This document discusses access for different users to various modules in the platform,
with a special emphasis on who gets
to see the cases. Access is based on three separate mechanisms that work together to
provide or restrict access to different parts of the platform. These mechanisms are
SOC roles, environments, and permission groups.
SOC roles
Conventionally, different access rights are assigned to different SOC roles,
but within your organization, you can experiment with the permission levels,
environments, or environment groups to determine the full scope of responsibility for each
user group in the Google Security Operations platform. The Google SecOps platform
comes with predefined SOC roles but customized roles can be added.
The predefined SOC roles are defined as follows:
Tier 1: performs basic triage on the alerts
Tier 2: reviews high priority security threats
Tier 3: handles major incidents
SocManager: manages the SOC team
CISO: top level manager within your organization
Administrator: has access to the entire Google SecOps platform
One of these SOC roles is used as a default role to be automatically assigned to
incoming cases. Each SOC role also has additional SOC roles attached to it and
therefore can monitor all cases belonging to these additional roles.
So, for example, Tier 1 analysts will see cases assigned to Tier 1 SOC roles
plus their other additional roles.
After a case has been created in the platform it can then be reassigned from the
default SOC role to a specific SOC role or even to an individual user either manually
or by a playbook automated action. By assigning a case to a SOC role, you can be sure
that a group of people are aware of the case and then after an analyst assigns it to themselves,
it provides an indication that they are handling it.
Environments and environment groups
You can define different environments and environment groups to create data segregation.
This ensures a logical separation between the majority of the platform modules
such as cases, playbooks, ingestion, and dashboards.
This is useful for businesses and Managed Security Service Providers (MSSPs) to segment operations and networks into different environments or environment groups, each with unique automation processes, settings, and more.
For MSSPs who have many different end customers, each environment or environment group can represent a separate customer.
You can experiment with the platform configuration settings so that only analysts
who are associated with a specific environment or environment group can see cases from that environment or environment group.
Other examples include configuring the playbooks module for several environments or environment groups.
The default environment is the baseline of the platform and is used when no
other environments have been defined or selected. In addition, platform admins
have access to all environments and environment groups, including future environments and environment groups added to the platform.
Permission groups
The Google SecOps platform includes predefined permission groups, and you can add permission groups, as needed. The predefined groups are:
Admin
Basic
Readers
View Only
Collaborators
Managed
Managed-Plus
The permission groups decide the level of access each group has to different
modules and settings in the platform. The settings are on a granular level.
For example, on the top level you can enable access to the reports module for
a particular permission group. On the next level down, you can enable access just to
view the advanced reports. On the bottom level, you can let users
edit the advanced reports.
How SOC roles, environments, and permission groups work together
This section demonstrates the relationship of these features by focusing on an
example of a mid-sized bank with a geographical location in Scotland
and one in England.
You want the Tier 1 SOC role to triage incoming cases but
escalate to Tier 2 if deeper investigation is required. You can set this up with the following procedure.
Set up different permission groups with the following steps:
In the Environments page, create two new environments and call
them Scotland branch and England branch.
In the Roles page, create two new SOC roles, Tier 1 Scotland
and Tier 2 England.
In the Tier 2 England role, make sure to add Tier 1 Scotland role to their
additional roles. Define Tier 1 as the default role.
In the Permissions page, create two new permission groups and call
them Tier 1 Scotland and Tier 2 England.
For the Tier 1 permissions group, make sure to disable IDE and playbooks
but allow them full editing rights on the cases module.
For the Tier 2 permissions group, make sure to enable the IDE and playbooks with
full editing rights for both modules.
For Google SecOps SOAR only platform users, create new users in the User Management
page and make sure to select the required environment, SOC role, and permission group
that you created earlier.
For Google SecOps platform users, create two new IdP groups
in the IdP Mapping page and make sure to select the environment, SOC role,
and permission group that you created earlier.
For Security Command Center Enterprise, create two new IAM roles in the IAM roles
page and make sure to select the environment, SOC role, and permission group that you created earlier.
Now, when a case is created on the platform. Tier 1 will be able to triage it
and if necessary, reassign it to Tier 2 if it requires deeper investigation or
modification of playbooks or actions.
The SOC roles, permission groups, and environments are mapped onto different IdP groups,
or user groups, depending on which product you have bought.
