機構層級啟用功能的 IAM

本頁說明如何使用 Identity and Access Management (IAM),控管在機構層級啟用 Security Command Center 後的資源存取權。如果符合下列任一條件,本頁內容就適用於你:

  • Security Command Center 是在機構層級啟用,而非專案層級。
  • 機構層級已啟用 Security Command Center Standard。 此外,您已在一個或多個專案中啟用 Security Command Center Premium。

如果您是在專案層級啟用 Security Command Center,而非機構層級,請改為參閱「專案層級啟用適用的 IAM」。

在組織層級啟用 Security Command Center 時,您可以控管資源階層中不同層級的資源存取權。Security Command Center 會使用 IAM 角色,控管哪些人員可以在 Security Command Center 環境中,對資產、發現項目和安全性來源執行哪些操作。您可以將角色授予個人和應用程式,每個角色都提供特定權限。

權限

如要設定 Security Command Center 或變更機構的設定,您必須在機構層級同時具備下列角色:

  • 機構管理員 (roles/resourcemanager.organizationAdmin)
  • 安全中心管理員 (roles/securitycenter.admin)

如果使用者不需要編輯權限,請考慮授予檢視者角色。

如要在 Security Command Center 中查看所有資產、發現項目和攻擊路徑,使用者必須具備組織層級的安全中心管理員檢視者 (roles/securitycenter.adminViewer) 角色。

如要查看設定,使用者必須在機構層級具備安全中心管理員 (roles/securitycenter.admin) 角色。

如要限制個別資料夾和專案的存取權,請勿在機構層級授予所有角色。請改為在資料夾 專案層級授予下列角色:

  • 安全中心資產檢視者 (roles/securitycenter.assetsViewer)
  • 安全中心發現項目檢視者 (roles/securitycenter.findingsViewer)

如果您使用 Security Command Center Enterprise,請參閱「Security Command Center Enterprise 控制台」,瞭解其他必要角色。

機構層級角色

在機構層級套用 IAM 角色時,該機構下的專案和資料夾會沿用其角色繫結

下圖說明一般的 Security Command Center 資源階層,並顯示在機構層級授予的角色。

Security Command Center 資源階層和權限結構
Security Command Center 資源階層和機構層級角色 (點選即可放大)

IAM 角色包含檢視、編輯、更新、建立或刪除資源的權限。在 Security Command Center 中,於機構層級授予的角色可讓您在整個機構中,對發現項目、資產和安全性來源執行指定動作。舉例來說,如果使用者獲派「安全中心發現項目編輯者」角色 (roles/securitycenter.findingsEditor),就能查看或編輯貴機構中任何專案或資料夾內,附加至任何資源的發現項目。採用這種結構後,您不必在每個資料夾或專案中授予使用者角色。

如需管理角色和權限的操作說明,請參閱「管理專案、資料夾和機構的存取權」一文。

機構層級角色不適用於所有用途,特別是需要嚴格存取控管的敏感應用程式或法規遵循標準。如要建立精細的存取權政策,您可以在資料夾和專案層級授予角色。

資料夾層級和專案層級角色

您可以透過 Security Command Center,為特定資料夾和專案授予 Security Command Center IAM 角色,在機構內建立多個檢視畫面或資訊孤島。您可以為機構中的使用者和群組授予不同的資料夾和專案存取權及編輯權限。

以下影片說明如何授予資料夾層級和專案層級的角色,以及如何在 Security Command Center 控制台中管理這些角色。

透過資料夾和專案角色,具備 Security Command Center 角色的使用者可以管理指定專案或資料夾中的資產和發現項目。舉例來說,安全工程師可以獲得特定資料夾和專案的有限存取權,而安全管理員則可管理機構層級的所有資源。

資料夾和專案角色可讓您在機構資源階層的較低層級套用 Security Command Center 權限,但不會變更階層。下圖說明使用者如何透過 Security Command Center 權限,存取特定專案的發現項目。

Security Command Center 資源階層和權限結構
Security Command Center 資源階層和專案層級角色 - 無法存取虛線項目 (按一下即可放大)

具有資料夾和專案角色的使用者會看到機構資源的子集。 他們只能在相同範圍內執行動作。舉例來說,如果使用者擁有資料夾的權限,就能存取該資料夾中任何專案的資源。專案權限可讓使用者存取該專案中的資源。

如需管理角色和權限的操作說明,請參閱「管理專案、資料夾和機構的存取權」一文。

角色限制

在資料夾或專案層級授予 Security Command Center 角色後,Security Command Center 管理員可以執行下列操作:

  • 將 Security Command Center 的檢視或編輯權限限制在特定資料夾和專案
  • 授予特定使用者或團隊資產或調查結果的查看和編輯權限
  • 限制個人或群組查看或編輯發現項目詳細資料 (包括安全性標記和發現項目狀態的更新),但可允許存取基礎發現項目
  • 控管 Security Command Center 設定的存取權,只有具備機構層級角色的使用者才能查看

Security Command Center 功能

此外,Security Command Center 的功能也會根據檢視和編輯權限受到限制。

在 Google Cloud 控制台中,Security Command Center 可讓沒有機構層級權限的使用者,只選擇他們有權存取的資源。選取後,使用者介面的所有元素都會更新,包括資產、發現項目和設定控制項。使用者可查看角色所具備的權限,以及是否能在目前範圍存取或編輯調查結果。

Security Command Center API 和 Google Cloud CLI 也會將函式限制在指定資料夾和專案中。如果使用者獲派資料夾或專案角色,並呼叫列出或分組資產和調查結果,系統只會傳回這些範圍內的調查結果或資產。

在機構層級啟用 Security Command Center 時,建立或更新發現項目和發現項目通知的呼叫只支援機構範圍。您需要機構層級的角色才能執行這些工作。

如要查看攻擊路徑模擬產生的攻擊路徑,必須在機構層級授予適當權限,並將 Google Cloud 控制台檢視畫面設為機構。

發現項目的家長資源

通常,發現項目會附加至資源,例如虛擬機器 (VM) 或防火牆。Security Command Center 會將發現項目附加至產生發現項目的資源最直接的容器。舉例來說,如果 VM 產生了調查結果,該結果就會附加至包含 VM 的專案。未連結至 Google Cloud 資源的發現項目會附加至機構,且具備機構層級 Security Command Center 權限的使用者都能查看。

Security Command Center 角色

Security Command Center 提供下列 IAM 角色。您可以在機構、資料夾或專案層級授予這些角色。

Role Permissions

(roles/securitycenter.admin)

Admin(super user) access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.*

  • assuredoss.config.get
  • assuredoss.customers.create
  • assuredoss.locations.get
  • assuredoss.locations.list
  • assuredoss.metadata.get
  • assuredoss.metadata.list
  • assuredoss.operations.cancel
  • assuredoss.operations.delete
  • assuredoss.operations.get
  • assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudasset.othercloudconnections.get

cloudasset.othercloudconnections.list

cloudasset.othercloudconnections.verify

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

iam.serviceAccountKeys.create

iam.serviceAccounts.create

iam.serviceAccounts.get

pubsub.messageTransforms.validate

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.create

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.*

  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.assets.runDiscovery
  • securitycenter.assetsecuritymarks.update
  • securitycenter.attackpaths.list
  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update
  • securitycenter.billingtier.update
  • securitycenter.complianceReports.aggregate
  • securitycenter.compliancesnapshots.list
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update
  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update
  • securitycenter.exposurepathexplan.get
  • securitycenter.findingexplanations.get
  • securitycenter.findingexternalsystems.update
  • securitycenter.findings.bulkMuteUpdate
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setMute
  • securitycenter.findings.setState
  • securitycenter.findings.setWorkflowState
  • securitycenter.findings.update
  • securitycenter.findingsecuritymarks.update
  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update
  • securitycenter.issues.get
  • securitycenter.issues.group
  • securitycenter.issues.list
  • securitycenter.issues.listFilterValues
  • securitycenter.issues.mute
  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update
  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update
  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update
  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update
  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update
  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update
  • securitycenter.securityhealthanalyticscustommodules.create
  • securitycenter.securityhealthanalyticscustommodules.delete
  • securitycenter.securityhealthanalyticscustommodules.get
  • securitycenter.securityhealthanalyticscustommodules.list
  • securitycenter.securityhealthanalyticscustommodules.simulate
  • securitycenter.securityhealthanalyticscustommodules.test
  • securitycenter.securityhealthanalyticscustommodules.update
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update
  • securitycenter.simulations.get
  • securitycenter.sources.get
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • securitycenter.sources.update
  • securitycenter.subscription.get
  • securitycenter.userinterfacemetadata.get
  • securitycenter.valuedresources.list
  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update
  • securitycenter.vulnerabilitysnapshots.list
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.billingMetadata.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.checkOnboardingStatus
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

serviceusage.quotas.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminEditor)

Admin Read-write access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudasset.othercloudconnections.get

cloudasset.othercloudconnections.list

cloudasset.othercloudconnections.verify

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

pubsub.messageTransforms.validate

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.*

  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.assets.runDiscovery

securitycenter.assetsecuritymarks.update

securitycenter.attackpaths.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findingexternalsystems.update

securitycenter.findings.*

  • securitycenter.findings.bulkMuteUpdate
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setMute
  • securitycenter.findings.setState
  • securitycenter.findings.setWorkflowState
  • securitycenter.findings.update

securitycenter.findingsecuritymarks.update

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.issues.*

  • securitycenter.issues.get
  • securitycenter.issues.group
  • securitycenter.issues.list
  • securitycenter.issues.listFilterValues
  • securitycenter.issues.mute

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.*

  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.vulnerabilitysnapshots.list

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.billingMetadata.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.checkOnboardingStatus

securitycentermanagement.securityCommandCenter.generateServiceAccounts

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityCommandCenter.update

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminViewer)

Admin Read access to security center

Lowest-level resources where you can grant this role:

  • Project

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudasset.othercloudconnections.get

cloudasset.othercloudconnections.list

cloudasset.othercloudconnections.verify

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

pubsub.messageTransforms.validate

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.attackpaths.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.issues.get

securitycenter.issues.group

securitycenter.issues.list

securitycenter.issues.listFilterValues

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.vulnerabilitysnapshots.list

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.billingMetadata.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.checkOnboardingStatus

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.assetSecurityMarksWriter)

Write access to asset security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.assetsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsDiscoveryRunner)

Run asset discovery access to assets

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.assets.runDiscovery

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsViewer)

Read access to assets

Lowest-level resources where you can grant this role:

  • Project

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudasset.othercloudconnections.get

cloudasset.othercloudconnections.list

cloudasset.othercloudconnections.verify

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.userinterfacemetadata.get

(roles/securitycenter.attackPathsViewer)

Read access to security center attack paths

securitycenter.attackpaths.list

securitycenter.exposurepathexplan.get

(roles/securitycenter.attackSurfaceManagementScannerServiceAgent)

Gives Mandiant Attack Surface Management the ability to scan Cloud Platform resources.

apigateway.apiconfigs.get

cloudasset.assets.listResource

dns.managedZones.list

dns.resourceRecordSets.list

resourcemanager.projects.get

(roles/securitycenter.automationServiceAgent)

Security Center automation service agent can configure GCP resources to enable security scanning.

cloudasset.feeds.*

  • cloudasset.feeds.create
  • cloudasset.feeds.delete
  • cloudasset.feeds.get
  • cloudasset.feeds.list
  • cloudasset.feeds.update

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

(roles/securitycenter.bigQueryExportsEditor)

Read-Write access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

(roles/securitycenter.bigQueryExportsViewer)

Read access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

(roles/securitycenter.complianceReportsViewer)

Read access to security center compliance reports

securitycenter.complianceReports.aggregate

(roles/securitycenter.complianceSnapshotsViewer)

Read access to security center compliance snapshots

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

(roles/securitycenter.controlServiceAgent)

Security Center Control service agent can monitor and configure GCP resources and import security findings.

