Access control with IAM

Overview

Cyber Insurance Hub uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more IAM roles to a user, group, or service account. Cyber Insurance Hub permissions are incorporated into the IAM roles.

Cyber Insurance Hub Roles

Cyber Insurance Hub provides predefined roles that grant multiple permissions to specific Cyber Insurance Hub resources.

The following table lists the predefined roles for Cyber Insurance Hub, their description, and which permissions they include. Grant these roles at the organization level.

Role: riskmanager.admin
Title: Risk Manager Admin
Description: All Cyber Insurance Hub permissions
Permissions:
  • riskmanager.serviceaccount.create
  • riskmanager.reports.get
  • riskmanager.reports.list
  • riskmanager.reports.create
  • riskmanager.reports.delete
  • riskmanager.reports.review
  • riskmanager.reports.share
  • riskmanager.operations.get
  • riskmanager.operations.list
  • riskmanager.operations.delete
  • riskmanager.policies.get
  • riskmanager.policies.list
  • riskmanager.settings.get
  • riskmanager.settings.update
  • riskmanager.controlScoreBreakdowns.get
  • riskmanager.controlScoreBreakdowns.list

Role: riskmanager.editor
Title: Risk Manager Editor
Description: Access to edit Cyber Insurance Hub resources (includes all permissions except the ability to share or review a report)
Permissions:
  • riskmanager.serviceaccount.create
  • riskmanager.reports.get
  • riskmanager.reports.list
  • riskmanager.reports.create
  • riskmanager.reports.delete
  • riskmanager.operations.get
  • riskmanager.operations.list
  • riskmanager.operations.delete
  • riskmanager.policies.get
  • riskmanager.policies.list
  • riskmanager.settings.get
  • riskmanager.settings.update
  • riskmanager.controlScoreBreakdowns.get
  • riskmanager.controlScoreBreakdowns.list

Role: riskmanager.viewer
Title: Risk Manager Viewer
Description: Access to view Cyber Insurance Hub resources
Permissions:
  • riskmanager.reports.get
  • riskmanager.reports.list
  • riskmanager.operations.get
  • riskmanager.operations.list
  • riskmanager.policies.get
  • riskmanager.policies.list
  • riskmanager.settings.get
  • riskmanager.controlScoreBreakdowns.get
  • riskmanager.controlScoreBreakdowns.list

Role: riskmanager.reviewer
Title: Risk Manager Report Reviewer
Description: Access to review/approve Cyber Insurance Hub reports
Permissions:
  • riskmanager.reports.get
  • riskmanager.reports.list
  • riskmanager.reports.review
  • riskmanager.operations.get
  • riskmanager.operations.list

Risk Manager Service Agent role

When you enroll in Cyber Insurance Hub, a service account is created for you in the format of organizations-ORGANIZATION_ID@gcp-sa-riskmanager.iam.gserviceaccount.com. This service account requires the riskmanager.serviceAgent role at the organization level. This role lets the Cyber Insurance Hub service account retrieve the data needed from other Google Cloud services to generate Cyber Insurance Hub reports.

The riskmanager.serviceAgent role includes the following permissions:

Role: roles/riskmanager.serviceAgent
Title: Risk Manager Service Agent
Description: Access to retrieve data from other Google Cloud services needed to generate Cyber Insurance Hub reports.
Permissions:
  • resourcemanager.organizations.get

Also, all permissions of the following roles are included:

  • cloudasset.viewer
  • securitycenter.assetsViewer
  • securitycenter.findingsViewer
  • securitycenter.settingsViewer

To add the roles/riskmanager.serviceAgent role, you must have the roles/resourcemanager.organizationAdmin role. You can add the roles/riskmanager.serviceAgent role to a service account by running the following command:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="serviceAccount:organizations-ORGANIZATION_ID@gcp-sa-riskmanager.iam.gserviceaccount.com" \
  --role="roles/riskmanager.serviceAgent"

Replace ORGANIZATION_ID with the numeric ID of your organization.

For more information about IAM roles, see Understanding roles.

Cyber Insurance Hub custom roles

In addition to predefined roles, Cyber Insurance Hub supports the ability to create customized IAM roles. You can create a custom IAM role and assign that role one or more permissions. Then, you can grant the new role to your collaborators. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles offered by Google.

This document does not describe how to create a custom role. For in-depth information about custom roles and step-by-step instructions for creating a custom role, see Creating and managing custom roles in the IAM documentation.
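The predefined-role table above and the custom-roles section both come down to one question: which role covers the permissions a principal actually needs, and how much extra it grants. The following script is an added example (not Google's code or documentation) that answers that from the permission sets transcribed off this page; the least-to-most-privileged ordering, the `least_privileged_role` function and the "excess" metric are this example's own assumptions, and role names are written in the `roles/` form this page uses for the service agent role.

```python
"""Least-privilege role selection for Cyber Insurance Hub (Risk Manager).
Added example, not Google's code. Permission sets are transcribed from the
predefined-role table on this page; the ordering and metric are assumptions."""

# Permission sets transcribed from the predefined-role table.
VIEWER = {
    "riskmanager.reports.get", "riskmanager.reports.list",
    "riskmanager.operations.get", "riskmanager.operations.list",
    "riskmanager.policies.get", "riskmanager.policies.list",
    "riskmanager.settings.get",
    "riskmanager.controlScoreBreakdowns.get",
    "riskmanager.controlScoreBreakdowns.list",
}
EDITOR = VIEWER | {  # editor adds write access but deliberately not review/share
    "riskmanager.serviceaccount.create",
    "riskmanager.reports.create", "riskmanager.reports.delete",
    "riskmanager.operations.delete", "riskmanager.settings.update",
}
ADMIN = EDITOR | {"riskmanager.reports.review", "riskmanager.reports.share"}
REVIEWER = {
    "riskmanager.reports.get", "riskmanager.reports.list",
    "riskmanager.reports.review",
    "riskmanager.operations.get", "riskmanager.operations.list",
}
# Least to most privileged (assumption: a reviewer's approval power ranks
# below an editor's create/delete; adjust to your own risk model).
ROLE_ORDER = [
    ("roles/riskmanager.viewer", VIEWER),
    ("roles/riskmanager.reviewer", REVIEWER),
    ("roles/riskmanager.editor", EDITOR),
    ("roles/riskmanager.admin", ADMIN),
]


def least_privileged_role(needed):
    """Return (role, excess): the lowest-ranked predefined role covering every
    permission in `needed`, and the permissions it grants beyond them.
    Returns (None, unknown) if a requested permission is not a riskmanager
    permission on this page (e.g. a typo), since no role could cover it."""
    needed = set(needed)
    unknown = needed - ADMIN  # ADMIN holds every permission in the table
    if unknown:
        return None, unknown
    for name, perms in ROLE_ORDER:
        if needed <= perms:
            return name, perms - needed
    return None, set()  # unreachable: ADMIN covers all known permissions
```

A non-empty `excess` set is the over-privilege a custom role with exactly the needed permissions would remove; a `None` result means the request names a permission outside the table and should be checked before any role is granted.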