Access control

Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use Web Security Scanner. The tables below include each Cloud IAM role available for Web Security Scanner and the methods available to them. Grant these roles at the project level. To let users create and manage security scans, add them to your project and grant them permissions using these roles.

Web Security Scanner supports primitive roles and predefined roles that give more granular access to Web Security Scanner resources.

Primitive Cloud IAM roles

The following describes the Web Security Scanner permissions that are granted by primitive roles.

| Role | Description |
| --- | --- |
| Owner | Full access to all Web Security Scanner resources |
| Editor | Full access to all Web Security Scanner resources |
| Viewer | No access to Web Security Scanner |

Predefined Cloud IAM roles

The following describes the Web Security Scanner permissions that are granted by Web Security Scanner roles.

| Role | Title | Description | Permissions | Lowest resource |
| --- | --- | --- | --- | --- |
| roles/cloudsecurityscanner.editor | Web Security Scanner Editor | Full access to all Cloud Security Scanner resources | appengine.applications.get, cloudsecurityscanner.*, compute.addresses.list, resourcemanager.projects.get, resourcemanager.projects.list, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list | |
| roles/cloudsecurityscanner.runner | Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans | cloudsecurityscanner.crawledurls.*, cloudsecurityscanner.scanruns.get, cloudsecurityscanner.scanruns.list, cloudsecurityscanner.scanruns.stop, cloudsecurityscanner.scans.get, cloudsecurityscanner.scans.list, cloudsecurityscanner.scans.run | |
| roles/cloudsecurityscanner.viewer | Web Security Scanner Viewer | Read access to all Cloud Security Scanner resources | cloudsecurityscanner.crawledurls.*, cloudsecurityscanner.results.*, cloudsecurityscanner.scanruns.get, cloudsecurityscanner.scanruns.getSummary, cloudsecurityscanner.scanruns.list, cloudsecurityscanner.scans.get, cloudsecurityscanner.scans.list, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list | |

For more information about Cloud IAM roles, see understanding roles.
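
The role tables above can be turned into a least-privilege check on a project's IAM policy. The following is an added example, not code from the Web Security Scanner documentation: it reads a policy in the JSON shape printed by `gcloud projects get-iam-policy`, reports which members have Web Security Scanner access and through which role, and lists those who get full access from the primitive Owner or Editor role. The sample policy, member names and function names are constructed for illustration.

```python
import json
import sys

# Access each role gives to Web Security Scanner, per the role tables on this page.
SCANNER_ACCESS = {
    "roles/owner": "full (primitive)",
    "roles/editor": "full (primitive)",
    "roles/cloudsecurityscanner.editor": "full",
    "roles/cloudsecurityscanner.runner": "read + start scans",
    "roles/cloudsecurityscanner.viewer": "read",
}
PRIMITIVE = {"roles/owner", "roles/editor"}

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["user:bob@example.com",
                                         "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:carol@example.com", "user:erin@example.com"]},
    {"role": "roles/cloudsecurityscanner.runner",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com", "user:dave@example.com"]},
    {"role": "roles/cloudsecurityscanner.viewer", "members": ["user:carol@example.com"]},
]}


def scanner_grants(policy):
    """Map each member to the set of roles that give it Web Security Scanner access."""
    grants = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role in SCANNER_ACCESS:  # roles/viewer and unrelated roles grant nothing here
            for member in binding.get("members", []):
                grants.setdefault(member, set()).add(role)
    return grants


def full_access_via_primitive(policy):
    """Members who get full scanner access from Owner or Editor rather than a predefined role."""
    return sorted(m for m, roles in scanner_grants(policy).items() if roles & PRIMITIVE)


if __name__ == "__main__":
    # Pass a saved policy file as the first argument, or run with no argument for the sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for member, roles in sorted(scanner_grants(policy).items()):
        for role in sorted(roles):
            print(f"{member}: {role} -> {SCANNER_ACCESS[role]}")
    print("full access via primitive role:", full_access_via_primitive(policy))
```

The check treats every binding as unconditional, so a binding that carries an IAM condition is reported as if it always applies.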