accesscontextmanager.gcpUserAccessBindings.get

accesscontextmanager.gcpUserAccessBindings.list

aiplatform.dataItems.list

aiplatform.datasets.list

bigquery.datasets.get

binaryauthorization.policy.get

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.analyzeMove

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportAccessLevel

cloudasset.assets.exportAccessPolicy

cloudasset.assets.exportAiplatformBatchPredictionJobs

cloudasset.assets.exportAiplatformCustomJobs

cloudasset.assets.exportAiplatformDataLabelingJobs

cloudasset.assets.exportAiplatformDatasets

cloudasset.assets.exportAiplatformEndpoints

cloudasset.assets.exportAiplatformHyperparameterTuningJobs

cloudasset.assets.exportAiplatformMetadataStores

cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs

cloudasset.assets.exportAiplatformModels

cloudasset.assets.exportAiplatformPipelineJobs

cloudasset.assets.exportAiplatformSpecialistPools

cloudasset.assets.exportAiplatformTrainingPipelines

cloudasset.assets.exportAllAccessPolicy

cloudasset.assets.exportAnthosConnectedCluster

cloudasset.assets.exportAnthosedgeCluster

cloudasset.assets.exportApigatewayApi

cloudasset.assets.exportApigatewayApiConfig

cloudasset.assets.exportApigatewayGateway

cloudasset.assets.exportApikeysKeys

cloudasset.assets.exportAppengineApplications

cloudasset.assets.exportAppengineServices

cloudasset.assets.exportAppengineVersions

cloudasset.assets.exportArtifactregistryDockerImages

cloudasset.assets.exportArtifactregistryRepositories

cloudasset.assets.exportAssuredWorkloadsWorkloads

cloudasset.assets.exportBeyondCorpApiGateways

cloudasset.assets.exportBeyondCorpAppConnections

cloudasset.assets.exportBeyondCorpAppConnectors

cloudasset.assets.exportBeyondCorpAppGateways

cloudasset.assets.exportBeyondCorpClientConnectorServices

cloudasset.assets.exportBeyondCorpClientGateways

cloudasset.assets.exportBigqueryDatasets

cloudasset.assets.exportBigqueryModels

cloudasset.assets.exportBigqueryTables

cloudasset.assets.exportBigtableAppProfile

cloudasset.assets.exportBigtableBackup

cloudasset.assets.exportBigtableCluster

cloudasset.assets.exportBigtableInstance

cloudasset.assets.exportBigtableTable

cloudasset.assets.exportCloudAssetFeeds

cloudasset.assets.exportCloudDeployDeliveryPipelines

cloudasset.assets.exportCloudDeployReleases

cloudasset.assets.exportCloudDeployRollouts

cloudasset.assets.exportCloudDeployTargets

cloudasset.assets.exportCloudDocumentAIEvaluation

cloudasset.assets.exportCloudDocumentAIHumanReviewConfig

cloudasset.assets.exportCloudDocumentAILabelerPool

cloudasset.assets.exportCloudDocumentAIProcessor

cloudasset.assets.exportCloudDocumentAIProcessorVersion

cloudasset.assets.exportCloudbillingBillingAccounts

cloudasset.assets.exportCloudbillingProjectBillingInfos

cloudasset.assets.exportCloudfunctionsFunctions

cloudasset.assets.exportCloudfunctionsGen2Functions

cloudasset.assets.exportCloudkmsCryptoKeyVersions

cloudasset.assets.exportCloudkmsCryptoKeys

cloudasset.assets.exportCloudkmsEkmConnections

cloudasset.assets.exportCloudkmsImportJobs

cloudasset.assets.exportCloudkmsKeyRings

cloudasset.assets.exportCloudmemcacheInstances

cloudasset.assets.exportCloudresourcemanagerFolders

cloudasset.assets.exportCloudresourcemanagerOrganizations

cloudasset.assets.exportCloudresourcemanagerProjects

cloudasset.assets.exportCloudresourcemanagerTagBindings

cloudasset.assets.exportCloudresourcemanagerTagKeys

cloudasset.assets.exportCloudresourcemanagerTagValues

cloudasset.assets.exportComposerEnvironments

cloudasset.assets.exportComputeAddress

cloudasset.assets.exportComputeAutoscalers

cloudasset.assets.exportComputeBackendBuckets

cloudasset.assets.exportComputeBackendServices

cloudasset.assets.exportComputeCommitments

cloudasset.assets.exportComputeDisks

cloudasset.assets.exportComputeExternalVpnGateways

cloudasset.assets.exportComputeFirewallPolicies

cloudasset.assets.exportComputeFirewalls

cloudasset.assets.exportComputeForwardingRules

cloudasset.assets.exportComputeGlobalAddress

cloudasset.assets.exportComputeGlobalForwardingRules

cloudasset.assets.exportComputeHealthChecks

cloudasset.assets.exportComputeHttpHealthChecks

cloudasset.assets.exportComputeHttpsHealthChecks

cloudasset.assets.exportComputeImages

cloudasset.assets.exportComputeInstanceGroupManagers

cloudasset.assets.exportComputeInstanceGroups

cloudasset.assets.exportComputeInstanceTemplates

cloudasset.assets.exportComputeInstances

cloudasset.assets.exportComputeInterconnect

cloudasset.assets.exportComputeInterconnectAttachment

cloudasset.assets.exportComputeLicenses

cloudasset.assets.exportComputeNetworkEndpointGroups

cloudasset.assets.exportComputeNetworks

cloudasset.assets.exportComputeNodeGroups

cloudasset.assets.exportComputeNodeTemplates

cloudasset.assets.exportComputePacketMirrorings

cloudasset.assets.exportComputeProjects

cloudasset.assets.exportComputeRegionAutoscaler

cloudasset.assets.exportComputeRegionBackendServices

cloudasset.assets.exportComputeRegionDisk

cloudasset.assets.exportComputeRegionInstanceGroup

cloudasset.assets.exportComputeRegionInstanceGroupManager

cloudasset.assets.exportComputeReservations

cloudasset.assets.exportComputeResourcePolicies

cloudasset.assets.exportComputeRouters

cloudasset.assets.exportComputeRoutes

cloudasset.assets.exportComputeSecurityPolicy

cloudasset.assets.exportComputeServiceAttachments

cloudasset.assets.exportComputeSnapshots

cloudasset.assets.exportComputeSslCertificates

cloudasset.assets.exportComputeSslPolicies

cloudasset.assets.exportComputeSubnetworks

cloudasset.assets.exportComputeTargetHttpProxies

cloudasset.assets.exportComputeTargetHttpsProxies

cloudasset.assets.exportComputeTargetInstances

cloudasset.assets.exportComputeTargetPools

cloudasset.assets.exportComputeTargetSslProxies

cloudasset.assets.exportComputeTargetTcpProxies

cloudasset.assets.exportComputeTargetVpnGateways

cloudasset.assets.exportComputeUrlMaps

cloudasset.assets.exportComputeVpnGateways

cloudasset.assets.exportComputeVpnTunnels

cloudasset.assets.exportConnectorsConnections

cloudasset.assets.exportConnectorsConnectorVersions

cloudasset.assets.exportConnectorsConnectors

cloudasset.assets.exportConnectorsProviders

cloudasset.assets.exportConnectorsRuntimeConfigs

cloudasset.assets.exportContainerAppsDeployment

cloudasset.assets.exportContainerAppsReplicaSets

cloudasset.assets.exportContainerBatchJobs

cloudasset.assets.exportContainerClusterrole

cloudasset.assets.exportContainerClusterrolebinding

cloudasset.assets.exportContainerClusters

cloudasset.assets.exportContainerExtensionsIngresses

cloudasset.assets.exportContainerJobs

cloudasset.assets.exportContainerNamespace

cloudasset.assets.exportContainerNetworkingIngresses

cloudasset.assets.exportContainerNetworkingNetworkPolicies

cloudasset.assets.exportContainerNode

cloudasset.assets.exportContainerNodepool

cloudasset.assets.exportContainerPod

cloudasset.assets.exportContainerReplicaSets

cloudasset.assets.exportContainerRole

cloudasset.assets.exportContainerRolebinding

cloudasset.assets.exportContainerServices

cloudasset.assets.exportContainerregistryImage

cloudasset.assets.exportDataMigrationConnectionProfiles

cloudasset.assets.exportDataMigrationMigrationJobs

cloudasset.assets.exportDataflowJobs

cloudasset.assets.exportDatafusionInstance

cloudasset.assets.exportDataplexAssets

cloudasset.assets.exportDataplexLakes

cloudasset.assets.exportDataplexTasks

cloudasset.assets.exportDataplexZones

cloudasset.assets.exportDataprocAutoscalingPolicies

cloudasset.assets.exportDataprocBatches

cloudasset.assets.exportDataprocClusters

cloudasset.assets.exportDataprocJobs

cloudasset.assets.exportDataprocSessions

cloudasset.assets.exportDataprocWorkflowTemplates

cloudasset.assets.exportDatastreamConnectionProfile

cloudasset.assets.exportDatastreamPrivateConnection

cloudasset.assets.exportDatastreamStream

cloudasset.assets.exportDialogflowAgents

cloudasset.assets.exportDialogflowConversationProfiles

cloudasset.assets.exportDialogflowKnowledgeBases

cloudasset.assets.exportDialogflowLocationSettings

cloudasset.assets.exportDlpDeidentifyTemplates

cloudasset.assets.exportDlpDlpJobs

cloudasset.assets.exportDlpInspectTemplates

cloudasset.assets.exportDlpJobTriggers

cloudasset.assets.exportDlpStoredInfoTypes

cloudasset.assets.exportDnsManagedZones

cloudasset.assets.exportDnsPolicies

cloudasset.assets.exportDomainsRegistrations

cloudasset.assets.exportEventarcTriggers

cloudasset.assets.exportFileBackups

cloudasset.assets.exportFileInstances

cloudasset.assets.exportFirebaseAppInfos

cloudasset.assets.exportFirebaseProjects

cloudasset.assets.exportFirestoreDatabases

cloudasset.assets.exportGKEHubFeatures

cloudasset.assets.exportGKEHubMemberships

cloudasset.assets.exportGameservicesGameServerClusters

cloudasset.assets.exportGameservicesGameServerConfigs

cloudasset.assets.exportGameservicesGameServerDeployments

cloudasset.assets.exportGameservicesRealms

cloudasset.assets.exportGkeBackupBackupPlans

cloudasset.assets.exportGkeBackupBackups

cloudasset.assets.exportGkeBackupRestorePlans

cloudasset.assets.exportGkeBackupRestores

cloudasset.assets.exportGkeBackupVolumeBackups

cloudasset.assets.exportGkeBackupVolumeRestores

cloudasset.assets.exportHealthcareConsentStores

cloudasset.assets.exportHealthcareDatasets

cloudasset.assets.exportHealthcareDicomStores

cloudasset.assets.exportHealthcareFhirStores

cloudasset.assets.exportHealthcareHl7V2Stores

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportIamRoles

cloudasset.assets.exportIamServiceAccountKeys

cloudasset.assets.exportIamServiceAccounts

cloudasset.assets.exportIapTunnel

cloudasset.assets.exportIapTunnelInstances

cloudasset.assets.exportIapTunnelZones

cloudasset.assets.exportIapWeb

cloudasset.assets.exportIapWebServiceVersion

cloudasset.assets.exportIapWebServices

cloudasset.assets.exportIapWebType

cloudasset.assets.exportIdsEndpoints

cloudasset.assets.exportIntegrationsAuthConfigs

cloudasset.assets.exportIntegrationsCertificates

cloudasset.assets.exportIntegrationsExecutions

cloudasset.assets.exportIntegrationsIntegrationVersions

cloudasset.assets.exportIntegrationsIntegrations

cloudasset.assets.exportIntegrationsSfdcChannels

cloudasset.assets.exportIntegrationsSfdcInstances

cloudasset.assets.exportIntegrationsSuspensions

cloudasset.assets.exportLoggingLogMetrics

cloudasset.assets.exportLoggingLogSinks

cloudasset.assets.exportManagedidentitiesDomain

cloudasset.assets.exportMetastoreBackups

cloudasset.assets.exportMetastoreMetadataImports

cloudasset.assets.exportMetastoreServices

cloudasset.assets.exportMonitoringAlertPolicies

cloudasset.assets.exportNetworkConnectivityHubs

cloudasset.assets.exportNetworkConnectivitySpokes

cloudasset.assets.exportNetworkManagementConnectivityTests

cloudasset.assets.exportNetworkServicesEndpointPolicies

cloudasset.assets.exportNetworkServicesGateways

cloudasset.assets.exportNetworkServicesGrpcRoutes

cloudasset.assets.exportNetworkServicesHttpRoutes

cloudasset.assets.exportNetworkServicesMeshes

cloudasset.assets.exportNetworkServicesServiceBindings

cloudasset.assets.exportNetworkServicesTcpRoutes

cloudasset.assets.exportNetworkServicesTlsRoutes

cloudasset.assets.exportOSConfigOSPolicyAssignmentReports

cloudasset.assets.exportOSConfigOSPolicyAssignments

cloudasset.assets.exportOSConfigVulnerabilityReports

cloudasset.assets.exportOSInventories

cloudasset.assets.exportOrgPolicy

cloudasset.assets.exportPatchDeployments

cloudasset.assets.exportPubsubSnapshots

cloudasset.assets.exportPubsubSubscriptions

cloudasset.assets.exportPubsubTopics

cloudasset.assets.exportRedisInstances

cloudasset.assets.exportResource

cloudasset.assets.exportSecretManagerSecretVersions

cloudasset.assets.exportSecretManagerSecrets

cloudasset.assets.exportServiceDirectoryNamespaces

cloudasset.assets.exportServicePerimeter

cloudasset.assets.exportServiceconsumermanagementConsumerProperty

cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits

cloudasset.assets.exportServiceconsumermanagementConsumers

cloudasset.assets.exportServiceconsumermanagementProducerOverrides

cloudasset.assets.exportServiceconsumermanagementTenancyUnits

cloudasset.assets.exportServiceconsumermanagementVisibility

cloudasset.assets.exportServicemanagementServices

cloudasset.assets.exportServiceusageAdminOverrides

cloudasset.assets.exportServiceusageConsumerOverrides

cloudasset.assets.exportServiceusageServices

cloudasset.assets.exportSpannerBackups

cloudasset.assets.exportSpannerDatabases

cloudasset.assets.exportSpannerInstances

cloudasset.assets.exportSpeakerIdPhrases

cloudasset.assets.exportSpeakerIdSettings

cloudasset.assets.exportSpeakerIdSpeakers

