Control access to features in Security Operations console pages
Stay organized with collections
Save and categorize content based on your preferences.
The Security Command Center Enterprise tier includes certain features available
from Google Security Operations. You investigate and remediate vulnerabilities,
misconfigurations, and threats using both
Google Cloud console and Security Operations console
pages.
Security Command Center Enterprise users need IAM permissions to access
Security Command Center features in both the Google Cloud console and Security Operations console
pages.
Google Security Operations has a set of predefined IAM roles that let
you access
SIEM-related features
and
SOAR-related features
in Security Operations console pages. You can grant the Google Security Operations roles
at the project level.
Security Command Center has a set of predefined IAM roles that let you
access features in Security Operations console pages that are unique to the
Security Command Center Enterprise tier. These include the following:
To view Security Command Center features available in Security Operations console pages,
users need at least the Security Center Admin Viewer (roles/securitycenter.adminViewer)
role. Grant the Security Command Center roles at the organization level.
As you plan the deployment, review the following to identify which users need
access to features:
To grant user access to features and findings in the Google Cloud console,
see Access control with IAM.
To grant users access to SOAR-related response features in Security Operations console pages,
see Map IAM roles in the SOAR side of the Security Operations console.
You also map the SOAR-related IAM roles to SOC roles,
permission groups, and environments under SOAR settings.
To access features available with Security Command Center Enterprise, such as the
Posture Overview page,
grant users the required IAM roles
in the organization where Security Command Center Enterprise is activated.
The steps to grant access to features is different depending on the identity
provider configuration.
If you use Google Workspace or Cloud Identity as the identity provider,
you grant roles directly to a user or group. See
Configure a Google Cloud identity provider
for an example of how to do this.
If you use Workforce Identity Federation to connect to a third-party identity
provider (such as Okta or Azure AD), you grant roles to identities in a
workforce identity pool or to a group within the workforce identity pool.
Make sure the workforce pools include permissions to access
Security Command Center-specific features in Security Operations console pages. The following
are examples:
To grant the Security Center Admin Viewer role to all users in a workforce
identity pool, run the following command:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Enterprise [service tier](/security-command-center/docs/service-tiers)\n\nThe Security Command Center Enterprise tier includes certain features available\nfrom Google Security Operations. You investigate and remediate vulnerabilities,\nmisconfigurations, and threats using both\n[Google Cloud console and Security Operations console](/security-command-center/docs/scce-consoles-overview)\npages.\n\nSecurity Command Center Enterprise users need IAM permissions to access\nSecurity Command Center features in both the Google Cloud console and Security Operations console\npages.\n\nGoogle Security Operations has a set of predefined IAM roles that let\nyou access\n[SIEM-related features](/chronicle/docs/onboard/configure-feature-access#overview-perm-role)\nand\n[SOAR-related features](/security-command-center/docs/map-users-in-secops#grant-iam-roles-in-the-google-cloud-console)\nin Security Operations console pages. You can grant the Google Security Operations roles\nat the project level.\n\nSecurity Command Center has a set of predefined IAM roles that let you\naccess features in Security Operations console pages that are unique to the\nSecurity Command Center Enterprise tier. These include the following:\n\n- [Security Center Admin Editor Viewer (`roles/securitycenter.adminEditor`)](/iam/docs/understanding-roles#securitycenter.adminEditor)\n- [Security Center Admin Viewer (`roles/securitycenter.adminViewer`)](/iam/docs/understanding-roles#securitycenter.adminViewer)\n\nTo view Security Command Center features available in Security Operations console pages,\nusers need at least the **Security Center Admin Viewer** (`roles/securitycenter.adminViewer`)\nrole. Grant the Security Command Center roles at the organization level.\n\nAs you plan the deployment, review the following to identify which users need\naccess to features:\n\n- To grant user access to features and findings in the Google Cloud console,\n see [Access control with IAM](/security-command-center/docs/access-control).\n\n- To grant user access to SIEM-related threat detection and investigation\n features in Security Operations console pages, see\n [Configure feature access control using IAM](/chronicle/docs/onboard/configure-feature-access#overview-perm-role).\n\n- To grant users access to SOAR-related response features in Security Operations console pages,\n see [Map IAM roles in the SOAR side of the Security Operations console](/security-command-center/docs/map-users-in-secops).\n You also map the SOAR-related IAM roles to SOC roles,\n permission groups, and environments under **SOAR settings**.\n\n- To create custom IAM roles using Google SecOps\n IAM permissions, see\n [Create and assign a custom role to a group](/chronicle/docs/onboard/configure-feature-access#custom-role).\n\n- To access features available with Security Command Center Enterprise, such as the\n [Posture Overview page](/security-command-center/docs/toxic-combinations-manage#view_an_overview_of_all_toxic_combination_cases),\n grant users the [required IAM roles](/security-command-center/docs/how-to-use-security-command-center#required_permissions)\n in the organization where Security Command Center Enterprise is activated.\n\nThe steps to grant access to features is different depending on the identity\nprovider configuration.\n\n- If you use Google Workspace or Cloud Identity as the identity provider,\n you grant roles directly to a user or group. See\n [Configure a Google Cloud identity provider](/chronicle/docs/onboard/configure-cloud-authentication)\n for an example of how to do this.\n\n- If you use Workforce Identity Federation to connect to a third-party identity\n provider (such as Okta or Azure AD), you grant roles to identities in a\n workforce identity pool or to a group within the workforce identity pool.\n\n See [Configure feature access control using IAM](/chronicle/docs/onboard/configure-feature-access)\n for examples of how to grant SIEM-related features and SOAR-related features\n to a workforce identity pool.\n\n Make sure the workforce pools include permissions to access\n Security Command Center-specific features in Security Operations console pages. The following\n are examples:\n - To grant the Security Center Admin Viewer role to all users in a workforce\n identity pool, run the following command:\n\n gcloud organizations add-iam-policy-binding \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e \\\n --role roles/securitycenter.adminViewer \\\n --member \"principalSet://iam.googleapis.com/locations/global/workforcePools/\u003cvar translate=\"no\"\u003eWORKFORCE_POOL_ID\u003c/var\u003e/*\" \\\n --condition None\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e: the numeric organization ID.\n - \u003cvar translate=\"no\"\u003eWORKFORCE_POOL_ID\u003c/var\u003e: the value you defined for the workforce identity pool ID.\n - To grant the Security Center Admin Viewer roles to a specific group, run the following commands:\n\n gcloud organizations add-iam-policy-binding \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e \\\n --role roles/securitycenter.adminViewer \\\n --member \"principalSet://iam.googleapis.com/locations/global/workforcePools/\u003cvar translate=\"no\"\u003eWORKFORCE_POOL_ID\u003c/var\u003e/group/\u003cvar translate=\"no\"\u003eGROUP_ID\u003c/var\u003e\" \\\n --condition None\n\n Replace \u003cvar translate=\"no\"\u003eGROUP_ID\u003c/var\u003e: a group in the mapped `google.groups` claim."]]
