Security Command Center
Identity and Access Management (IAM) roles prescribe how you can use the Security Command Center API. Following is a list of each IAM role available for Security Command Center and the methods available to them. Apply these roles at the organization level.
Role | Title | Description | Permissions | Lowest resource |
---|---|---|---|---|
roles/ | Security Center Admin | Admin (super user) access to security center | | Organization |
roles/ | Security Center Admin Editor | Admin read-write access to security center | | Organization |
roles/ | Security Center Admin Viewer | Admin read access to security center | | Organization |
roles/ | Security Center Asset Security Marks Writer | Write access to asset security marks | | Organization |
roles/ | Security Center Assets Discovery Runner | Run asset discovery access to assets | | Organization |
roles/ | Security Center Assets Viewer | Read access to assets | | Organization |
roles/ | Security Center Finding Security Marks Writer | Write access to finding security marks | | Organization |
roles/ | Security Center Findings Editor | Read-write access to findings | | Organization |
roles/ | Security Center Findings State Setter | Set state access to findings | | Organization |
roles/ | Security Center Findings Viewer | Read access to findings | | Organization |
roles/ | Security Center Findings Workflow State Setter Beta | Set workflow state access to findings | | |
roles/ | Security Center Notification Configurations Editor | Write access to notification configurations | | |
roles/ | Security Center Notification Configurations Viewer | Read access to notification configurations | | |
roles/ | Security Center Settings Admin | Admin (super user) access to security center settings | | |
roles/ | Security Center Settings Editor | Read-write access to security center settings | | |
roles/ | Security Center Settings Viewer | Read access to security center settings | | |
roles/ | Security Center Sources Admin | Admin access to sources | | Organization |
roles/ | Security Center Sources Editor | Read-write access to sources | | Organization |
roles/ | Security Center Sources Viewer | Read access to sources | | Organization |
Role: Security Center Service Agent
When you enable Security Command Center, a service account is created for you in the format `service-org-organization-id@security-center-api.iam.gserviceaccount.com`. This service account is automatically granted the `securitycenter.serviceAgent` role at the organization level. This role enables the Security Command Center service account to create and update its own copy of your organization's asset inventory metadata on an ongoing basis.
The `securitycenter.serviceAgent` role is an internal role that includes the following permissions:
Role | Title | Description | Permissions | Lowest resource |
---|---|---|---|---|
roles/securitycenter.serviceAgent | Security Center Service Agent | Access to scan Google Cloud resources and import security scans | All of the permissions of the following roles: Plus the following additional permissions: | Organization |
To add `roles/securitycenter.serviceAgent`, you must have `roles/resourcemanager.organizationAdmin`. You can add the role to a service account by running:

```shell
gcloud organizations add-iam-policy-binding organization-id \
  --member="serviceAccount:service-org-organization-id@security-center-api.iam.gserviceaccount.com" \
  --role="roles/securitycenter.serviceAgent"
```
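As an added example (not from this page or Google's own tooling), the following Python check reads an organization IAM policy in the JSON shape that `gcloud organizations get-iam-policy` emits and reports which members hold `roles/securitycenter.serviceAgent`, flagging any member other than the expected service agent. The organization ID and the policy document are constructed sample data.

```python
import json

# Role and service-account format as described on the page. ORG_ID is a
# constructed placeholder, not a real organization.
ORG_ID = "123456789012"
SERVICE_AGENT_ROLE = "roles/securitycenter.serviceAgent"


def expected_service_agent(org_id: str) -> str:
    """Build the member string for the Security Command Center service agent."""
    return (f"serviceAccount:service-org-{org_id}"
            "@security-center-api.iam.gserviceaccount.com")


# Constructed sample of an organization IAM policy (bindings/etag/version layout).
# A second, unexpected member has been added to the service-agent binding so the
# audit has something to flag; this is not real output.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXyZ==",
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:admin@example.com"]},
        {"role": SERVICE_AGENT_ROLE,
         "members": [expected_service_agent(ORG_ID), "user:someone@example.com"]},
    ],
})


def audit_service_agent_binding(policy_json: str, org_id: str) -> dict:
    """Collect every member bound to the service-agent role and compare the set
    against the single service account that is supposed to hold it."""
    expected = expected_service_agent(org_id)
    policy = json.loads(policy_json)
    holders = set()
    for binding in policy.get("bindings", []):
        # A role can appear in several bindings (e.g. conditional ones); merge them all.
        if binding.get("role") == SERVICE_AGENT_ROLE:
            holders.update(binding.get("members", []))
    return {
        "expected_member": expected,
        "holders": sorted(holders),
        "expected_present": expected in holders,
        "unexpected_members": sorted(holders - {expected}),
    }


if __name__ == "__main__":
    print(json.dumps(audit_service_agent_binding(SAMPLE_POLICY, ORG_ID), indent=2))
```

Run it against real output by piping `gcloud organizations get-iam-policy ORG_ID --format=json` into `audit_service_agent_binding`; a non-empty `unexpected_members` list or `expected_present` being false is the condition to investigate.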
For more information about IAM roles, see understanding roles.
Event Threat Detection
Identity and Access Management (IAM) roles prescribe how you can use the Event Threat Detection API. Below is a list of each IAM role available for Event Threat Detection and the methods available to them. Apply these roles at the organization level.
Role | Title | Description | Permissions | Lowest resource |
---|---|---|---|---|
roles/ | Threat Detection Settings Editor Beta | Read-write access to all Threat Detection settings | | Organization |
roles/ | Threat Detection Settings Viewer Beta | Read access to all Threat Detection settings | | Organization |
Web Security Scanner
Identity and Access Management (IAM) roles prescribe how you can use Web Security Scanner. The tables below include each IAM role available for Web Security Scanner and the methods available to them. Grant these roles at the project level. To give users the ability to create and manage security scans, you add users to your project and grant them permissions using the roles.
Web Security Scanner supports basic roles and predefined roles that give more granular access to Web Security Scanner resources.
Basic IAM roles
The following describes the Web Security Scanner permissions that are granted by basic roles.
Role | Description |
---|---|
Owner | Full access to all Web Security Scanner resources |
Editor | Full access to all Web Security Scanner resources |
Viewer | No access to Web Security Scanner |
Predefined IAM roles
The following describes the Web Security Scanner permissions that are granted by Web Security Scanner roles.
Role | Title | Description | Permissions | Lowest resource |
---|---|---|---|---|
roles/ | Web Security Scanner Editor | Full access to all Web Security Scanner resources | | Project |
roles/ | Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans | | Project |
roles/ | Web Security Scanner Viewer | Read access to all Web Security Scanner resources | | Project |
For more information about IAM roles, see understanding roles.