cloudasset.assets.exportSpeechCustomClasses

cloudasset.assets.exportSpeechPhraseSets

cloudasset.assets.exportSqladminBackupRuns

cloudasset.assets.exportSqladminInstances

cloudasset.assets.exportStorageBuckets

cloudasset.assets.exportTpuNodes

cloudasset.assets.exportVpcaccessConnector

cloudasset.assets.listAccessLevel

cloudasset.assets.listAccessPolicy

cloudasset.assets.listAiplatformBatchPredictionJobs

cloudasset.assets.listAiplatformCustomJobs

cloudasset.assets.listAiplatformDataLabelingJobs

cloudasset.assets.listAiplatformDatasets

cloudasset.assets.listAiplatformEndpoints

cloudasset.assets.listAiplatformHyperparameterTuningJobs

cloudasset.assets.listAiplatformMetadataStores

cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs

cloudasset.assets.listAiplatformModels

cloudasset.assets.listAiplatformPipelineJobs

cloudasset.assets.listAiplatformSpecialistPools

cloudasset.assets.listAiplatformTrainingPipelines

cloudasset.assets.listAllAccessPolicy

cloudasset.assets.listAnthosConnectedCluster

cloudasset.assets.listAnthosedgeCluster

cloudasset.assets.listApigatewayApi

cloudasset.assets.listApigatewayApiConfig

cloudasset.assets.listApigatewayGateway

cloudasset.assets.listApikeysKeys

cloudasset.assets.listAppengineApplications

cloudasset.assets.listAppengineServices

cloudasset.assets.listAppengineVersions

cloudasset.assets.listArtifactregistryDockerImages

cloudasset.assets.listArtifactregistryRepositories

cloudasset.assets.listAssuredWorkloadsWorkloads

cloudasset.assets.listBeyondCorpApiGateways

cloudasset.assets.listBeyondCorpAppConnections

cloudasset.assets.listBeyondCorpAppConnectors

cloudasset.assets.listBeyondCorpAppGateways

cloudasset.assets.listBeyondCorpClientConnectorServices

cloudasset.assets.listBeyondCorpClientGateways

cloudasset.assets.listBigqueryDatasets

cloudasset.assets.listBigqueryModels

cloudasset.assets.listBigqueryTables

cloudasset.assets.listBigtableAppProfile

cloudasset.assets.listBigtableBackup

cloudasset.assets.listBigtableCluster

cloudasset.assets.listBigtableInstance

cloudasset.assets.listBigtableTable

cloudasset.assets.listCloudAssetFeeds

cloudasset.assets.listCloudDeployDeliveryPipelines

cloudasset.assets.listCloudDeployReleases

cloudasset.assets.listCloudDeployRollouts

cloudasset.assets.listCloudDeployTargets

cloudasset.assets.listCloudDocumentAIEvaluation

cloudasset.assets.listCloudDocumentAIHumanReviewConfig

cloudasset.assets.listCloudDocumentAILabelerPool

cloudasset.assets.listCloudDocumentAIProcessor

cloudasset.assets.listCloudDocumentAIProcessorVersion

cloudasset.assets.listCloudbillingBillingAccounts

cloudasset.assets.listCloudbillingProjectBillingInfos

cloudasset.assets.listCloudfunctionsFunctions

cloudasset.assets.listCloudfunctionsGen2Functions

cloudasset.assets.listCloudkmsCryptoKeyVersions

cloudasset.assets.listCloudkmsCryptoKeys

cloudasset.assets.listCloudkmsEkmConnections

cloudasset.assets.listCloudkmsImportJobs

cloudasset.assets.listCloudkmsKeyRings

cloudasset.assets.listCloudmemcacheInstances

cloudasset.assets.listCloudresourcemanagerFolders

cloudasset.assets.listCloudresourcemanagerOrganizations

cloudasset.assets.listCloudresourcemanagerProjects

cloudasset.assets.listCloudresourcemanagerTagBindings

cloudasset.assets.listCloudresourcemanagerTagKeys

cloudasset.assets.listCloudresourcemanagerTagValues

cloudasset.assets.listComposerEnvironments

cloudasset.assets.listComputeAddress

cloudasset.assets.listComputeAutoscalers

cloudasset.assets.listComputeBackendBuckets

cloudasset.assets.listComputeBackendServices

cloudasset.assets.listComputeCommitments

cloudasset.assets.listComputeDisks

cloudasset.assets.listComputeExternalVpnGateways

cloudasset.assets.listComputeFirewallPolicies

cloudasset.assets.listComputeFirewalls

cloudasset.assets.listComputeForwardingRules

cloudasset.assets.listComputeGlobalAddress

cloudasset.assets.listComputeGlobalForwardingRules

cloudasset.assets.listComputeHealthChecks

cloudasset.assets.listComputeHttpHealthChecks

cloudasset.assets.listComputeHttpsHealthChecks

cloudasset.assets.listComputeImages

cloudasset.assets.listComputeInstanceGroupManagers

cloudasset.assets.listComputeInstanceGroups

cloudasset.assets.listComputeInstanceTemplates

cloudasset.assets.listComputeInstances

cloudasset.assets.listComputeInterconnect

cloudasset.assets.listComputeInterconnectAttachment

cloudasset.assets.listComputeLicenses

cloudasset.assets.listComputeNetworkEndpointGroups

cloudasset.assets.listComputeNetworks

cloudasset.assets.listComputeNodeGroups

cloudasset.assets.listComputeNodeTemplates

cloudasset.assets.listComputePacketMirrorings

cloudasset.assets.listComputeProjects

cloudasset.assets.listComputeRegionAutoscaler

cloudasset.assets.listComputeRegionBackendServices

cloudasset.assets.listComputeRegionDisk

cloudasset.assets.listComputeRegionInstanceGroup

cloudasset.assets.listComputeRegionInstanceGroupManager

cloudasset.assets.listComputeReservations

cloudasset.assets.listComputeResourcePolicies

cloudasset.assets.listComputeRouters

cloudasset.assets.listComputeRoutes

cloudasset.assets.listComputeSecurityPolicy

cloudasset.assets.listComputeServiceAttachments

cloudasset.assets.listComputeSnapshots

cloudasset.assets.listComputeSslCertificates

cloudasset.assets.listComputeSslPolicies

cloudasset.assets.listComputeSubnetworks

cloudasset.assets.listComputeTargetHttpProxies

cloudasset.assets.listComputeTargetHttpsProxies

cloudasset.assets.listComputeTargetInstances

cloudasset.assets.listComputeTargetPools

cloudasset.assets.listComputeTargetSslProxies

cloudasset.assets.listComputeTargetTcpProxies

cloudasset.assets.listComputeTargetVpnGateways

cloudasset.assets.listComputeUrlMaps

cloudasset.assets.listComputeVpnGateways

cloudasset.assets.listComputeVpnTunnels

cloudasset.assets.listConnectorsConnections

cloudasset.assets.listConnectorsConnectorVersions

cloudasset.assets.listConnectorsConnectors

cloudasset.assets.listConnectorsProviders

cloudasset.assets.listConnectorsRuntimeConfigs

cloudasset.assets.listContainerAppsDeployment

cloudasset.assets.listContainerAppsReplicaSets

cloudasset.assets.listContainerBatchJobs

cloudasset.assets.listContainerClusterrole

cloudasset.assets.listContainerClusterrolebinding

cloudasset.assets.listContainerClusters

cloudasset.assets.listContainerExtensionsIngresses

cloudasset.assets.listContainerJobs

cloudasset.assets.listContainerNamespace

cloudasset.assets.listContainerNetworkingIngresses

cloudasset.assets.listContainerNetworkingNetworkPolicies

cloudasset.assets.listContainerNode

cloudasset.assets.listContainerNodepool

cloudasset.assets.listContainerPod

cloudasset.assets.listContainerReplicaSets

cloudasset.assets.listContainerRole

cloudasset.assets.listContainerRolebinding

cloudasset.assets.listContainerServices

cloudasset.assets.listContainerregistryImage

cloudasset.assets.listDataMigrationConnectionProfiles

cloudasset.assets.listDataMigrationMigrationJobs

cloudasset.assets.listDataflowJobs

cloudasset.assets.listDatafusionInstance

cloudasset.assets.listDataplexAssets

cloudasset.assets.listDataplexLakes

cloudasset.assets.listDataplexTasks

cloudasset.assets.listDataplexZones

cloudasset.assets.listDataprocAutoscalingPolicies

cloudasset.assets.listDataprocBatches

cloudasset.assets.listDataprocClusters

cloudasset.assets.listDataprocJobs

cloudasset.assets.listDataprocSessions

cloudasset.assets.listDataprocWorkflowTemplates

cloudasset.assets.listDatastreamConnectionProfile

cloudasset.assets.listDatastreamPrivateConnection

cloudasset.assets.listDatastreamStream

cloudasset.assets.listDialogflowAgents

cloudasset.assets.listDialogflowConversationProfiles

cloudasset.assets.listDialogflowKnowledgeBases

cloudasset.assets.listDialogflowLocationSettings

cloudasset.assets.listDlpDeidentifyTemplates

cloudasset.assets.listDlpDlpJobs

cloudasset.assets.listDlpInspectTemplates

cloudasset.assets.listDlpJobTriggers

cloudasset.assets.listDlpStoredInfoTypes

cloudasset.assets.listDnsManagedZones

cloudasset.assets.listDnsPolicies

cloudasset.assets.listDomainsRegistrations

cloudasset.assets.listEventarcTriggers

cloudasset.assets.listFileBackups

cloudasset.assets.listFileInstances

cloudasset.assets.listFirebaseAppInfos

cloudasset.assets.listFirebaseProjects

cloudasset.assets.listFirestoreDatabases

cloudasset.assets.listGKEHubFeatures

cloudasset.assets.listGKEHubMemberships

cloudasset.assets.listGameservicesGameServerClusters

cloudasset.assets.listGameservicesGameServerConfigs

cloudasset.assets.listGameservicesGameServerDeployments

cloudasset.assets.listGameservicesRealms

cloudasset.assets.listGkeBackupBackupPlans

cloudasset.assets.listGkeBackupBackups

cloudasset.assets.listGkeBackupRestorePlans

cloudasset.assets.listGkeBackupRestores

cloudasset.assets.listGkeBackupVolumeBackups

cloudasset.assets.listGkeBackupVolumeRestores

cloudasset.assets.listHealthcareConsentStores

cloudasset.assets.listHealthcareDatasets

cloudasset.assets.listHealthcareDicomStores

cloudasset.assets.listHealthcareFhirStores

cloudasset.assets.listHealthcareHl7V2Stores

cloudasset.assets.listIamPolicy

cloudasset.assets.listIamRoles

cloudasset.assets.listIamServiceAccountKeys

cloudasset.assets.listIamServiceAccounts

cloudasset.assets.listIapTunnel

cloudasset.assets.listIapTunnelInstances

cloudasset.assets.listIapTunnelZones

cloudasset.assets.listIapWeb

cloudasset.assets.listIapWebServiceVersion

cloudasset.assets.listIapWebServices

cloudasset.assets.listIapWebType

cloudasset.assets.listIdsEndpoints

cloudasset.assets.listIntegrationsAuthConfigs

cloudasset.assets.listIntegrationsCertificates

cloudasset.assets.listIntegrationsExecutions

cloudasset.assets.listIntegrationsIntegrationVersions

cloudasset.assets.listIntegrationsIntegrations

cloudasset.assets.listIntegrationsSfdcChannels

cloudasset.assets.listIntegrationsSfdcInstances

cloudasset.assets.listIntegrationsSuspensions

cloudasset.assets.listLoggingLogMetrics

cloudasset.assets.listLoggingLogSinks

cloudasset.assets.listManagedidentitiesDomain

cloudasset.assets.listMetastoreBackups

cloudasset.assets.listMetastoreMetadataImports

cloudasset.assets.listMetastoreServices

cloudasset.assets.listMonitoringAlertPolicies

cloudasset.assets.listNetworkConnectivityHubs

cloudasset.assets.listNetworkConnectivitySpokes

cloudasset.assets.listNetworkManagementConnectivityTests

cloudasset.assets.listNetworkServicesEndpointPolicies

cloudasset.assets.listNetworkServicesGateways

cloudasset.assets.listNetworkServicesGrpcRoutes

cloudasset.assets.listNetworkServicesHttpRoutes

cloudasset.assets.listNetworkServicesMeshes

cloudasset.assets.listNetworkServicesServiceBindings

cloudasset.assets.listNetworkServicesTcpRoutes

cloudasset.assets.listNetworkServicesTlsRoutes

cloudasset.assets.listOSConfigOSPolicyAssignmentReports

cloudasset.assets.listOSConfigOSPolicyAssignments

cloudasset.assets.listOSConfigVulnerabilityReports

cloudasset.assets.listOSInventories

cloudasset.assets.listOrgPolicy

cloudasset.assets.listPatchDeployments

cloudasset.assets.listPubsubSnapshots

cloudasset.assets.listPubsubSubscriptions

cloudasset.assets.listPubsubTopics

cloudasset.assets.listRedisInstances

cloudasset.assets.listResource

cloudasset.assets.listRunDomainMapping

cloudasset.assets.listRunRevision

cloudasset.assets.listRunService

cloudasset.assets.listSecretManagerSecretVersions

cloudasset.assets.listSecretManagerSecrets

cloudasset.assets.listServiceDirectoryNamespaces

cloudasset.assets.listServicePerimeter

cloudasset.assets.listServiceconsumermanagementConsumerProperty

cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits

cloudasset.assets.listServiceconsumermanagementConsumers

cloudasset.assets.listServiceconsumermanagementProducerOverrides

cloudasset.assets.listServiceconsumermanagementTenancyUnits

cloudasset.assets.listServiceconsumermanagementVisibility

cloudasset.assets.listServicemanagementServices

cloudasset.assets.listServiceusageAdminOverrides

cloudasset.assets.listServiceusageConsumerOverrides

cloudasset.assets.listServiceusageServices

cloudasset.assets.listSpannerBackups

cloudasset.assets.listSpannerDatabases

cloudasset.assets.listSpannerInstances

cloudasset.assets.listSpeakerIdPhrases

cloudasset.assets.listSpeakerIdSettings

cloudasset.assets.listSpeakerIdSpeakers

cloudasset.assets.listSpeechCustomClasses

cloudasset.assets.listSpeechPhraseSets

cloudasset.assets.listSqladminBackupRuns

cloudasset.assets.listSqladminInstances

cloudasset.assets.listStorageBuckets

cloudasset.assets.listTpuNodes

cloudasset.assets.listVpcaccessConnector

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.feeds.*

  • cloudasset.feeds.create
  • cloudasset.feeds.delete
  • cloudasset.feeds.get
  • cloudasset.feeds.list
  • cloudasset.feeds.update

