roles/securitycenter.sourcesEditor
  Title: Security Center Sources Editor
  Description: Read-write access to sources
  Permissions:
    resourcemanager.organizations.get
    securitycenter.sources.get
    securitycenter.sources.list
    securitycenter.sources.update
  Lowest resource: Organization

roles/securitycenter.sourcesViewer
  Title: Security Center Sources Viewer
  Description: Read access to sources
  Permissions:
    resourcemanager.organizations.get
    securitycenter.sources.get
    securitycenter.sources.list
  Lowest resource: Organization
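Choosing the narrowest role from the table above is the practical least-privilege question this page raises: given the permissions a principal actually needs, which role grants all of them with the least extra? The following Python helper is an added example, not code from the documentation or from Google. The role table is transcribed from this page; the prefix-wildcard matching for entries such as securitycenter.findings.* and the "breadth" score used to rank candidates are this example's own assumptions, not Cloud IAM's evaluation algorithm.

```python
"""Rank Cloud SCC predefined roles for a required permission set, narrowest first.

Added example (not from the documentation page). SCC_ROLES is transcribed from
the role table on the page; the matching and ranking rules are assumptions made
for this example only.
"""

SCC_ROLES = {
    "roles/securitycenter.admin": [
        "resourcemanager.organizations.get", "securitycenter.*"],
    "roles/securitycenter.adminEditor": [
        "resourcemanager.organizations.get", "securitycenter.assets.*",
        "securitycenter.assetsecuritymarks.*", "securitycenter.findings.*",
        "securitycenter.findingsecuritymarks.*", "securitycenter.sources.get",
        "securitycenter.sources.list", "securitycenter.sources.update"],
    "roles/securitycenter.adminViewer": [
        "resourcemanager.organizations.get", "securitycenter.assets.group",
        "securitycenter.assets.list", "securitycenter.assets.listAssetPropertyNames",
        "securitycenter.findings.group", "securitycenter.findings.list",
        "securitycenter.findings.listFindingPropertyNames",
        "securitycenter.sources.get", "securitycenter.sources.list"],
    "roles/securitycenter.assetSecurityMarksWriter": [
        "securitycenter.assetsecuritymarks.*"],
    "roles/securitycenter.assetsDiscoveryRunner": [
        "securitycenter.assets.runDiscovery"],
    "roles/securitycenter.assetsViewer": [
        "resourcemanager.organizations.get", "securitycenter.assets.group",
        "securitycenter.assets.list", "securitycenter.assets.listAssetPropertyNames"],
    "roles/securitycenter.findingSecurityMarksWriter": [
        "securitycenter.findingsecuritymarks.*"],
    "roles/securitycenter.findingsEditor": [
        "resourcemanager.organizations.get", "securitycenter.findings.*",
        "securitycenter.sources.get", "securitycenter.sources.list"],
    "roles/securitycenter.findingsStateSetter": [
        "securitycenter.findings.setState"],
    "roles/securitycenter.findingsViewer": [
        "resourcemanager.organizations.get", "securitycenter.findings.group",
        "securitycenter.findings.list", "securitycenter.findings.listFindingPropertyNames",
        "securitycenter.sources.get", "securitycenter.sources.list"],
    "roles/securitycenter.sourcesAdmin": [
        "resourcemanager.organizations.get", "securitycenter.sources.*"],
    "roles/securitycenter.sourcesEditor": [
        "resourcemanager.organizations.get", "securitycenter.sources.get",
        "securitycenter.sources.list", "securitycenter.sources.update"],
    "roles/securitycenter.sourcesViewer": [
        "resourcemanager.organizations.get", "securitycenter.sources.get",
        "securitycenter.sources.list"],
}


def covers(pattern, permission):
    """True if a role's permission entry grants `permission`.

    Assumption for this example: an entry ending in ".*" is a prefix wildcard,
    so "securitycenter.findings.*" covers "securitycenter.findings.setState"
    but not "securitycenter.findingsecuritymarks.update" (the trailing dot is
    part of the prefix).
    """
    if pattern.endswith(".*"):
        return permission.startswith(pattern[:-1])
    return permission == pattern


def role_grants(role, required):
    """True if every permission in `required` is covered by some entry of `role`."""
    entries = SCC_ROLES[role]
    return all(any(covers(entry, need) for entry in entries) for need in required)


# Every entry named anywhere in the table; used only to score how broad a role is.
PERMISSION_UNIVERSE = sorted({p for perms in SCC_ROLES.values() for p in perms})


def breadth(role):
    """Number of universe entries the role covers (a rough 'how much extra' score)."""
    entries = SCC_ROLES[role]
    return sum(1 for u in PERMISSION_UNIVERSE if any(covers(e, u) for e in entries))


def least_privilege_roles(required):
    """Roles that grant all of `required`, narrowest first; [] if none does."""
    candidates = [r for r in SCC_ROLES if role_grants(r, required)]
    return sorted(candidates, key=lambda r: (breadth(r), r))


if __name__ == "__main__":
    # A triage analyst who only needs to close findings should get the
    # state-setter role, not findingsEditor or admin.
    for role in least_privilege_roles(["securitycenter.findings.setState"]):
        print(f"{breadth(role):2d}  {role}")
```

The ranking only compares roles against the entries this page lists, so it is a reviewer's aid for picking a starting role, not a substitute for checking the permission reference for the role you finally grant.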

Role: Security Center Service Agent

When you enable Cloud SCC, a service account is created for you in the form service-org-organization-id@security-center-api.iam.gserviceaccount.com. That service account is automatically granted the securitycenter.serviceAgent role. This role enables Cloud SCC to create and update its own copy of your organization's asset inventory metadata on an ongoing basis. This is an internal role that includes the following permissions:

Role: securitycenter.serviceAgent
  Title: Security Center Service Agent
  Description: Access to scan Google Cloud Platform (GCP) resources and import security scans
  Methods allowed: see the permission lists below

All of the permissions of the following roles:

  • appengine.appViewer
  • cloudasset.viewer
  • compute.viewer
  • container.viewer
  • dlpscanner.policyReader
  • dlpscanner.scanReader
  • dlp.jobsReader

Plus the following additional permissions:

  • resourcemanager.folders.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.getIamPolicy

To add roles/securitycenter.serviceAgent, you must have roles/resourcemanager.organizationAdmin. You can add the role to a service account by running:

gcloud beta organizations add-iam-policy-binding organization-id \
  --member="serviceAccount:service-org-organization-id@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"
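Because securitycenter.serviceAgent is an internal role meant for exactly one automatically created service account, it is worth verifying the organization policy after enabling Cloud SCC rather than trusting the binding above was applied once and never changed. The script below is an added example, not from the documentation or from Google. It audits a policy document in the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` prints; the sample policy, the organization id and the example.com principals are constructed placeholders, and the three checks it performs are this example's own.

```python
"""Audit an organization IAM policy for the Cloud SCC service agent binding.

Added example, not from the documentation page. SAMPLE_POLICY is a constructed
document in the shape printed by `gcloud organizations get-iam-policy`;
the org id and principals are placeholders.
"""
import json

SERVICE_AGENT_ROLE = "roles/securitycenter.serviceAgent"
ADMIN_ROLE = "roles/securitycenter.admin"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def expected_service_agent(org_id):
    """Member string of the service account Cloud SCC creates for an org,
    following the naming pattern given on this page."""
    return (f"serviceAccount:service-org-{org_id}"
            "@security-center-api.iam.gserviceaccount.com")


def members_with_role(policy, role):
    """Union of members across every binding for `role` (a role can appear
    in more than one binding, e.g. when IAM conditions are used)."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def audit_scc_policy(policy, org_id):
    """Return a list of issue strings; an empty list means the policy passed.

    Checks (this example's own, based on the page's statement that the
    service agent role is internal and granted to one auto-created account):
      1. the expected service agent holds roles/securitycenter.serviceAgent;
      2. no other principal holds that internal role;
      3. roles/securitycenter.admin is not granted to a public principal.
    """
    issues = []
    agent = expected_service_agent(org_id)
    agent_holders = members_with_role(policy, SERVICE_AGENT_ROLE)
    if agent not in agent_holders:
        issues.append(f"MISSING: {agent} does not hold {SERVICE_AGENT_ROLE}")
    for member in sorted(agent_holders - {agent}):
        issues.append(f"UNEXPECTED: {member} holds internal role {SERVICE_AGENT_ROLE}")
    for member in sorted(members_with_role(policy, ADMIN_ROLE)):
        if member in PUBLIC_PRINCIPALS:
            issues.append(f"PUBLIC: {member} holds {ADMIN_ROLE}")
    return issues


# Constructed sample: placeholder org id, example.com principals, dummy etag.
SAMPLE_ORG_ID = "123456789012"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/securitycenter.serviceAgent",
     "members": [
       "serviceAccount:service-org-123456789012@security-center-api.iam.gserviceaccount.com",
       "user:alice@example.com"]},
    {"role": "roles/securitycenter.admin",
     "members": ["group:sec-admins@example.com", "allAuthenticatedUsers"]},
    {"role": "roles/securitycenter.findingsViewer",
     "members": ["group:soc-analysts@example.com"]}
  ],
  "etag": "BwXexampleEtag=",
  "version": 1
}
""")


if __name__ == "__main__":
    # On a real org, feed in the output of:
    #   gcloud organizations get-iam-policy ORG_ID --format=json
    for issue in audit_scc_policy(SAMPLE_POLICY, SAMPLE_ORG_ID):
        print(issue)
```

The sample deliberately contains two problems, an extra user on the internal role and a public principal on the admin role, so the run prints one UNEXPECTED and one PUBLIC line; a policy with only the auto-created account on serviceAgent and no public admin grant produces no output.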

For more information about Cloud IAM roles, see Understanding roles.