For more information on mapping users in the platform:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eAccess to the platform is controlled through a combination of SOC roles, environments, and permission groups, enabling customized user access to different modules and settings.\u003c/p\u003e\n"],["\u003cp\u003eSOC roles define the responsibilities of users, with predefined tiers like Tier 1, Tier 2, Tier 3, SocManager, CISO, and Administrator, allowing for the creation of custom roles as well.\u003c/p\u003e\n"],["\u003cp\u003eEnvironments and environment groups create data segregation, allowing businesses or MSSPs to isolate data and operations, for example, to represent different customers, branches, or departments.\u003c/p\u003e\n"],["\u003cp\u003ePermission groups dictate granular access levels to platform modules and settings, with options to control viewing, editing, or other specific actions.\u003c/p\u003e\n"],["\u003cp\u003eThe three access control systems can work together to define user access, demonstrated by an example of a banking setup where different branches and user roles can be assigned specific permissions and access.\u003c/p\u003e\n"]]],[],null,["Control access to platform with SOC roles, environments, and groups \nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc)\n**Note:** For customers have already migrated to Google Cloud the **Permission Groups** is replaced with IAM permissions. For more information, see [Migrate to Google Cloud](/chronicle/docs/soar/admin-tasks/advanced/migrate-to-gcp). \n\nThis document discusses access for different users to various modules in the platform,\nwith a special emphasis on who gets\nto see the cases. Access is based on three separate mechanisms that work together to\nprovide or restrict access to different parts of the platform. These mechanisms are\nSOC roles, environments, and permission groups.\n\nSOC roles\n\n\nConventionally, different access rights are assigned to different SOC roles,\nbut within your organization, you can experiment with the permission levels,\nenvironments, or environment groups to determine the full scope of responsibility for each\nuser group in the Google Security Operations platform. The Google SecOps platform\ncomes with predefined SOC roles but customized roles can be added.\nThe predefined SOC roles are defined as follows:\n\n- Tier 1: performs basic triage on the alerts\n- Tier 2: reviews high priority security threats\n- Tier 3: handles major incidents\n- SocManager: manages the SOC team\n- CISO: top level manager within your organization\n- Administrator: has access to the entire Google SecOps platform\n\n\nOne of these SOC roles is used as a default role to be automatically assigned to\nincoming cases. Each SOC role also has additional SOC roles attached to it and\ntherefore can monitor all cases belonging to these additional roles.\nSo, for example, Tier 1 analysts will see cases assigned to Tier 1 SOC roles\nplus their other additional roles.\n\n\nAfter a case has been created in the platform it can then be reassigned from the\ndefault SOC role to a specific SOC role or even to an individual user either manually\nor by a playbook automated action. By assigning a case to a SOC role, you can be sure\nthat a group of people are aware of the case and then after an analyst assigns it to themselves,\nit provides an indication that they are handling it.\n\nEnvironments and environment groups\n\n\nYou can define different environments and environment groups to create data segregation.\nThis ensures a logical separation between the majority of the platform modules\nsuch as cases, playbooks, ingestion, and dashboards.\nThis is useful for businesses and Managed Security Service Providers (MSSPs) to segment operations and networks into different environments or environment groups, each with unique automation processes, settings, and more.\nFor MSSPs who have many different end customers, each environment or environment group can represent a separate customer.\n\n\nYou can experiment with the platform configuration settings so that only analysts\nwho are associated with a specific environment or environment group can see cases from that environment or environment group.\nOther examples include configuring the playbooks module for several environments or environment groups.\nThe default environment is the baseline of the platform and is used when no\nother environments have been defined or selected. In addition, platform admins\nhave access to all environments and environment groups, including future environments and environment groups added to the platform.\n| **Note:** Installed integrations share code across all platform environments. Granting access to the integrated development environment (IDE) module lets you create and execute custom code across all platform environments, irrespective of your specific environment access.\n\nPermission groups\n\n\nThe Google SecOps platform includes predefined permission groups, and you can add permission groups, as needed. The predefined groups are:\n\n- Admin\n- Basic\n- Readers\n- View Only\n- Collaborators\n- Managed\n- Managed-Plus\n\n\nThe permission groups decide the level of access each group has to different\nmodules and settings in the platform. The settings are on a granular level.\nFor example, on the top level you can enable access to the reports module for\na particular permission group. On the next level down, you can enable access just to\nview the advanced reports. On the bottom level, you can let users\nedit the advanced reports.\n\nHow SOC roles, environments, and permission groups work together\n\n\nThis section demonstrates the relationship of these features by focusing on an\nexample of a mid-sized bank with a geographical location in Scotland\nand one in England.\nYou want the Tier 1 SOC role to triage incoming cases but\nescalate to Tier 2 if deeper investigation is required. You can set this up with the following procedure.\n\n\nSet up different permission groups with the following steps:\n\n1. In the **Environments** page, create two new environments and call them `Scotland branch` and `England branch`.\n2. In the **Roles** page, create two new SOC roles, `Tier 1 Scotland` and `Tier 2 England`.\n3. In the Tier 2 England role, make sure to add Tier 1 Scotland role to their additional roles. Define Tier 1 as the default role.\n4. In the **Permissions** page, create two new permission groups and call them `Tier 1 Scotland` and `Tier 2 England`.\n5. For the Tier 1 permissions group, make sure to disable IDE and playbooks but allow them full editing rights on the cases module.\n6. For the Tier 2 permissions group, make sure to enable the IDE and playbooks with full editing rights for both modules.\n7. For Google SecOps SOAR only platform users, create new users in the **User Management** page and make sure to select the required environment, SOC role, and permission group that you created earlier.\n8. For Google SecOps platform users, create two new IdP groups in the **IdP Mapping** page and make sure to select the environment, SOC role, and permission group that you created earlier.\n9. For Security Command Center Enterprise, create two new IAM roles in the **IAM roles** page and make sure to select the environment, SOC role, and permission group that you created earlier.\n\n\nNow, when a case is created on the platform. Tier 1 will be able to triage it\nand if necessary, reassign it to Tier 2 if it requires deeper investigation or\nmodification of playbooks or actions.\n\nThe SOC roles, permission groups, and environments are mapped onto different IdP groups,\nor user groups, depending on which product you have bought.\nFor more information on mapping users in the platform:\n\nFor Google SecOps customers, refer to: [Provision, authenticate, and map users in the\nGoogle SecOps platform](/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform).\nFor Google SecOps SOAR customers: refer to: [Add users to the platform](/chronicle/docs/soar/admin-tasks/user-soar-only/how-do-i-add-a-new-user-to-the-platform).\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