cloudasset.othercloudconnections.get

cloudasset.othercloudconnections.list

cloudasset.othercloudconnections.verify

cloudsql.instances.connect

cloudsql.users.list

compute.disks.useReadOnly

compute.globalOperations.get

compute.instances.get

compute.instances.list

compute.networkEndpointGroups.get

compute.projects.get

compute.regionOperations.get

compute.zoneOperations.get

container.clusters.get

iam.denypolicies.get

iam.denypolicies.list

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPools.list

logging.logEntries.list

monitoring.alertPolicies.list

monitoring.timeSeries.list

orgpolicy.policies.list

orgpolicy.policy.get

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

  • recommender.locations.get
  • recommender.locations.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.list

securitycenter.assetsecuritymarks.update

securitycenter.findings.list

securitycenter.notificationconfig.create

securitycenter.notificationconfig.delete

securitycenter.notificationconfig.update

securitycenter.organizationsettings.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

securitycenter.simulations.get

securitycenter.sources.list

securitycenter.valuedresources.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.update

serviceusage.quotas.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

stackdriver.projects.get

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

(roles/securitycenter.externalSystemsEditor)

Write access to security center external systems

securitycenter.findingexternalsystems.update

(roles/securitycenter.findingSecurityMarksWriter)

Write access to finding security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findingsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsBulkMuteEditor)

Ability to mute findings in bulk

securitycenter.findings.bulkMuteUpdate

(roles/securitycenter.findingsEditor)

Read-write access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.bulkMuteUpdate

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.findings.setMute

securitycenter.findings.setState

securitycenter.findings.update

securitycenter.issues.*

  • securitycenter.issues.get
  • securitycenter.issues.group
  • securitycenter.issues.list
  • securitycenter.issues.listFilterValues
  • securitycenter.issues.mute

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

securitycenter.vulnerabilitysnapshots.list

(roles/securitycenter.findingsMuteSetter)

Set mute access to findings

securitycenter.findings.setMute

(roles/securitycenter.findingsStateSetter)

Set state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsViewer)

Read access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.issues.get

securitycenter.issues.group

securitycenter.issues.list

securitycenter.issues.listFilterValues

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

securitycenter.vulnerabilitysnapshots.list

(roles/securitycenter.findingsWorkflowStateSetter)

Set workflow state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setWorkflowState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.integrationExecutorServiceAgent)

Gives Security Center access to execute Integrations.

integrations.securityExecutions.cancel

integrations.securityExecutions.list

integrations.securityIntegrations.invoke

(roles/securitycenter.issuesEditor)

Write access to security center issues

securitycenter.issues.*

  • securitycenter.issues.get
  • securitycenter.issues.group
  • securitycenter.issues.list
  • securitycenter.issues.listFilterValues
  • securitycenter.issues.mute

(roles/securitycenter.issuesViewer)

Read access to security center issues

securitycenter.issues.get

securitycenter.issues.group

securitycenter.issues.list

securitycenter.issues.listFilterValues

(roles/securitycenter.muteConfigsEditor)

Read-Write access to security center mute configurations

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

(roles/securitycenter.muteConfigsViewer)

Read access to security center mute configurations

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

(roles/securitycenter.notificationConfigEditor)

Write access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.notificationConfigViewer)

Read access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.notificationServiceAgent)

Security Center service agent can publish notifications to Pub/Sub topics.

pubsub.topics.publish

(roles/securitycenter.resourceValueConfigsEditor)

Read-Write access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.*

  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update

(roles/securitycenter.resourceValueConfigsViewer)

Read access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

(roles/securitycenter.securityHealthAnalyticsCustomModulesTester)

Test access to Security Health Analytics Custom Modules

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.securityHealthAnalyticsServiceAgent)

Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.

