This document describes the algorithms that the Google Security Operations platform
uses to apply multiple control access parameters for user groups.
Permission groups
You can assign a maximum of five permission groups for each user or user group.
The users get a combination of all the permissions from
each of the permission groups.
Assigned landing page for permissions groups
Each permission group has a designated landing page that users are directed to
when they first sign-in to the Google SecOps platform. If a user
or user group is assigned to multiple permission groups, Google SecOps
selects the landing page based on the highest-ranking option in the following
hierarchy:
Cases > Case Overview
Homepage (Workdesk) > My Cases
Cases > Case Wall
Homepage (Workdesk)> Pending Actions
Dashboards
Playbooks
Reports
Search
Homepage (Workdesk) > Requests
Command Center (Incident Manager)
Legacy SIEM Search
Restrict actions
Each permission group includes a section where the administrator can select
actions that are restricted for that specific permission group. For a restricted
action to apply, it must be selected in all permission groups assigned to the
user group. That is, if a user group is mapped to multiple permission groups,
but the restricted action is only assigned in one of those groups, the
restriction is not enforced.
SOC roles
Each user can be mapped with up to five SOC
roles plus additional roles.
Playbook views per SOC roles
Each playbook customized view is assigned to a specific SOC role. If a user
is assigned to several SOC roles, then all widgets are displayed.
The exception to this is if one SOC role includes another SOC role, then in this
scenario, the parent SOC role's playbook view is displayed.
Environments
You can assign both environments and environment groups at the same time. You
can assign each user to multiple environments and environment groups, granting
them access to all cases and data within each assigned environment or environment
group.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eUsers can be assigned up to five permission groups, and they will receive a combination of all permissions from each assigned group.\u003c/p\u003e\n"],["\u003cp\u003eIf a user is in multiple permission groups, their initial landing page in Google SecOps is determined by a hierarchy, with "Cases > Case Overview" being the highest priority.\u003c/p\u003e\n"],["\u003cp\u003eRestricted actions must be selected in all permission groups assigned to a user to be enforced; otherwise, the restriction will not apply.\u003c/p\u003e\n"],["\u003cp\u003eUsers can have up to five SOC roles, and if they have multiple roles, all widgets are displayed on their playbook view unless one role is a parent to another, in which case only the parent view is displayed.\u003c/p\u003e\n"],["\u003cp\u003eUsers can be mapped to multiple environments and/or environment groups to get access to all cases and data within each.\u003c/p\u003e\n"]]],[],null,["# Map users with multiple control access parameters\n=================================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n| **Note:** This page isn't relevant for customers who have already migrated to Google Cloud. For more information, see [Migrate to Google Cloud](/chronicle/docs/soar/admin-tasks/advanced/migrate-to-gcp).\n\nThis document describes the algorithms that the Google Security Operations platform\nuses to apply multiple control access parameters for user groups.\n\nPermission groups\n-----------------\n\nYou can assign a maximum of five permission groups for each user or user group.\nThe users get a combination of all the permissions from\neach of the permission groups.\n\n### Assigned landing page for permissions groups\n\nEach permission group has a designated landing page that users are directed to\nwhen they first sign-in to the Google SecOps platform. If a user\nor user group is assigned to multiple permission groups, Google SecOps\nselects the landing page based on the highest-ranking option in the following\nhierarchy:\n\n- Cases \\\u003e Case Overview\n- Homepage (Workdesk) \\\u003e My Cases\n- Cases \\\u003e Case Wall\n- Homepage (Workdesk)\\\u003e Pending Actions\n- Dashboards\n- Playbooks\n- Reports\n- Search\n- Homepage (Workdesk) \\\u003e Requests\n- Command Center (Incident Manager)\n- Legacy SIEM Search\n\n### Restrict actions\n\nEach permission group includes a section where the administrator can select\nactions that are restricted for that specific permission group. For a restricted\naction to apply, it must be selected in all permission groups assigned to the\nuser group. That is, if a user group is mapped to multiple permission groups,\nbut the restricted action is only assigned in one of those groups, the\nrestriction is not enforced.\n\nSOC roles\n---------\n\nEach user can be mapped with up to five SOC\nroles plus additional roles.\n\n#### Playbook views per SOC roles\n\nEach playbook customized view is assigned to a specific SOC role. If a user\nis assigned to several SOC roles, then all widgets are displayed.\nThe exception to this is if one SOC role includes another SOC role, then in this\nscenario, the parent SOC role's playbook view is displayed.\n\n### Environments\n\nYou can assign both environments and environment groups at the same time. You\ncan assign each user to multiple environments and environment groups, granting\nthem access to all cases and data within each assigned environment or environment\ngroup.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
