Web Security Scanner roles and permissions

This page lists the IAM roles and permissions for Web Security Scanner. To search through all roles and permissions, see the role and permission index.

Web Security Scanner roles

Role Permissions

Role	Permissions
Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Full access to all Web Security Scanner resources Lowest-level resources where you can grant this role: Project	`appengine.applications.get` `cloudsecurityscanner.*` `cloudsecurityscanner.crawledurls.list` `cloudsecurityscanner.results.get` `cloudsecurityscanner.results.list` `cloudsecurityscanner.scanruns.get` `cloudsecurityscanner.scanruns.getSummary` `cloudsecurityscanner.scanruns.list` `cloudsecurityscanner.scanruns.stop` `cloudsecurityscanner.scans.create` `cloudsecurityscanner.scans.delete` `cloudsecurityscanner.scans.get` `cloudsecurityscanner.scans.list` `cloudsecurityscanner.scans.run` `cloudsecurityscanner.scans.update` `compute.addresses.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`
Web Security Scanner Runner (`roles/cloudsecurityscanner.runner`) Read access to Scan and ScanRun, plus the ability to start scans Lowest-level resources where you can grant this role: Project	`cloudsecurityscanner.crawledurls.list` `cloudsecurityscanner.scanruns.get` `cloudsecurityscanner.scanruns.list` `cloudsecurityscanner.scanruns.stop` `cloudsecurityscanner.scans.get` `cloudsecurityscanner.scans.list` `cloudsecurityscanner.scans.run`
Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Read access to all Web Security Scanner resources Lowest-level resources where you can grant this role: Project	`cloudsecurityscanner.crawledurls.list` `cloudsecurityscanner.results.*` `cloudsecurityscanner.results.get` `cloudsecurityscanner.results.list` `cloudsecurityscanner.scanruns.get` `cloudsecurityscanner.scanruns.getSummary` `cloudsecurityscanner.scanruns.list` `cloudsecurityscanner.scans.get` `cloudsecurityscanner.scans.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`
Cloud Web Security Scanner Service Agent (`roles/websecurityscanner.serviceAgent`) Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details. Warning: Do not grant service agent roles to any principals except service agents.	`appengine.applications.get` `cloudasset.assets.listResource` `compute.addresses.list` `compute.backendServices.get` `compute.forwardingRules.get` `compute.globalForwardingRules.get` `compute.sslCertificates.list` `compute.targetHttpProxies.get` `compute.targetHttpsProxies.get` `compute.urlMaps.get`

Web Security Scanner Editor

(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

cloudsecurityscanner.*

cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update

compute.addresses.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Web Security Scanner Runner

(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resources where you can grant this role:

Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scanruns.stop

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

cloudsecurityscanner.scans.run

Web Security Scanner Viewer

(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

cloudsecurityscanner.results.get
cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Cloud Web Security Scanner Service Agent

(roles/websecurityscanner.serviceAgent)

Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.

appengine.applications.get

cloudasset.assets.listResource

compute.addresses.list

compute.backendServices.get

compute.forwardingRules.get

compute.globalForwardingRules.get

compute.sslCertificates.list

compute.targetHttpProxies.get

compute.targetHttpsProxies.get

compute.urlMaps.get

Web Security Scanner permissions

Permission	Included in roles
`cloudsecurityscanner.crawledurls.list`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Runner (`roles/cloudsecurityscanner.runner`) Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`)
`cloudsecurityscanner.results.get`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Security Auditor (`roles/iam.securityAuditor`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`)
`cloudsecurityscanner.results.list`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`)
`cloudsecurityscanner.scanruns.get`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Runner (`roles/cloudsecurityscanner.runner`) Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Security Auditor (`roles/iam.securityAuditor`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`)
`cloudsecurityscanner.scanruns.getSummary`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Security Auditor (`roles/iam.securityAuditor`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`)
`cloudsecurityscanner.scanruns.list`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Runner (`roles/cloudsecurityscanner.runner`) Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`)
`cloudsecurityscanner.scanruns.stop`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Runner (`roles/cloudsecurityscanner.runner`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`)
`cloudsecurityscanner.scans.create`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`)
`cloudsecurityscanner.scans.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`)
`cloudsecurityscanner.scans.get`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Runner (`roles/cloudsecurityscanner.runner`) Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Security Auditor (`roles/iam.securityAuditor`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`cloudsecurityscanner.scans.list`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Runner (`roles/cloudsecurityscanner.runner`) Web Security Scanner Viewer (`roles/cloudsecurityscanner.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`cloudsecurityscanner.scans.run`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Web Security Scanner Runner (`roles/cloudsecurityscanner.runner`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`)
`cloudsecurityscanner.scans.update`	Owner (`roles/owner`) Editor (`roles/editor`) Web Security Scanner Editor (`roles/cloudsecurityscanner.editor`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`)

Web Security Scanner roles and permissions