bigquery.datasets.get

binaryauthorization.policy.get

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.analyzeMove

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportAccessLevel

cloudasset.assets.exportAccessPolicy

cloudasset.assets.exportAiplatformBatchPredictionJobs

cloudasset.assets.exportAiplatformCustomJobs

cloudasset.assets.exportAiplatformDataLabelingJobs

cloudasset.assets.exportAiplatformDatasets

cloudasset.assets.exportAiplatformEndpoints

cloudasset.assets.exportAiplatformHyperparameterTuningJobs

cloudasset.assets.exportAiplatformMetadataStores

cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs

cloudasset.assets.exportAiplatformModels

cloudasset.assets.exportAiplatformPipelineJobs

cloudasset.assets.exportAiplatformSpecialistPools

cloudasset.assets.exportAiplatformTrainingPipelines

cloudasset.assets.exportAllAccessPolicy

cloudasset.assets.exportAnthosConnectedCluster

cloudasset.assets.exportAnthosedgeCluster

cloudasset.assets.exportApigatewayApi

cloudasset.assets.exportApigatewayApiConfig

cloudasset.assets.exportApigatewayGateway

cloudasset.assets.exportApikeysKeys

cloudasset.assets.exportAppengineApplications

cloudasset.assets.exportAppengineServices

cloudasset.assets.exportAppengineVersions

cloudasset.assets.exportArtifactregistryDockerImages

cloudasset.assets.exportArtifactregistryRepositories

cloudasset.assets.exportAssuredWorkloadsWorkloads

cloudasset.assets.exportBeyondCorpApiGateways

cloudasset.assets.exportBeyondCorpAppConnections

cloudasset.assets.exportBeyondCorpAppConnectors

cloudasset.assets.exportBeyondCorpAppGateways

cloudasset.assets.exportBeyondCorpClientConnectorServices

cloudasset.assets.exportBeyondCorpClientGateways

cloudasset.assets.exportBigqueryDatasets

cloudasset.assets.exportBigqueryModels

cloudasset.assets.exportBigqueryTables

cloudasset.assets.exportBigtableAppProfile

cloudasset.assets.exportBigtableBackup

cloudasset.assets.exportBigtableCluster

cloudasset.assets.exportBigtableInstance

cloudasset.assets.exportBigtableTable

cloudasset.assets.exportCloudAssetFeeds

cloudasset.assets.exportCloudDeployDeliveryPipelines

cloudasset.assets.exportCloudDeployReleases

cloudasset.assets.exportCloudDeployRollouts

cloudasset.assets.exportCloudDeployTargets

cloudasset.assets.exportCloudDocumentAIEvaluation

cloudasset.assets.exportCloudDocumentAIHumanReviewConfig

cloudasset.assets.exportCloudDocumentAILabelerPool

cloudasset.assets.exportCloudDocumentAIProcessor

cloudasset.assets.exportCloudDocumentAIProcessorVersion

cloudasset.assets.exportCloudbillingBillingAccounts

cloudasset.assets.exportCloudbillingProjectBillingInfos

cloudasset.assets.exportCloudfunctionsFunctions

cloudasset.assets.exportCloudfunctionsGen2Functions

cloudasset.assets.exportCloudkmsCryptoKeyVersions

cloudasset.assets.exportCloudkmsCryptoKeys

cloudasset.assets.exportCloudkmsEkmConnections

cloudasset.assets.exportCloudkmsImportJobs

cloudasset.assets.exportCloudkmsKeyRings

cloudasset.assets.exportCloudmemcacheInstances

cloudasset.assets.exportCloudresourcemanagerFolders

cloudasset.assets.exportCloudresourcemanagerOrganizations

cloudasset.assets.exportCloudresourcemanagerProjects

cloudasset.assets.exportCloudresourcemanagerTagBindings

cloudasset.assets.exportCloudresourcemanagerTagKeys

cloudasset.assets.exportCloudresourcemanagerTagValues

cloudasset.assets.exportComposerEnvironments

cloudasset.assets.exportComputeAddress

cloudasset.assets.exportComputeAutoscalers

cloudasset.assets.exportComputeBackendBuckets

cloudasset.assets.exportComputeBackendServices

cloudasset.assets.exportComputeCommitments

cloudasset.assets.exportComputeDisks

cloudasset.assets.exportComputeExternalVpnGateways

cloudasset.assets.exportComputeFirewallPolicies

cloudasset.assets.exportComputeFirewalls

cloudasset.assets.exportComputeForwardingRules

cloudasset.assets.exportComputeGlobalAddress

cloudasset.assets.exportComputeGlobalForwardingRules

cloudasset.assets.exportComputeHealthChecks

cloudasset.assets.exportComputeHttpHealthChecks

cloudasset.assets.exportComputeHttpsHealthChecks

cloudasset.assets.exportComputeImages

cloudasset.assets.exportComputeInstanceGroupManagers

cloudasset.assets.exportComputeInstanceGroups

cloudasset.assets.exportComputeInstanceTemplates

cloudasset.assets.exportComputeInstances

cloudasset.assets.exportComputeInterconnect

cloudasset.assets.exportComputeInterconnectAttachment

cloudasset.assets.exportComputeLicenses

cloudasset.assets.exportComputeNetworkEndpointGroups

cloudasset.assets.exportComputeNetworks

cloudasset.assets.exportComputeNodeGroups

cloudasset.assets.exportComputeNodeTemplates

cloudasset.assets.exportComputePacketMirrorings

cloudasset.assets.exportComputeProjects

cloudasset.assets.exportComputeRegionAutoscaler

cloudasset.assets.exportComputeRegionBackendServices

cloudasset.assets.exportComputeRegionDisk

cloudasset.assets.exportComputeRegionInstanceGroup

cloudasset.assets.exportComputeRegionInstanceGroupManager

cloudasset.assets.exportComputeReservations

cloudasset.assets.exportComputeResourcePolicies

cloudasset.assets.exportComputeRouters

cloudasset.assets.exportComputeRoutes

cloudasset.assets.exportComputeSecurityPolicy

cloudasset.assets.exportComputeServiceAttachments

cloudasset.assets.exportComputeSnapshots

cloudasset.assets.exportComputeSslCertificates

cloudasset.assets.exportComputeSslPolicies

cloudasset.assets.exportComputeSubnetworks

cloudasset.assets.exportComputeTargetHttpProxies

cloudasset.assets.exportComputeTargetHttpsProxies

cloudasset.assets.exportComputeTargetInstances

cloudasset.assets.exportComputeTargetPools

cloudasset.assets.exportComputeTargetSslProxies

cloudasset.assets.exportComputeTargetTcpProxies

cloudasset.assets.exportComputeTargetVpnGateways

cloudasset.assets.exportComputeUrlMaps

cloudasset.assets.exportComputeVpnGateways

cloudasset.assets.exportComputeVpnTunnels

cloudasset.assets.exportConnectorsConnections

cloudasset.assets.exportConnectorsConnectorVersions

cloudasset.assets.exportConnectorsConnectors

cloudasset.assets.exportConnectorsProviders

cloudasset.assets.exportConnectorsRuntimeConfigs

cloudasset.assets.exportContainerAppsDeployment

cloudasset.assets.exportContainerAppsReplicaSets

cloudasset.assets.exportContainerBatchJobs

cloudasset.assets.exportContainerClusterrole

cloudasset.assets.exportContainerClusterrolebinding

cloudasset.assets.exportContainerClusters

cloudasset.assets.exportContainerExtensionsIngresses

cloudasset.assets.exportContainerJobs

cloudasset.assets.exportContainerNamespace

cloudasset.assets.exportContainerNetworkingIngresses

cloudasset.assets.exportContainerNetworkingNetworkPolicies

cloudasset.assets.exportContainerNode

cloudasset.assets.exportContainerNodepool

cloudasset.assets.exportContainerPod

cloudasset.assets.exportContainerReplicaSets

cloudasset.assets.exportContainerRole

cloudasset.assets.exportContainerRolebinding

cloudasset.assets.exportContainerServices

cloudasset.assets.exportContainerregistryImage

cloudasset.assets.exportDataMigrationConnectionProfiles

cloudasset.assets.exportDataMigrationMigrationJobs

cloudasset.assets.exportDataflowJobs

cloudasset.assets.exportDatafusionInstance

cloudasset.assets.exportDataplexAssets

cloudasset.assets.exportDataplexLakes

cloudasset.assets.exportDataplexTasks

cloudasset.assets.exportDataplexZones

cloudasset.assets.exportDataprocAutoscalingPolicies

cloudasset.assets.exportDataprocBatches

cloudasset.assets.exportDataprocClusters

cloudasset.assets.exportDataprocJobs

cloudasset.assets.exportDataprocSessions

cloudasset.assets.exportDataprocWorkflowTemplates

cloudasset.assets.exportDatastreamConnectionProfile

cloudasset.assets.exportDatastreamPrivateConnection

cloudasset.assets.exportDatastreamStream

cloudasset.assets.exportDialogflowAgents

cloudasset.assets.exportDialogflowConversationProfiles

cloudasset.assets.exportDialogflowKnowledgeBases

cloudasset.assets.exportDialogflowLocationSettings

cloudasset.assets.exportDlpDeidentifyTemplates

cloudasset.assets.exportDlpDlpJobs

cloudasset.assets.exportDlpInspectTemplates

cloudasset.assets.exportDlpJobTriggers

cloudasset.assets.exportDlpStoredInfoTypes

cloudasset.assets.exportDnsManagedZones

cloudasset.assets.exportDnsPolicies

cloudasset.assets.exportDomainsRegistrations

cloudasset.assets.exportEventarcTriggers

cloudasset.assets.exportFileBackups

cloudasset.assets.exportFileInstances

cloudasset.assets.exportFirebaseAppInfos

cloudasset.assets.exportFirebaseProjects

cloudasset.assets.exportFirestoreDatabases

cloudasset.assets.exportGKEHubFeatures

cloudasset.assets.exportGKEHubMemberships

cloudasset.assets.exportGameservicesGameServerClusters

cloudasset.assets.exportGameservicesGameServerConfigs

cloudasset.assets.exportGameservicesGameServerDeployments

cloudasset.assets.exportGameservicesRealms

cloudasset.assets.exportGkeBackupBackupPlans

cloudasset.assets.exportGkeBackupBackups

cloudasset.assets.exportGkeBackupRestorePlans

cloudasset.assets.exportGkeBackupRestores

cloudasset.assets.exportGkeBackupVolumeBackups

cloudasset.assets.exportGkeBackupVolumeRestores

cloudasset.assets.exportHealthcareConsentStores

cloudasset.assets.exportHealthcareDatasets

cloudasset.assets.exportHealthcareDicomStores

cloudasset.assets.exportHealthcareFhirStores

cloudasset.assets.exportHealthcareHl7V2Stores

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportIamRoles

cloudasset.assets.exportIamServiceAccountKeys

cloudasset.assets.exportIamServiceAccounts

cloudasset.assets.exportIapTunnel

cloudasset.assets.exportIapTunnelInstances

cloudasset.assets.exportIapTunnelZones

cloudasset.assets.exportIapWeb

cloudasset.assets.exportIapWebServiceVersion

cloudasset.assets.exportIapWebServices

cloudasset.assets.exportIapWebType

cloudasset.assets.exportIdsEndpoints

cloudasset.assets.exportIntegrationsAuthConfigs

cloudasset.assets.exportIntegrationsCertificates

cloudasset.assets.exportIntegrationsExecutions

cloudasset.assets.exportIntegrationsIntegrationVersions

cloudasset.assets.exportIntegrationsIntegrations

cloudasset.assets.exportIntegrationsSfdcChannels

cloudasset.assets.exportIntegrationsSfdcInstances

cloudasset.assets.exportIntegrationsSuspensions

cloudasset.assets.exportLoggingLogMetrics

cloudasset.assets.exportLoggingLogSinks

cloudasset.assets.exportManagedidentitiesDomain

cloudasset.assets.exportMetastoreBackups

cloudasset.assets.exportMetastoreMetadataImports

cloudasset.assets.exportMetastoreServices

cloudasset.assets.exportMonitoringAlertPolicies

cloudasset.assets.exportNetworkConnectivityHubs

cloudasset.assets.exportNetworkConnectivitySpokes

cloudasset.assets.exportNetworkManagementConnectivityTests

cloudasset.assets.exportNetworkServicesEndpointPolicies

cloudasset.assets.exportNetworkServicesGateways

cloudasset.assets.exportNetworkServicesGrpcRoutes

cloudasset.assets.exportNetworkServicesHttpRoutes

cloudasset.assets.exportNetworkServicesMeshes

cloudasset.assets.exportNetworkServicesServiceBindings

cloudasset.assets.exportNetworkServicesTcpRoutes

cloudasset.assets.exportNetworkServicesTlsRoutes

cloudasset.assets.exportOSConfigOSPolicyAssignmentReports

cloudasset.assets.exportOSConfigOSPolicyAssignments

cloudasset.assets.exportOSConfigVulnerabilityReports

cloudasset.assets.exportOSInventories

cloudasset.assets.exportOrgPolicy

cloudasset.assets.exportPatchDeployments

cloudasset.assets.exportPubsubSnapshots

cloudasset.assets.exportPubsubSubscriptions

cloudasset.assets.exportPubsubTopics

cloudasset.assets.exportRedisInstances

cloudasset.assets.exportResource

cloudasset.assets.exportSecretManagerSecretVersions

cloudasset.assets.exportSecretManagerSecrets

cloudasset.assets.exportServiceDirectoryNamespaces

cloudasset.assets.exportServicePerimeter

cloudasset.assets.exportServiceconsumermanagementConsumerProperty

cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits

cloudasset.assets.exportServiceconsumermanagementConsumers

cloudasset.assets.exportServiceconsumermanagementProducerOverrides

cloudasset.assets.exportServiceconsumermanagementTenancyUnits

cloudasset.assets.exportServiceconsumermanagementVisibility

cloudasset.assets.exportServicemanagementServices

cloudasset.assets.exportServiceusageAdminOverrides

cloudasset.assets.exportServiceusageConsumerOverrides

cloudasset.assets.exportServiceusageServices

cloudasset.assets.exportSpannerBackups

cloudasset.assets.exportSpannerDatabases

cloudasset.assets.exportSpannerInstances

cloudasset.assets.exportSpeakerIdPhrases

cloudasset.assets.exportSpeakerIdSettings

cloudasset.assets.exportSpeakerIdSpeakers

cloudasset.assets.exportSpeechCustomClasses

cloudasset.assets.exportSpeechPhraseSets

cloudasset.assets.exportSqladminBackupRuns

cloudasset.assets.exportSqladminInstances

cloudasset.assets.exportStorageBuckets

cloudasset.assets.exportTpuNodes

cloudasset.assets.exportVpcaccessConnector

cloudasset.assets.listAccessLevel

cloudasset.assets.listAccessPolicy

cloudasset.assets.listAiplatformBatchPredictionJobs

cloudasset.assets.listAiplatformCustomJobs

cloudasset.assets.listAiplatformDataLabelingJobs

cloudasset.assets.listAiplatformDatasets

cloudasset.assets.listAiplatformEndpoints

cloudasset.assets.listAiplatformHyperparameterTuningJobs

cloudasset.assets.listAiplatformMetadataStores

cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs

cloudasset.assets.listAiplatformModels

cloudasset.assets.listAiplatformPipelineJobs

cloudasset.assets.listAiplatformSpecialistPools

cloudasset.assets.listAiplatformTrainingPipelines

cloudasset.assets.listAllAccessPolicy

cloudasset.assets.listAnthosConnectedCluster

cloudasset.assets.listAnthosedgeCluster

cloudasset.assets.listApigatewayApi

cloudasset.assets.listApigatewayApiConfig

cloudasset.assets.listApigatewayGateway

cloudasset.assets.listApikeysKeys

cloudasset.assets.listAppengineApplications

cloudasset.assets.listAppengineServices

cloudasset.assets.listAppengineVersions

cloudasset.assets.listArtifactregistryDockerImages

cloudasset.assets.listArtifactregistryRepositories

cloudasset.assets.listAssuredWorkloadsWorkloads

cloudasset.assets.listBeyondCorpApiGateways

cloudasset.assets.listBeyondCorpAppConnections

cloudasset.assets.listBeyondCorpAppConnectors

cloudasset.assets.listBeyondCorpAppGateways

cloudasset.assets.listBeyondCorpClientConnectorServices

cloudasset.assets.listBeyondCorpClientGateways

cloudasset.assets.listBigqueryDatasets

cloudasset.assets.listBigqueryModels

cloudasset.assets.listBigqueryTables

cloudasset.assets.listBigtableAppProfile

cloudasset.assets.listBigtableBackup

cloudasset.assets.listBigtableCluster

cloudasset.assets.listBigtableInstance

cloudasset.assets.listBigtableTable

cloudasset.assets.listCloudAssetFeeds

cloudasset.assets.listCloudDeployDeliveryPipelines

cloudasset.assets.listCloudDeployReleases

cloudasset.assets.listCloudDeployRollouts

cloudasset.assets.listCloudDeployTargets

cloudasset.assets.listCloudDocumentAIEvaluation

cloudasset.assets.listCloudDocumentAIHumanReviewConfig

cloudasset.assets.listCloudDocumentAILabelerPool

cloudasset.assets.listCloudDocumentAIProcessor

cloudasset.assets.listCloudDocumentAIProcessorVersion

cloudasset.assets.listCloudbillingBillingAccounts

cloudasset.assets.listCloudbillingProjectBillingInfos

cloudasset.assets.listCloudfunctionsFunctions

cloudasset.assets.listCloudfunctionsGen2Functions

cloudasset.assets.listCloudkmsCryptoKeyVersions

cloudasset.assets.listCloudkmsCryptoKeys

cloudasset.assets.listCloudkmsEkmConnections

cloudasset.assets.listCloudkmsImportJobs

cloudasset.assets.listCloudkmsKeyRings

cloudasset.assets.listCloudmemcacheInstances

cloudasset.assets.listCloudresourcemanagerFolders

cloudasset.assets.listCloudresourcemanagerOrganizations

cloudasset.assets.listCloudresourcemanagerProjects

cloudasset.assets.listCloudresourcemanagerTagBindings

cloudasset.assets.listCloudresourcemanagerTagKeys

cloudasset.assets.listCloudresourcemanagerTagValues

cloudasset.assets.listComposerEnvironments

cloudasset.assets.listComputeAddress

cloudasset.assets.listComputeAutoscalers

cloudasset.assets.listComputeBackendBuckets

cloudasset.assets.listComputeBackendServices

cloudasset.assets.listComputeCommitments

cloudasset.assets.listComputeDisks

cloudasset.assets.listComputeExternalVpnGateways

cloudasset.assets.listComputeFirewallPolicies

cloudasset.assets.listComputeFirewalls

cloudasset.assets.listComputeForwardingRules

cloudasset.assets.listComputeGlobalAddress

cloudasset.assets.listComputeGlobalForwardingRules

cloudasset.assets.listComputeHealthChecks

cloudasset.assets.listComputeHttpHealthChecks

cloudasset.assets.listComputeHttpsHealthChecks

cloudasset.assets.listComputeImages

cloudasset.assets.listComputeInstanceGroupManagers

cloudasset.assets.listComputeInstanceGroups

cloudasset.assets.listComputeInstanceTemplates

cloudasset.assets.listComputeInstances

cloudasset.assets.listComputeInterconnect

cloudasset.assets.listComputeInterconnectAttachment

cloudasset.assets.listComputeLicenses

cloudasset.assets.listComputeNetworkEndpointGroups

cloudasset.assets.listComputeNetworks

cloudasset.assets.listComputeNodeGroups

cloudasset.assets.listComputeNodeTemplates

cloudasset.assets.listComputePacketMirrorings

cloudasset.assets.listComputeProjects

cloudasset.assets.listComputeRegionAutoscaler

cloudasset.assets.listComputeRegionBackendServices

cloudasset.assets.listComputeRegionDisk

cloudasset.assets.listComputeRegionInstanceGroup

cloudasset.assets.listComputeRegionInstanceGroupManager

cloudasset.assets.listComputeReservations

cloudasset.assets.listComputeResourcePolicies

cloudasset.assets.listComputeRouters

cloudasset.assets.listComputeRoutes

cloudasset.assets.listComputeSecurityPolicy

cloudasset.assets.listComputeServiceAttachments

cloudasset.assets.listComputeSnapshots

cloudasset.assets.listComputeSslCertificates

cloudasset.assets.listComputeSslPolicies

cloudasset.assets.listComputeSubnetworks

cloudasset.assets.listComputeTargetHttpProxies

cloudasset.assets.listComputeTargetHttpsProxies

cloudasset.assets.listComputeTargetInstances

cloudasset.assets.listComputeTargetPools

cloudasset.assets.listComputeTargetSslProxies

cloudasset.assets.listComputeTargetTcpProxies

cloudasset.assets.listComputeTargetVpnGateways

cloudasset.assets.listComputeUrlMaps

cloudasset.assets.listComputeVpnGateways

cloudasset.assets.listComputeVpnTunnels

cloudasset.assets.listConnectorsConnections

cloudasset.assets.listConnectorsConnectorVersions

cloudasset.assets.listConnectorsConnectors

cloudasset.assets.listConnectorsProviders

cloudasset.assets.listConnectorsRuntimeConfigs

cloudasset.assets.listContainerAppsDeployment

cloudasset.assets.listContainerAppsReplicaSets

cloudasset.assets.listContainerBatchJobs

cloudasset.assets.listContainerClusterrole

cloudasset.assets.listContainerClusterrolebinding

cloudasset.assets.listContainerClusters

cloudasset.assets.listContainerExtensionsIngresses

cloudasset.assets.listContainerJobs

cloudasset.assets.listContainerNamespace

cloudasset.assets.listContainerNetworkingIngresses

cloudasset.assets.listContainerNetworkingNetworkPolicies

cloudasset.assets.listContainerNode

cloudasset.assets.listContainerNodepool

cloudasset.assets.listContainerPod

cloudasset.assets.listContainerReplicaSets

cloudasset.assets.listContainerRole

cloudasset.assets.listContainerRolebinding

cloudasset.assets.listContainerServices

cloudasset.assets.listContainerregistryImage

cloudasset.assets.listDataMigrationConnectionProfiles

cloudasset.assets.listDataMigrationMigrationJobs

cloudasset.assets.listDataflowJobs

cloudasset.assets.listDatafusionInstance

cloudasset.assets.listDataplexAssets

cloudasset.assets.listDataplexLakes

cloudasset.assets.listDataplexTasks

cloudasset.assets.listDataplexZones

cloudasset.assets.listDataprocAutoscalingPolicies

cloudasset.assets.listDataprocBatches

cloudasset.assets.listDataprocClusters

cloudasset.assets.listDataprocJobs

cloudasset.assets.listDataprocSessions

cloudasset.assets.listDataprocWorkflowTemplates

cloudasset.assets.listDatastreamConnectionProfile

cloudasset.assets.listDatastreamPrivateConnection

cloudasset.assets.listDatastreamStream

cloudasset.assets.listDialogflowAgents

cloudasset.assets.listDialogflowConversationProfiles

cloudasset.assets.listDialogflowKnowledgeBases

cloudasset.assets.listDialogflowLocationSettings

cloudasset.assets.listDlpDeidentifyTemplates

cloudasset.assets.listDlpDlpJobs

cloudasset.assets.listDlpInspectTemplates

cloudasset.assets.listDlpJobTriggers

cloudasset.assets.listDlpStoredInfoTypes

cloudasset.assets.listDnsManagedZones

cloudasset.assets.listDnsPolicies

cloudasset.assets.listDomainsRegistrations

cloudasset.assets.listEventarcTriggers

cloudasset.assets.listFileBackups

cloudasset.assets.listFileInstances

cloudasset.assets.listFirebaseAppInfos

cloudasset.assets.listFirebaseProjects

cloudasset.assets.listFirestoreDatabases

cloudasset.assets.listGKEHubFeatures

cloudasset.assets.listGKEHubMemberships

cloudasset.assets.listGameservicesGameServerClusters

cloudasset.assets.listGameservicesGameServerConfigs

cloudasset.assets.listGameservicesGameServerDeployments

cloudasset.assets.listGameservicesRealms

cloudasset.assets.listGkeBackupBackupPlans

cloudasset.assets.listGkeBackupBackups

cloudasset.assets.listGkeBackupRestorePlans

cloudasset.assets.listGkeBackupRestores

cloudasset.assets.listGkeBackupVolumeBackups

cloudasset.assets.listGkeBackupVolumeRestores

cloudasset.assets.listHealthcareConsentStores

cloudasset.assets.listHealthcareDatasets

cloudasset.assets.listHealthcareDicomStores

cloudasset.assets.listHealthcareFhirStores

cloudasset.assets.listHealthcareHl7V2Stores

cloudasset.assets.listIamPolicy

cloudasset.assets.listIamRoles

cloudasset.assets.listIamServiceAccountKeys

cloudasset.assets.listIamServiceAccounts

cloudasset.assets.listIapTunnel

cloudasset.assets.listIapTunnelInstances

cloudasset.assets.listIapTunnelZones

cloudasset.assets.listIapWeb

cloudasset.assets.listIapWebServiceVersion

cloudasset.assets.listIapWebServices

cloudasset.assets.listIapWebType

cloudasset.assets.listIdsEndpoints

cloudasset.assets.listIntegrationsAuthConfigs

cloudasset.assets.listIntegrationsCertificates

cloudasset.assets.listIntegrationsExecutions

cloudasset.assets.listIntegrationsIntegrationVersions

cloudasset.assets.listIntegrationsIntegrations

cloudasset.assets.listIntegrationsSfdcChannels

cloudasset.assets.listIntegrationsSfdcInstances

cloudasset.assets.listIntegrationsSuspensions

cloudasset.assets.listLoggingLogMetrics

cloudasset.assets.listLoggingLogSinks

cloudasset.assets.listManagedidentitiesDomain

cloudasset.assets.listMetastoreBackups

cloudasset.assets.listMetastoreMetadataImports

cloudasset.assets.listMetastoreServices

cloudasset.assets.listMonitoringAlertPolicies

cloudasset.assets.listNetworkConnectivityHubs

cloudasset.assets.listNetworkConnectivitySpokes

cloudasset.assets.listNetworkManagementConnectivityTests

cloudasset.assets.listNetworkServicesEndpointPolicies

cloudasset.assets.listNetworkServicesGateways

cloudasset.assets.listNetworkServicesGrpcRoutes

cloudasset.assets.listNetworkServicesHttpRoutes

cloudasset.assets.listNetworkServicesMeshes

cloudasset.assets.listNetworkServicesServiceBindings

cloudasset.assets.listNetworkServicesTcpRoutes

cloudasset.assets.listNetworkServicesTlsRoutes

cloudasset.assets.listOSConfigOSPolicyAssignmentReports

cloudasset.assets.listOSConfigOSPolicyAssignments

cloudasset.assets.listOSConfigVulnerabilityReports

cloudasset.assets.listOSInventories

cloudasset.assets.listOrgPolicy

cloudasset.assets.listPatchDeployments

cloudasset.assets.listPubsubSnapshots

cloudasset.assets.listPubsubSubscriptions

cloudasset.assets.listPubsubTopics

cloudasset.assets.listRedisInstances

cloudasset.assets.listResource

cloudasset.assets.listRunDomainMapping

cloudasset.assets.listRunRevision

cloudasset.assets.listRunService

cloudasset.assets.listSecretManagerSecretVersions

cloudasset.assets.listSecretManagerSecrets

cloudasset.assets.listServiceDirectoryNamespaces

cloudasset.assets.listServicePerimeter

cloudasset.assets.listServiceconsumermanagementConsumerProperty

cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits

cloudasset.assets.listServiceconsumermanagementConsumers

cloudasset.assets.listServiceconsumermanagementProducerOverrides

cloudasset.assets.listServiceconsumermanagementTenancyUnits

cloudasset.assets.listServiceconsumermanagementVisibility

cloudasset.assets.listServicemanagementServices

cloudasset.assets.listServiceusageAdminOverrides

cloudasset.assets.listServiceusageConsumerOverrides

cloudasset.assets.listServiceusageServices

cloudasset.assets.listSpannerBackups

cloudasset.assets.listSpannerDatabases

cloudasset.assets.listSpannerInstances

cloudasset.assets.listSpeakerIdPhrases

cloudasset.assets.listSpeakerIdSettings

cloudasset.assets.listSpeakerIdSpeakers

cloudasset.assets.listSpeechCustomClasses

cloudasset.assets.listSpeechPhraseSets

cloudasset.assets.listSqladminBackupRuns

cloudasset.assets.listSqladminInstances

cloudasset.assets.listStorageBuckets

cloudasset.assets.listTpuNodes

cloudasset.assets.listVpcaccessConnector

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.feeds.*

  • cloudasset.feeds.create
  • cloudasset.feeds.delete
  • cloudasset.feeds.get
  • cloudasset.feeds.list
  • cloudasset.feeds.update

cloudasset.othercloudconnections.get

cloudasset.othercloudconnections.list

cloudasset.othercloudconnections.verify

cloudsql.instances.connect

cloudsql.users.list

compute.globalOperations.get

compute.instances.get

compute.instances.list

compute.networkEndpointGroups.get

compute.projects.get

container.clusters.get

monitoring.alertPolicies.list

orgpolicy.policy.get

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

  • recommender.locations.get
  • recommender.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

stackdriver.projects.get

(roles/securitycenter.securityResponseServiceAgent)

Gives Playbook Runner permissions to execute all Google authored Playbooks. This role will keep evolving as we add more playbooks

compute.globalOperations.get

compute.instances.deleteAccessConfig

compute.instances.get

compute.instances.setMetadata

compute.regionOperations.get

compute.zoneOperations.get

iam.serviceAccounts.actAs

pubsub.topics.publish

securitycenter.findings.list

storage.buckets.get

storage.buckets.update

(roles/securitycenter.serviceAgent)

Security Center service agent can scan GCP resources and import security scans.

