Control access to the platform using SOAR permissions
This document explains how three mechanisms—SOC roles, environments, and permission groups—work together to control user access to different parts of the platform. It also describes how these mechanisms determine who can view cases.
Assign SOC roles
You can assign different access rights to SOC roles to control the scope of responsibility for each user group in Google Security Operations. Google SecOps includes predefined SOC roles, but you can also add custom roles.
The predefined SOC roles are as follows:
- Tier 1: Perform basic triage on the alerts.
- Tier 2: Review high-priority security threats.
- Tier 3: Handle major incidents.
- SOC Manager: Manage the SOC team.
- CISO: Serve as the top-level manager within your organization.
- Administrator: Access the entire Google SecOps platform.
You can set one of these SOC roles as the default, and the system automatically assigns it to incoming cases. Each SOC role can also have additional SOC roles attached to it, letting users monitor all cases assigned to those roles. For example, a Tier 1 analyst can see cases assigned to their Tier 1 role and any additional roles.
After a case is created, you can reassign it from the default SOC role to a specific SOC role or an individual user—manually or with a playbook automated action. Assigning a case to a SOC role makes sure that a group of people is aware of it. When an analyst self-assigns the case, they indicate that they're handling it.
Environments and environment groups
You can define different environments and environment groups to create logical data segregation. This separation applies to most platform modules, such as cases, playbooks, ingestion, and dashboards. This process is useful for businesses and Managed Security Service Providers (MSSPs) who need to segment their operations and networks. Each environment or group can have its own unique automation processes and settings. For MSSPs with many different customers, each environment or group can represent a separate customer.
You can configure platform settings so that only analysts associated with a specific environment or group can see its cases. For example, you can configure the playbooks module for multiple environments. The system uses the default environment as the platform baseline when you haven't defined or selected other environments. Platform administrators have access to all current and future environments and environment groups.
Use predefined permission groups
The Google SecOps platform includes predefined permission groups, and you can add permission groups as needed. The predefined groups are as follows:
- Admin
- Basic
- Readers
- View Only
- Collaborators
- Managed
- Managed-Plus
Permission groups control the level of access each group has to different modules and settings in the platform. You can set permissions at a granular level.
For example:
- Top level: Enable access to the Reports module for a specific permission group.
- Mid level: Enable access only to view advanced reports.
- Granular level: Let users edit advanced reports.
Work with SOC roles, environments, and permission groups
This section uses an example of a mid-sized bank with branches in Scotland and England to show how SOC roles, environments, and permission groups work together. The goal is to let Tier 1 analysts triage incoming cases and then escalate them to Tier 2 for deeper investigation when needed.
To set up different permission groups, follow these steps:
- On the Environments page, create two new environments named Scotland branch and England branch.
- On the Roles page, create two new SOC roles: Tier 1 Scotland and Tier 2 England.
- In the Tier 2 England role, add the Tier 1 Scotland role to its additional roles, and set Tier 1 as the default role.
- On the Permissions page, create two new permission groups named Tier 1 Scotland and Tier 2 England.
- For the Tier 1 Scotland group, disable the IDE and playbooks modules but grant full editing rights on the cases module.
- For the Tier 2 England group, enable the IDE and playbooks modules with full editing rights for both.
- Map users to the new roles, environments, and permission groups, based on your product:
  - Google SecOps SOAR only: On the User Management page, create new users and assign the required environment, SOC role, and permission group.
  - Google SecOps: On the IdP Mapping page, create two identity provider (IdP) groups and assign the required environment, SOC role, and permission group.
  - Security Command Center Enterprise: On the IAM roles page, create two IAM roles and assign the required environment, SOC role, and permission group.
After you complete this setup, when a new case is created, Tier 1 analysts can triage the case and, if necessary, reassign it to Tier 2 for deeper investigation or for modification of playbooks or actions.
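As an added illustration (not code from the Google SecOps documentation or product), the following Python models the visibility rules the bank example relies on: environment segregation, SOC roles with additional roles, and module access from permission groups. It assumes that a new Scotland case lands on the Tier 1 Scotland role, that the Tier 2 analyst is mapped to both environments, and that a case assigned to a role is visible only to users whose role or additional roles include it.

```python
# Added example, not Google SecOps code: a toy model of the access rules above.
# Assumed rule: a non-admin sees a case only if its environment is one they are
# mapped to AND it is assigned to their SOC role or one of that role's
# additional roles; admins see every environment. Permission groups gate modules.
from dataclasses import dataclass

@dataclass(frozen=True)
class SocRole:
    name: str
    additional_roles: frozenset = frozenset()  # roles whose cases this role also monitors

@dataclass(frozen=True)
class User:
    name: str
    role: SocRole
    environments: frozenset           # environments the user is mapped to
    modules: dict                     # permission group: module -> "edit" | "view" | "none"
    is_admin: bool = False

@dataclass
class Case:
    case_id: int
    environment: str
    assigned_role: str                # the role the case was created with, until reassigned

def can_view_case(user: User, case: Case) -> bool:
    if user.is_admin:
        return True                   # administrators see all environments
    if case.environment not in user.environments:
        return False                  # environment segregation is checked first
    return case.assigned_role in {user.role.name, *user.role.additional_roles}

def can_edit_module(user: User, module: str) -> bool:
    return user.modules.get(module, "none") == "edit"

def escalate(case: Case, actor: User, to_role: str) -> Case:
    """Reassign a case to another SOC role; the actor must be able to see it."""
    if not can_view_case(actor, case):
        raise PermissionError(f"{actor.name} cannot see case {case.case_id}")
    case.assigned_role = to_role
    return case

# Constructed bank-example data (assumed values, not from the page).
TIER1_SCOTLAND = SocRole("Tier 1 Scotland")
TIER2_ENGLAND = SocRole("Tier 2 England", frozenset({"Tier 1 Scotland"}))
ALICE = User("alice", TIER1_SCOTLAND, frozenset({"Scotland branch"}),
             {"ide": "none", "playbooks": "none", "cases": "edit"})
BOB = User("bob", TIER2_ENGLAND, frozenset({"Scotland branch", "England branch"}),
           {"ide": "edit", "playbooks": "edit", "cases": "edit"})
```

Escalating a case to Tier 2 England removes it from the Tier 1 analyst's view, while the Tier 2 analyst, whose additional roles include Tier 1 Scotland, could see it both before and after.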
SOC roles, permission groups, and environments map to different IdP groups, or user groups, depending on the product.
For more information about how to map users in the platform, see the document that applies to you:
- Google SecOps customers: see Map users in the platform.
- Google SecOps SOAR customers: see Manage users.