
Access control

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use the Cloud Security Command Center (Cloud SCC) API. Below is a list of the Cloud IAM roles available for Cloud SCC and the permissions each role grants. Apply these roles at the organization level.

Security Center Roles

Each entry lists the role, its title, its description, the permissions it grants, and the lowest resource at which it can be applied.

Role: roles/securitycenter.admin
Title: Security Center Admin (Beta)
Description: Admin (super user) access to security center
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.assets.runDiscovery
  • securitycenter.assetsecuritymarks.*
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.update
  • securitycenter.findingsecuritymarks.*
  • securitycenter.organizationsettings.*
  • securitycenter.sources.*
Lowest resource: Organization

Role: roles/securitycenter.adminEditor
Title: Security Center Admin Editor (Beta)
Description: Admin read-write access to security center
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.assets.runDiscovery
  • securitycenter.assetsecuritymarks.*
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.update
  • securitycenter.findingsecuritymarks.*
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
Lowest resource: Organization

Role: roles/securitycenter.adminViewer
Title: Security Center Admin Viewer (Beta)
Description: Admin read access to security center
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization

Role: roles/securitycenter.assetSecurityMarksWriter
Title: Security Center Asset Security Marks Writer (Beta)
Description: Write access to asset security marks
Permissions:
  • securitycenter.assetsecuritymarks.*
Lowest resource: Organization

Role: roles/securitycenter.assetsDiscoveryRunner
Title: Security Center Assets Discovery Runner (Beta)
Description: Run asset discovery access to assets
Permissions:
  • securitycenter.assets.runDiscovery
Lowest resource: Organization

Role: roles/securitycenter.assetsViewer
Title: Security Center Assets Viewer (Beta)
Description: Read access to assets
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
Lowest resource: Organization

Role: roles/securitycenter.editor
Title: Security Center Editor (Beta)
Description: Read-write access to assets, configs, notification streams, and marks; read-only access to scans
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.assets.get
  • securitycenter.assets.getFieldNames
  • securitycenter.assets.list
  • securitycenter.assets.triggerDiscovery
  • securitycenter.assets.update
  • securitycenter.configs.get
  • securitycenter.configs.getIamPolicy
  • securitycenter.configs.update
  • securitycenter.scans.*
Lowest resource: Organization

Role: roles/securitycenter.findingSecurityMarksWriter
Title: Security Center Finding Security Marks Writer (Beta)
Description: Write access to finding security marks
Permissions:
  • securitycenter.findingsecuritymarks.*
Lowest resource: Organization

Role: roles/securitycenter.findingsEditor
Title: Security Center Findings Editor (Beta)
Description: Read-write access to findings
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.update
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization

Role: roles/securitycenter.findingsStateSetter
Title: Security Center Findings State Setter (Beta)
Description: Set state access to findings
Permissions:
  • securitycenter.findings.setState
Lowest resource: Organization

Role: roles/securitycenter.findingsViewer
Title: Security Center Findings Viewer (Beta)
Description: Read access to findings
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization

Role: roles/securitycenter.sourcesAdmin
Title: Security Center Sources Admin (Beta)
Description: Admin access to sources
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.*
Lowest resource: Organization

Role: roles/securitycenter.sourcesEditor
Title: Security Center Sources Editor (Beta)
Description: Read-write access to sources
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
Lowest resource: Organization

Role: roles/securitycenter.sourcesViewer
Title: Security Center Sources Viewer (Beta)
Description: Read access to sources
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
Lowest resource: Organization

Role: roles/securitycenter.viewer
Title: Security Center Viewer (Beta)
Description: Read access to assets, configs, notification streams, scans, and marks
Permissions:
  • resourcemanager.organizations.get
  • securitycenter.assets.get
  • securitycenter.assets.getFieldNames
  • securitycenter.assets.list
  • securitycenter.configs.get
  • securitycenter.configs.getIamPolicy
  • securitycenter.scans.*
Lowest resource: Organization
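The roles above overlap heavily, so the practical question when granting access at the organization level is which predefined role covers a given job with the least surplus. The following Python script is an added example, not code from the Cloud SCC documentation: it transcribes the role table on this page and, for a required set of permissions, returns the candidate roles that are not strictly broader than another candidate, plus the entries a chosen role grants beyond the need. It reads the table literally (for instance, securitycenter.findings.setState appears only in the Findings State Setter role). Treating a `*` entry as a prefix glob via fnmatch is an assumption made here about how wildcard entries expand.

```python
"""Least-privilege role selection over the Cloud SCC predefined roles."""
import fnmatch

ORG_GET = "resourcemanager.organizations.get"


def _sc(*names):
    """Expand short names to full permission strings (securitycenter.* unless
    the name already carries the resourcemanager prefix)."""
    return [n if n.startswith("resourcemanager.") else "securitycenter." + n
            for n in names]


# Role -> permission entries, transcribed from the role table on this page.
# Wildcard entries such as securitycenter.sources.* are kept as written.
SCC_ROLES = {
    "roles/securitycenter.admin": _sc(ORG_GET, "assets.group", "assets.list",
        "assets.listAssetPropertyNames", "assets.runDiscovery", "assetsecuritymarks.*",
        "findings.group", "findings.list", "findings.listFindingPropertyNames",
        "findings.update", "findingsecuritymarks.*", "organizationsettings.*",
        "sources.*"),
    "roles/securitycenter.adminEditor": _sc(ORG_GET, "assets.runDiscovery",
        "assetsecuritymarks.*", "findings.group", "findings.list",
        "findings.listFindingPropertyNames", "findings.update",
        "findingsecuritymarks.*", "sources.get", "sources.list", "sources.update"),
    "roles/securitycenter.adminViewer": _sc(ORG_GET, "assets.group", "assets.list",
        "assets.listAssetPropertyNames", "findings.group", "findings.list",
        "findings.listFindingPropertyNames", "sources.get", "sources.list"),
    "roles/securitycenter.assetSecurityMarksWriter": _sc("assetsecuritymarks.*"),
    "roles/securitycenter.assetsDiscoveryRunner": _sc("assets.runDiscovery"),
    "roles/securitycenter.assetsViewer": _sc(ORG_GET, "assets.group", "assets.list",
        "assets.listAssetPropertyNames"),
    "roles/securitycenter.editor": _sc(ORG_GET, "assets.get", "assets.getFieldNames",
        "assets.list", "assets.triggerDiscovery", "assets.update", "configs.get",
        "configs.getIamPolicy", "configs.update", "scans.*"),
    "roles/securitycenter.findingSecurityMarksWriter": _sc("findingsecuritymarks.*"),
    "roles/securitycenter.findingsEditor": _sc(ORG_GET, "findings.group",
        "findings.list", "findings.listFindingPropertyNames", "findings.update",
        "sources.get", "sources.list"),
    "roles/securitycenter.findingsStateSetter": _sc("findings.setState"),
    "roles/securitycenter.findingsViewer": _sc(ORG_GET, "findings.group",
        "findings.list", "findings.listFindingPropertyNames", "sources.get",
        "sources.list"),
    "roles/securitycenter.sourcesAdmin": _sc(ORG_GET, "sources.*"),
    "roles/securitycenter.sourcesEditor": _sc(ORG_GET, "sources.get", "sources.list",
        "sources.update"),
    "roles/securitycenter.sourcesViewer": _sc(ORG_GET, "sources.get", "sources.list"),
    "roles/securitycenter.viewer": _sc(ORG_GET, "assets.get", "assets.getFieldNames",
        "assets.list", "configs.get", "configs.getIamPolicy", "scans.*"),
}


def grants(entries, permission):
    """True if one of the role's entries (literal or wildcard glob) covers permission."""
    return any(fnmatch.fnmatchcase(permission, entry) for entry in entries)


def covers_role(broad, narrow):
    """True if every entry of role `narrow` is granted by role `broad`."""
    return all(grants(SCC_ROLES[broad], e) for e in SCC_ROLES[narrow])


def candidate_roles(required):
    """Roles whose entries cover every permission in `required`, sorted by name."""
    return sorted(role for role, entries in SCC_ROLES.items()
                  if all(grants(entries, p) for p in required))


def narrowest_roles(required):
    """Candidates that are not strictly broader than another candidate.

    More than one result means the choice is not unique; an empty list means
    no single predefined role covers the requirement.
    """
    cands = candidate_roles(required)
    return [r for r in cands
            if not any(o != r and covers_role(r, o) and not covers_role(o, r)
                       for o in cands)]


def excess_entries(role, required):
    """Entries `role` grants that no required permission needs; review before granting."""
    return [e for e in SCC_ROLES[role]
            if not any(fnmatch.fnmatchcase(p, e) for p in required)]


if __name__ == "__main__":
    # Constructed need: an analyst who lists findings and edits them.
    need = {"securitycenter.findings.list", "securitycenter.findings.update"}
    for role in narrowest_roles(need):
        print(role, "grants beyond the need:", excess_entries(role, need))
```

For the constructed need in the script the narrowest role is roles/securitycenter.findingsEditor, and the surplus it reports (sources.get, sources.list and the group/listFindingPropertyNames permissions) is what a reviewer would weigh against defining a custom role instead. The comparison is by coverage rather than by counting entries, so a two-entry role with a wildcard such as Sources Admin is correctly ranked broader than the four-entry Sources Editor.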

Role: Security Center Service Agent

When you enable Cloud SCC, a service account is created for you. That service account is automatically granted the securitycenter.serviceAgent role. This role enables Cloud SCC to create and update its own copy of your organization's asset inventory metadata on an ongoing basis. This is an internal role that includes the following permissions:

Role: securitycenter.serviceAgent
Title: Security Center Service Agent
Description: Access to scan Google Cloud Platform (GCP) resources and import security scans
Methods allowed:

All of the permissions of the following roles:

  • appengine.appViewer
  • cloudasset.viewer
  • compute.viewer
  • container.viewer
  • dlpscanner.policyReader
  • dlpscanner.scanReader
  • dlp.jobsReader

Plus the following additional permissions:

  • resourcemanager.folders.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.getIamPolicy

For more information about Cloud IAM roles, see Understanding roles.