accesscontextmanager.gcpUserAccessBindings.get

accesscontextmanager.gcpUserAccessBindings.list

aiplatform.dataItems.list

aiplatform.datasets.list

bigquery.datasets.get

binaryauthorization.policy.get

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.analyzeMove

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportAccessLevel

cloudasset.assets.exportAccessPolicy

cloudasset.assets.exportAiplatformBatchPredictionJobs

cloudasset.assets.exportAiplatformCustomJobs

cloudasset.assets.exportAiplatformDataLabelingJobs

cloudasset.assets.exportAiplatformDatasets

cloudasset.assets.exportAiplatformEndpoints

cloudasset.assets.exportAiplatformHyperparameterTuningJobs

cloudasset.assets.exportAiplatformMetadataStores

cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs

cloudasset.assets.exportAiplatformModels

cloudasset.assets.exportAiplatformPipelineJobs

cloudasset.assets.exportAiplatformSpecialistPools

cloudasset.assets.exportAiplatformTrainingPipelines

cloudasset.assets.exportAllAccessPolicy

cloudasset.assets.exportAnthosConnectedCluster

cloudasset.assets.exportAnthosedgeCluster

cloudasset.assets.exportApigatewayApi

cloudasset.assets.exportApigatewayApiConfig

cloudasset.assets.exportApigatewayGateway

cloudasset.assets.exportApikeysKeys

cloudasset.assets.exportAppengineApplications

cloudasset.assets.exportAppengineServices

cloudasset.assets.exportAppengineVersions

cloudasset.assets.exportArtifactregistryDockerImages

cloudasset.assets.exportArtifactregistryRepositories

cloudasset.assets.exportAssuredWorkloadsWorkloads

cloudasset.assets.exportBeyondCorpApiGateways

cloudasset.assets.exportBeyondCorpAppConnections

cloudasset.assets.exportBeyondCorpAppConnectors

cloudasset.assets.exportBeyondCorpAppGateways

cloudasset.assets.exportBeyondCorpClientConnectorServices

cloudasset.assets.exportBeyondCorpClientGateways

cloudasset.assets.exportBigqueryDatasets

cloudasset.assets.exportBigqueryModels

cloudasset.assets.exportBigqueryTables

cloudasset.assets.exportBigtableAppProfile

cloudasset.assets.exportBigtableBackup

cloudasset.assets.exportBigtableCluster

cloudasset.assets.exportBigtableInstance

cloudasset.assets.exportBigtableTable

cloudasset.assets.exportCloudAssetFeeds

cloudasset.assets.exportCloudDeployDeliveryPipelines

cloudasset.assets.exportCloudDeployReleases

cloudasset.assets.exportCloudDeployRollouts

cloudasset.assets.exportCloudDeployTargets

cloudasset.assets.exportCloudDocumentAIEvaluation

cloudasset.assets.exportCloudDocumentAIHumanReviewConfig

cloudasset.assets.exportCloudDocumentAILabelerPool

cloudasset.assets.exportCloudDocumentAIProcessor

cloudasset.assets.exportCloudDocumentAIProcessorVersion

cloudasset.assets.exportCloudbillingBillingAccounts

cloudasset.assets.exportCloudbillingProjectBillingInfos

cloudasset.assets.exportCloudfunctionsFunctions

cloudasset.assets.exportCloudfunctionsGen2Functions

cloudasset.assets.exportCloudkmsCryptoKeyVersions

cloudasset.assets.exportCloudkmsCryptoKeys

cloudasset.assets.exportCloudkmsEkmConnections

cloudasset.assets.exportCloudkmsImportJobs

cloudasset.assets.exportCloudkmsKeyRings

cloudasset.assets.exportCloudmemcacheInstances

cloudasset.assets.exportCloudresourcemanagerFolders

cloudasset.assets.exportCloudresourcemanagerOrganizations

cloudasset.assets.exportCloudresourcemanagerProjects

cloudasset.assets.exportCloudresourcemanagerTagBindings

cloudasset.assets.exportCloudresourcemanagerTagKeys

cloudasset.assets.exportCloudresourcemanagerTagValues

cloudasset.assets.exportComposerEnvironments

cloudasset.assets.exportComputeAddress

cloudasset.assets.exportComputeAutoscalers

cloudasset.assets.exportComputeBackendBuckets

cloudasset.assets.exportComputeBackendServices

cloudasset.assets.exportComputeCommitments

cloudasset.assets.exportComputeDisks

cloudasset.assets.exportComputeExternalVpnGateways

cloudasset.assets.exportComputeFirewallPolicies

cloudasset.assets.exportComputeFirewalls

cloudasset.assets.exportComputeForwardingRules

cloudasset.assets.exportComputeGlobalAddress

cloudasset.assets.exportComputeGlobalForwardingRules

cloudasset.assets.exportComputeHealthChecks

cloudasset.assets.exportComputeHttpHealthChecks

cloudasset.assets.exportComputeHttpsHealthChecks

cloudasset.assets.exportComputeImages

cloudasset.assets.exportComputeInstanceGroupManagers

cloudasset.assets.exportComputeInstanceGroups

cloudasset.assets.exportComputeInstanceTemplates

cloudasset.assets.exportComputeInstances

cloudasset.assets.exportComputeInterconnect

cloudasset.assets.exportComputeInterconnectAttachment

cloudasset.assets.exportComputeLicenses

cloudasset.assets.exportComputeNetworkEndpointGroups

cloudasset.assets.exportComputeNetworks

cloudasset.assets.exportComputeNodeGroups

cloudasset.assets.exportComputeNodeTemplates

cloudasset.assets.exportComputePacketMirrorings

cloudasset.assets.exportComputeProjects

cloudasset.assets.exportComputeRegionAutoscaler

cloudasset.assets.exportComputeRegionBackendServices

cloudasset.assets.exportComputeRegionDisk

cloudasset.assets.exportComputeRegionInstanceGroup

cloudasset.assets.exportComputeRegionInstanceGroupManager

cloudasset.assets.exportComputeReservations

cloudasset.assets.exportComputeResourcePolicies

cloudasset.assets.exportComputeRouters

cloudasset.assets.exportComputeRoutes

cloudasset.assets.exportComputeSecurityPolicy

cloudasset.assets.exportComputeServiceAttachments

cloudasset.assets.exportComputeSnapshots

cloudasset.assets.exportComputeSslCertificates

cloudasset.assets.exportComputeSslPolicies

cloudasset.assets.exportComputeSubnetworks

cloudasset.assets.exportComputeTargetHttpProxies

cloudasset.assets.exportComputeTargetHttpsProxies

cloudasset.assets.exportComputeTargetInstances

cloudasset.assets.exportComputeTargetPools

cloudasset.assets.exportComputeTargetSslProxies

cloudasset.assets.exportComputeTargetTcpProxies

cloudasset.assets.exportComputeTargetVpnGateways

cloudasset.assets.exportComputeUrlMaps

cloudasset.assets.exportComputeVpnGateways

cloudasset.assets.exportComputeVpnTunnels

cloudasset.assets.exportConnectorsConnections

cloudasset.assets.exportConnectorsConnectorVersions

cloudasset.assets.exportConnectorsConnectors

cloudasset.assets.exportConnectorsProviders

cloudasset.assets.exportConnectorsRuntimeConfigs

cloudasset.assets.exportContainerAppsDeployment

cloudasset.assets.exportContainerAppsReplicaSets

cloudasset.assets.exportContainerBatchJobs

cloudasset.assets.exportContainerClusterrole

cloudasset.assets.exportContainerClusterrolebinding

cloudasset.assets.exportContainerClusters

cloudasset.assets.exportContainerExtensionsIngresses

cloudasset.assets.exportContainerJobs

cloudasset.assets.exportContainerNamespace

cloudasset.assets.exportContainerNetworkingIngresses

cloudasset.assets.exportContainerNetworkingNetworkPolicies

cloudasset.assets.exportContainerNode

cloudasset.assets.exportContainerNodepool

cloudasset.assets.exportContainerPod

cloudasset.assets.exportContainerReplicaSets

cloudasset.assets.exportContainerRole

cloudasset.assets.exportContainerRolebinding

cloudasset.assets.exportContainerServices

cloudasset.assets.exportContainerregistryImage

cloudasset.assets.exportDataMigrationConnectionProfiles

cloudasset.assets.exportDataMigrationMigrationJobs

cloudasset.assets.exportDataflowJobs

cloudasset.assets.exportDatafusionInstance

cloudasset.assets.exportDataplexAssets

cloudasset.assets.exportDataplexLakes

cloudasset.assets.exportDataplexTasks

cloudasset.assets.exportDataplexZones

cloudasset.assets.exportDataprocAutoscalingPolicies

cloudasset.assets.exportDataprocBatches

cloudasset.assets.exportDataprocClusters

cloudasset.assets.exportDataprocJobs

cloudasset.assets.exportDataprocSessions

cloudasset.assets.exportDataprocWorkflowTemplates

cloudasset.assets.exportDatastreamConnectionProfile

cloudasset.assets.exportDatastreamPrivateConnection

cloudasset.assets.exportDatastreamStream

cloudasset.assets.exportDialogflowAgents

cloudasset.assets.exportDialogflowConversationProfiles

cloudasset.assets.exportDialogflowKnowledgeBases

cloudasset.assets.exportDialogflowLocationSettings

cloudasset.assets.exportDlpDeidentifyTemplates

cloudasset.assets.exportDlpDlpJobs

cloudasset.assets.exportDlpInspectTemplates

cloudasset.assets.exportDlpJobTriggers

cloudasset.assets.exportDlpStoredInfoTypes

cloudasset.assets.exportDnsManagedZones

cloudasset.assets.exportDnsPolicies

cloudasset.assets.exportDomainsRegistrations

cloudasset.assets.exportEventarcTriggers

cloudasset.assets.exportFileBackups

cloudasset.assets.exportFileInstances

cloudasset.assets.exportFirebaseAppInfos

cloudasset.assets.exportFirebaseProjects

cloudasset.assets.exportFirestoreDatabases

cloudasset.assets.exportGKEHubFeatures

cloudasset.assets.exportGKEHubMemberships

cloudasset.assets.exportGameservicesGameServerClusters

cloudasset.assets.exportGameservicesGameServerConfigs

cloudasset.assets.exportGameservicesGameServerDeployments

cloudasset.assets.exportGameservicesRealms

cloudasset.assets.exportGkeBackupBackupPlans

cloudasset.assets.exportGkeBackupBackups

cloudasset.assets.exportGkeBackupRestorePlans

cloudasset.assets.exportGkeBackupRestores

cloudasset.assets.exportGkeBackupVolumeBackups

cloudasset.assets.exportGkeBackupVolumeRestores

cloudasset.assets.exportHealthcareConsentStores

cloudasset.assets.exportHealthcareDatasets

cloudasset.assets.exportHealthcareDicomStores

cloudasset.assets.exportHealthcareFhirStores

cloudasset.assets.exportHealthcareHl7V2Stores

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportIamRoles

cloudasset.assets.exportIamServiceAccountKeys

cloudasset.assets.exportIamServiceAccounts

cloudasset.assets.exportIapTunnel

cloudasset.assets.exportIapTunnelInstances

cloudasset.assets.exportIapTunnelZones

cloudasset.assets.exportIapWeb

cloudasset.assets.exportIapWebServiceVersion

cloudasset.assets.exportIapWebServices

cloudasset.assets.exportIapWebType

cloudasset.assets.exportIdsEndpoints

cloudasset.assets.exportIntegrationsAuthConfigs

cloudasset.assets.exportIntegrationsCertificates

cloudasset.assets.exportIntegrationsExecutions

cloudasset.assets.exportIntegrationsIntegrationVersions

cloudasset.assets.exportIntegrationsIntegrations

cloudasset.assets.exportIntegrationsSfdcChannels

cloudasset.assets.exportIntegrationsSfdcInstances

cloudasset.assets.exportIntegrationsSuspensions

cloudasset.assets.exportLoggingLogMetrics

cloudasset.assets.exportLoggingLogSinks

cloudasset.assets.exportManagedidentitiesDomain

cloudasset.assets.exportMetastoreBackups

cloudasset.assets.exportMetastoreMetadataImports

cloudasset.assets.exportMetastoreServices

cloudasset.assets.exportMonitoringAlertPolicies

cloudasset.assets.exportNetworkConnectivityHubs

cloudasset.assets.exportNetworkConnectivitySpokes

cloudasset.assets.exportNetworkManagementConnectivityTests

cloudasset.assets.exportNetworkServicesEndpointPolicies

cloudasset.assets.exportNetworkServicesGateways

cloudasset.assets.exportNetworkServicesGrpcRoutes

cloudasset.assets.exportNetworkServicesHttpRoutes

cloudasset.assets.exportNetworkServicesMeshes

cloudasset.assets.exportNetworkServicesServiceBindings

cloudasset.assets.exportNetworkServicesTcpRoutes

cloudasset.assets.exportNetworkServicesTlsRoutes

cloudasset.assets.exportOSConfigOSPolicyAssignmentReports

cloudasset.assets.exportOSConfigOSPolicyAssignments

cloudasset.assets.exportOSConfigVulnerabilityReports

cloudasset.assets.exportOSInventories

cloudasset.assets.exportOrgPolicy

cloudasset.assets.exportPatchDeployments

cloudasset.assets.exportPubsubSnapshots

cloudasset.assets.exportPubsubSubscriptions

cloudasset.assets.exportPubsubTopics

cloudasset.assets.exportRedisInstances

cloudasset.assets.exportResource

cloudasset.assets.exportSecretManagerSecretVersions

cloudasset.assets.exportSecretManagerSecrets

cloudasset.assets.exportServiceDirectoryNamespaces

cloudasset.assets.exportServicePerimeter

cloudasset.assets.exportServiceconsumermanagementConsumerProperty

cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits

cloudasset.assets.exportServiceconsumermanagementConsumers

cloudasset.assets.exportServiceconsumermanagementProducerOverrides

cloudasset.assets.exportServiceconsumermanagementTenancyUnits

cloudasset.assets.exportServiceconsumermanagementVisibility

cloudasset.assets.exportServicemanagementServices

cloudasset.assets.exportServiceusageAdminOverrides

cloudasset.assets.exportServiceusageConsumerOverrides

cloudasset.assets.exportServiceusageServices

cloudasset.assets.exportSpannerBackups

cloudasset.assets.exportSpannerDatabases

cloudasset.assets.exportSpannerInstances

cloudasset.assets.exportSpeakerIdPhrases

cloudasset.assets.exportSpeakerIdSettings

cloudasset.assets.exportSpeakerIdSpeakers

cloudasset.assets.exportSpeechCustomClasses

cloudasset.assets.exportSpeechPhraseSets

cloudasset.assets.exportSqladminBackupRuns

cloudasset.assets.exportSqladminInstances

cloudasset.assets.exportStorageBuckets

cloudasset.assets.exportTpuNodes

cloudasset.assets.exportVpcaccessConnector

cloudasset.assets.listAccessLevel

cloudasset.assets.listAccessPolicy

cloudasset.assets.listAiplatformBatchPredictionJobs

cloudasset.assets.listAiplatformCustomJobs

cloudasset.assets.listAiplatformDataLabelingJobs

cloudasset.assets.listAiplatformDatasets

cloudasset.assets.listAiplatformEndpoints

cloudasset.assets.listAiplatformHyperparameterTuningJobs

cloudasset.assets.listAiplatformMetadataStores

cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs

cloudasset.assets.listAiplatformModels

cloudasset.assets.listAiplatformPipelineJobs

cloudasset.assets.listAiplatformSpecialistPools

cloudasset.assets.listAiplatformTrainingPipelines

cloudasset.assets.listAllAccessPolicy

cloudasset.assets.listAnthosConnectedCluster

cloudasset.assets.listAnthosedgeCluster

cloudasset.assets.listApigatewayApi

cloudasset.assets.listApigatewayApiConfig

cloudasset.assets.listApigatewayGateway

cloudasset.assets.listApikeysKeys

cloudasset.assets.listAppengineApplications

cloudasset.assets.listAppengineServices

cloudasset.assets.listAppengineVersions

cloudasset.assets.listArtifactregistryDockerImages

cloudasset.assets.listArtifactregistryRepositories

cloudasset.assets.listAssuredWorkloadsWorkloads

cloudasset.assets.listBeyondCorpApiGateways

cloudasset.assets.listBeyondCorpAppConnections

cloudasset.assets.listBeyondCorpAppConnectors

cloudasset.assets.listBeyondCorpAppGateways

cloudasset.assets.listBeyondCorpClientConnectorServices

cloudasset.assets.listBeyondCorpClientGateways

cloudasset.assets.listBigqueryDatasets

cloudasset.assets.listBigqueryModels

cloudasset.assets.listBigqueryTables

cloudasset.assets.listBigtableAppProfile

cloudasset.assets.listBigtableBackup

cloudasset.assets.listBigtableCluster

cloudasset.assets.listBigtableInstance

cloudasset.assets.listBigtableTable

cloudasset.assets.listCloudAssetFeeds

cloudasset.assets.listCloudDeployDeliveryPipelines

cloudasset.assets.listCloudDeployReleases

cloudasset.assets.listCloudDeployRollouts

cloudasset.assets.listCloudDeployTargets

cloudasset.assets.listCloudDocumentAIEvaluation

cloudasset.assets.listCloudDocumentAIHumanReviewConfig

cloudasset.assets.listCloudDocumentAILabelerPool

cloudasset.assets.listCloudDocumentAIProcessor

