Access control

Security Command Center

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use the Security Command Center API. Following is a list of each Cloud IAM role available for Security Command Center and the methods available to them. Apply these roles at the organization level.

Role	Título	Descripción	Permisos	Recurso más bajo
`roles/securitycenter.admin`	Administrador del centro de seguridad	Acceso de administrador (superusuario) al centro de seguridad	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organización
`roles/securitycenter.adminEditor`	Editor administrador del centro de seguridad	Acceso de lectura y escritura de administrador al centro de seguridad	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organización
`roles/securitycenter.adminViewer`	Visualizador administrador del centro de seguridad	Acceso de lectura de administrador al centro de seguridad	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.sources.get securitycenter.sources.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organización
`roles/securitycenter.assetSecurityMarksWriter`	Escritor de marcas de seguridad de activos del centro de seguridad	Acceso de escritura a marcas de seguridad de activos	securitycenter.assetsecuritymarks.*	Organización
`roles/securitycenter.assetsDiscoveryRunner`	Ejecutor de detección de activos del centro de seguridad	Acceso para ejecutar la detección de activos	securitycenter.assets.runDiscovery	Organización
`roles/securitycenter.assetsViewer`	Visualizador de activos del centro de seguridad	Acceso de lectura a los activos	resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames	Organización
`roles/securitycenter.findingSecurityMarksWriter`	Escritor de marcas de seguridad de hallazgos del centro de seguridad	Acceso de escritura a marcas de seguridad de hallazgos	securitycenter.findingsecuritymarks.*	Organización
`roles/securitycenter.findingsEditor`	Editor de hallazgos del centro de seguridad	Acceso de lectura y escritura a los hallazgos	resourcemanager.organizations.get securitycenter.findings.* securitycenter.sources.get securitycenter.sources.list	Organización
`roles/securitycenter.findingsStateSetter`	Definidor de estado de hallazgos del centro de seguridad	Acceso para definir el estado de los hallazgos	securitycenter.findings.setState	Organización
`roles/securitycenter.findingsViewer`	Visualizador de hallazgos del centro de seguridad	Acceso de lectura a los hallazgos	resourcemanager.organizations.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list	Organización
`roles/securitycenter.notificationConfigEditor`	Editor de configuraciones de notificación del centro de seguridad	Acceso de escritura a las configuraciones de notificación	securitycenter.notificationconfig.*
`roles/securitycenter.notificationConfigViewer`	Visualizador de configuraciones de notificación del centro de seguridad	Acceso de lectura a las configuraciones de notificación	securitycenter.notificationconfig.get securitycenter.notificationconfig.list
`roles/securitycenter.sourcesAdmin`	Administrador de fuentes del centro de seguridad	Acceso de administrador a las fuentes	resourcemanager.organizations.get securitycenter.sources.*	Organización
`roles/securitycenter.sourcesEditor`	Editor de fuentes del centro de seguridad	Acceso de lectura y escritura a las fuentes	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update	Organización
`roles/securitycenter.sourcesViewer`	Visualizador de fuentes del centro de seguridad	Acceso de lectura a las fuentes	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list	Organización

Role: Security Center Service Agent

When you enable Security Command Center, a service account is created for you in the format of service-org-organization-id@security-center-api.iam.gserviceaccount.com. This service account is automatically granted the securitycenter.serviceAgent role at the organization level. This role enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis.

This securitycenter.serviceAgent role is an internal role that includes the following permissions:

Role Title Description Permissions Lowest resource

Role	Title	Description	Permissions	Lowest resource
`roles/securitycenter.serviceAgent`	Security Center Service Agent	Access to scan Google Cloud resources and import security scans	All of the permissions of the following roles: `appengine.appViewer` `cloudasset.viewer` `compute.viewer` `container.viewer` `dlpscanner.policyReader` `dlpscanner.scanReader` `dlp.jobsReader` Plus the following additional permissions: `resourcemanager.folders.list` `resourcemanager.folders.get` `resourcemanager.organizations.list` `resourcemanager.organizations.get` `resourcemanager.projects.list` `resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `storage.buckets.get` `storage.buckets.list` `storage.buckets.getIamPolicy`	Organization

roles/securitycenter.serviceAgent

Security Center Service Agent

Access to scan Google Cloud resources and import security scans

All of the permissions of the following roles:

appengine.appViewer
cloudasset.viewer
compute.viewer
container.viewer
dlpscanner.policyReader
dlpscanner.scanReader
dlp.jobsReader

Plus the following additional permissions:

resourcemanager.folders.list
resourcemanager.folders.get
resourcemanager.organizations.list
resourcemanager.organizations.get
resourcemanager.projects.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
storage.buckets.get
storage.buckets.list
storage.buckets.getIamPolicy

Organization

To add roles/securitycenter.serviceAgent, you must have roles/resourcemanager.organizationAdmin. You can add the role to a service account by running:

gcloud organizations add-iam-policy-binding organization-id \
  --member="serviceAccount:service-org-organization-id@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"

For more information about Cloud IAM roles, see understanding roles.

Event Threat Detection

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use the Event Threat Detection API. Below is a list of each Cloud IAM role available for Event Threat Detection and the methods available to them. Apply these roles at the organization level.

Role	Título	Descripción	Permisos	Recurso más bajo
`roles/threatdetection.editor`	Editor de la configuración de la detección de amenazas^Beta	Acceso de lectura y escritura a toda la configuración de detección de amenazas	threatdetection.*	Organización
`roles/threatdetection.viewer`	Visualizador de la configuración de la detección de amenazas^Beta	Acceso de lectura a toda la configuración de detección de amenazas	threatdetection.detectorSettings.get threatdetection.sinkSettings.get threatdetection.sourceSettings.get	Organización

Web Security Scanner

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use Web Security Scanner. The tables below include each Cloud IAM role available for Web Security Scanner and the methods available to them. Grant these roles at the project level. To give users the ability to create and manage security scans, you add users to your project and grant them permissions using the roles.

Web Security Scanner supports primitive roles and predefined roles that give more granular access to Web Security Scanner resources.

Primitive Cloud IAM roles

The following describes the Web Security Scanner permissions that are granted by primitive roles.

Role	Description
Owner	Full access to all Web Security Scanner resources
Editor	Full access to all Web Security Scanner resources
Viewer	No access to Web Security Scanner

Predefined Cloud IAM roles

The following describes the Web Security Scanner permissions that are granted by Web Security Scanner roles.

Función	Título	Descripción	Permisos	Recurso más bajo
`roles/cloudsecurityscanner.editor`	Editor de Web Security Scanner	Acceso completo a todos los recursos de Web Security Scanner	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Proyecto
`roles/cloudsecurityscanner.runner`	Ejecutor de Web Security Scanner	Tiene acceso de lectura a Scan y ScanRun y puede iniciar análisis.	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run	Proyecto
`roles/cloudsecurityscanner.viewer`	Visualizador de Web Security Scanner	Acceso de lectura a todos los recursos de Web Security Scanner	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Proyecto

For more information about Cloud IAM roles, see understanding roles.