cloudasset.assets.listCloudDocumentAIProcessorVersion

cloudasset.assets.listCloudbillingBillingAccounts

cloudasset.assets.listCloudbillingProjectBillingInfos

cloudasset.assets.listCloudfunctionsFunctions

cloudasset.assets.listCloudfunctionsGen2Functions

cloudasset.assets.listCloudkmsCryptoKeyVersions

cloudasset.assets.listCloudkmsCryptoKeys

cloudasset.assets.listCloudkmsEkmConnections

cloudasset.assets.listCloudkmsImportJobs

cloudasset.assets.listCloudkmsKeyRings

cloudasset.assets.listCloudmemcacheInstances

cloudasset.assets.listCloudresourcemanagerFolders

cloudasset.assets.listCloudresourcemanagerOrganizations

cloudasset.assets.listCloudresourcemanagerProjects

cloudasset.assets.listCloudresourcemanagerTagBindings

cloudasset.assets.listCloudresourcemanagerTagKeys

cloudasset.assets.listCloudresourcemanagerTagValues

cloudasset.assets.listComposerEnvironments

cloudasset.assets.listComputeAddress

cloudasset.assets.listComputeAutoscalers

cloudasset.assets.listComputeBackendBuckets

cloudasset.assets.listComputeBackendServices

cloudasset.assets.listComputeCommitments

cloudasset.assets.listComputeDisks

cloudasset.assets.listComputeExternalVpnGateways

cloudasset.assets.listComputeFirewallPolicies

cloudasset.assets.listComputeFirewalls

cloudasset.assets.listComputeForwardingRules

cloudasset.assets.listComputeGlobalAddress

cloudasset.assets.listComputeGlobalForwardingRules

cloudasset.assets.listComputeHealthChecks

cloudasset.assets.listComputeHttpHealthChecks

cloudasset.assets.listComputeHttpsHealthChecks

cloudasset.assets.listComputeImages

cloudasset.assets.listComputeInstanceGroupManagers

cloudasset.assets.listComputeInstanceGroups

cloudasset.assets.listComputeInstanceTemplates

cloudasset.assets.listComputeInstances

cloudasset.assets.listComputeInterconnect

cloudasset.assets.listComputeInterconnectAttachment

cloudasset.assets.listComputeLicenses

cloudasset.assets.listComputeNetworkEndpointGroups

cloudasset.assets.listComputeNetworks

cloudasset.assets.listComputeNodeGroups

cloudasset.assets.listComputeNodeTemplates

cloudasset.assets.listComputePacketMirrorings

cloudasset.assets.listComputeProjects

cloudasset.assets.listComputeRegionAutoscaler

cloudasset.assets.listComputeRegionBackendServices

cloudasset.assets.listComputeRegionDisk

cloudasset.assets.listComputeRegionInstanceGroup

cloudasset.assets.listComputeRegionInstanceGroupManager

cloudasset.assets.listComputeReservations

cloudasset.assets.listComputeResourcePolicies

cloudasset.assets.listComputeRouters

cloudasset.assets.listComputeRoutes

cloudasset.assets.listComputeSecurityPolicy

cloudasset.assets.listComputeServiceAttachments

cloudasset.assets.listComputeSnapshots

cloudasset.assets.listComputeSslCertificates

cloudasset.assets.listComputeSslPolicies

cloudasset.assets.listComputeSubnetworks

cloudasset.assets.listComputeTargetHttpProxies

cloudasset.assets.listComputeTargetHttpsProxies

cloudasset.assets.listComputeTargetInstances

cloudasset.assets.listComputeTargetPools

cloudasset.assets.listComputeTargetSslProxies

cloudasset.assets.listComputeTargetTcpProxies

cloudasset.assets.listComputeTargetVpnGateways

cloudasset.assets.listComputeUrlMaps

cloudasset.assets.listComputeVpnGateways

cloudasset.assets.listComputeVpnTunnels

cloudasset.assets.listConnectorsConnections

cloudasset.assets.listConnectorsConnectorVersions

cloudasset.assets.listConnectorsConnectors

cloudasset.assets.listConnectorsProviders

cloudasset.assets.listConnectorsRuntimeConfigs

cloudasset.assets.listContainerAppsDeployment

cloudasset.assets.listContainerAppsReplicaSets

cloudasset.assets.listContainerBatchJobs

cloudasset.assets.listContainerClusterrole

cloudasset.assets.listContainerClusterrolebinding

cloudasset.assets.listContainerClusters

cloudasset.assets.listContainerExtensionsIngresses

cloudasset.assets.listContainerJobs

cloudasset.assets.listContainerNamespace

cloudasset.assets.listContainerNetworkingIngresses

cloudasset.assets.listContainerNetworkingNetworkPolicies

cloudasset.assets.listContainerNode

cloudasset.assets.listContainerNodepool

cloudasset.assets.listContainerPod

cloudasset.assets.listContainerReplicaSets

cloudasset.assets.listContainerRole

cloudasset.assets.listContainerRolebinding

cloudasset.assets.listContainerServices

cloudasset.assets.listContainerregistryImage

cloudasset.assets.listDataMigrationConnectionProfiles

cloudasset.assets.listDataMigrationMigrationJobs

cloudasset.assets.listDataflowJobs

cloudasset.assets.listDatafusionInstance

cloudasset.assets.listDataplexAssets

cloudasset.assets.listDataplexLakes

cloudasset.assets.listDataplexTasks

cloudasset.assets.listDataplexZones

cloudasset.assets.listDataprocAutoscalingPolicies

cloudasset.assets.listDataprocBatches

cloudasset.assets.listDataprocClusters

cloudasset.assets.listDataprocJobs

cloudasset.assets.listDataprocSessions

cloudasset.assets.listDataprocWorkflowTemplates

cloudasset.assets.listDatastreamConnectionProfile

cloudasset.assets.listDatastreamPrivateConnection

cloudasset.assets.listDatastreamStream

cloudasset.assets.listDialogflowAgents

cloudasset.assets.listDialogflowConversationProfiles

cloudasset.assets.listDialogflowKnowledgeBases

cloudasset.assets.listDialogflowLocationSettings

cloudasset.assets.listDlpDeidentifyTemplates

cloudasset.assets.listDlpDlpJobs

cloudasset.assets.listDlpInspectTemplates

cloudasset.assets.listDlpJobTriggers

cloudasset.assets.listDlpStoredInfoTypes

cloudasset.assets.listDnsManagedZones

cloudasset.assets.listDnsPolicies

cloudasset.assets.listDomainsRegistrations

cloudasset.assets.listEventarcTriggers

cloudasset.assets.listFileBackups

cloudasset.assets.listFileInstances

cloudasset.assets.listFirebaseAppInfos

cloudasset.assets.listFirebaseProjects

cloudasset.assets.listFirestoreDatabases

cloudasset.assets.listGKEHubFeatures

cloudasset.assets.listGKEHubMemberships

cloudasset.assets.listGameservicesGameServerClusters

cloudasset.assets.listGameservicesGameServerConfigs

cloudasset.assets.listGameservicesGameServerDeployments

cloudasset.assets.listGameservicesRealms

cloudasset.assets.listGkeBackupBackupPlans

cloudasset.assets.listGkeBackupBackups

cloudasset.assets.listGkeBackupRestorePlans

cloudasset.assets.listGkeBackupRestores

cloudasset.assets.listGkeBackupVolumeBackups

cloudasset.assets.listGkeBackupVolumeRestores

cloudasset.assets.listHealthcareConsentStores

cloudasset.assets.listHealthcareDatasets

cloudasset.assets.listHealthcareDicomStores

cloudasset.assets.listHealthcareFhirStores

cloudasset.assets.listHealthcareHl7V2Stores

cloudasset.assets.listIamPolicy

cloudasset.assets.listIamRoles

cloudasset.assets.listIamServiceAccountKeys

cloudasset.assets.listIamServiceAccounts

cloudasset.assets.listIapTunnel

cloudasset.assets.listIapTunnelInstances

cloudasset.assets.listIapTunnelZones

cloudasset.assets.listIapWeb

cloudasset.assets.listIapWebServiceVersion

cloudasset.assets.listIapWebServices

cloudasset.assets.listIapWebType

cloudasset.assets.listIdsEndpoints

cloudasset.assets.listIntegrationsAuthConfigs

cloudasset.assets.listIntegrationsCertificates

cloudasset.assets.listIntegrationsExecutions

cloudasset.assets.listIntegrationsIntegrationVersions

cloudasset.assets.listIntegrationsIntegrations

cloudasset.assets.listIntegrationsSfdcChannels

cloudasset.assets.listIntegrationsSfdcInstances

cloudasset.assets.listIntegrationsSuspensions

cloudasset.assets.listLoggingLogMetrics

cloudasset.assets.listLoggingLogSinks

cloudasset.assets.listManagedidentitiesDomain

cloudasset.assets.listMetastoreBackups

cloudasset.assets.listMetastoreMetadataImports

cloudasset.assets.listMetastoreServices

cloudasset.assets.listMonitoringAlertPolicies

cloudasset.assets.listNetworkConnectivityHubs

cloudasset.assets.listNetworkConnectivitySpokes

cloudasset.assets.listNetworkManagementConnectivityTests

cloudasset.assets.listNetworkServicesEndpointPolicies

cloudasset.assets.listNetworkServicesGateways

cloudasset.assets.listNetworkServicesGrpcRoutes

cloudasset.assets.listNetworkServicesHttpRoutes

cloudasset.assets.listNetworkServicesMeshes

cloudasset.assets.listNetworkServicesServiceBindings

cloudasset.assets.listNetworkServicesTcpRoutes

cloudasset.assets.listNetworkServicesTlsRoutes

cloudasset.assets.listOSConfigOSPolicyAssignmentReports

cloudasset.assets.listOSConfigOSPolicyAssignments

cloudasset.assets.listOSConfigVulnerabilityReports

cloudasset.assets.listOSInventories

cloudasset.assets.listOrgPolicy

cloudasset.assets.listPatchDeployments

cloudasset.assets.listPubsubSnapshots

cloudasset.assets.listPubsubSubscriptions

cloudasset.assets.listPubsubTopics

cloudasset.assets.listRedisInstances

cloudasset.assets.listResource

cloudasset.assets.listRunDomainMapping

cloudasset.assets.listRunRevision

cloudasset.assets.listRunService

cloudasset.assets.listSecretManagerSecretVersions

cloudasset.assets.listSecretManagerSecrets

cloudasset.assets.listServiceDirectoryNamespaces

cloudasset.assets.listServicePerimeter

cloudasset.assets.listServiceconsumermanagementConsumerProperty

cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits

cloudasset.assets.listServiceconsumermanagementConsumers

cloudasset.assets.listServiceconsumermanagementProducerOverrides

cloudasset.assets.listServiceconsumermanagementTenancyUnits

cloudasset.assets.listServiceconsumermanagementVisibility

cloudasset.assets.listServicemanagementServices

cloudasset.assets.listServiceusageAdminOverrides

cloudasset.assets.listServiceusageConsumerOverrides

cloudasset.assets.listServiceusageServices

cloudasset.assets.listSpannerBackups

cloudasset.assets.listSpannerDatabases

cloudasset.assets.listSpannerInstances

cloudasset.assets.listSpeakerIdPhrases

cloudasset.assets.listSpeakerIdSettings

cloudasset.assets.listSpeakerIdSpeakers

cloudasset.assets.listSpeechCustomClasses

cloudasset.assets.listSpeechPhraseSets

cloudasset.assets.listSqladminBackupRuns

cloudasset.assets.listSqladminInstances

cloudasset.assets.listStorageBuckets

cloudasset.assets.listTpuNodes

cloudasset.assets.listVpcaccessConnector

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.feeds.*

  • cloudasset.feeds.create
  • cloudasset.feeds.delete
  • cloudasset.feeds.get
  • cloudasset.feeds.list
  • cloudasset.feeds.update

cloudasset.othercloudconnections.get

cloudasset.othercloudconnections.list

cloudasset.othercloudconnections.verify

cloudsql.instances.connect

cloudsql.users.list

compute.disks.useReadOnly

compute.globalOperations.get

compute.instances.get

compute.instances.list

compute.networkEndpointGroups.get

compute.projects.get

compute.regionOperations.get

compute.zoneOperations.get

container.clusters.get

iam.denypolicies.get

iam.denypolicies.list

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPools.list

logging.logEntries.list

monitoring.alertPolicies.list

monitoring.timeSeries.list

orgpolicy.policies.list

orgpolicy.policy.get

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

  • recommender.locations.get
  • recommender.locations.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.list

securitycenter.assetsecuritymarks.update

securitycenter.findings.list

securitycenter.notificationconfig.create

securitycenter.notificationconfig.delete

securitycenter.notificationconfig.update

securitycenter.organizationsettings.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

securitycenter.simulations.get

securitycenter.sources.list

securitycenter.valuedresources.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.update

serviceusage.quotas.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

stackdriver.projects.get

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

(roles/securitycenter.settingsAdmin)

Admin(super user) access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.billingtier.update

securitycenter.containerthreatdetectionsettings.*

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.*

  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update

securitycenter.integratedvulnerabilityscannersettings.*

  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.rapidvulnerabilitydetectionsettings.*

  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update

securitycenter.websecurityscannersettings.*

  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.billingMetadata.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.checkOnboardingStatus
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycenter.settingsEditor)

Read-Write access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.billingtier.update

securitycenter.containerthreatdetectionsettings.*

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.*

  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update

securitycenter.integratedvulnerabilityscannersettings.*

  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.rapidvulnerabilitydetectionsettings.*

  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update

securitycenter.websecurityscannersettings.*

  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.billingMetadata.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.checkOnboardingStatus
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycenter.settingsViewer)

Read access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.billingMetadata.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.checkOnboardingStatus

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.simulationsViewer)

Read access to security center simulations

securitycenter.simulations.get

(roles/securitycenter.sourcesAdmin)

Admin access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.*

  • securitycenter.sources.get
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • securitycenter.sources.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesEditor)

Read-write access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesViewer)

Read access to sources

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.valuedResourcesViewer)

Read access to security center valued resources

securitycenter.valuedresources.list

Security Command Center Management API 角色

下列 IAM 角色適用於 Security Command Center Management API。您可以在機構、資料夾或專案層級授予這些角色。

Role Permissions

(roles/securitycentermanagement.admin)

Full access to manage Cloud Security Command Center services and custom modules configuration.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycentermanagement.*

  • securitycentermanagement.billingMetadata.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.checkOnboardingStatus
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.customModulesEditor)

Full access to manage Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.*

  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.*

  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.customModulesViewer)

Readonly access to Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.etdCustomModulesEditor)

Full access to manage Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.*

  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

(roles/securitycentermanagement.etdCustomModulesViewer)

Readonly access to Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

(roles/securitycentermanagement.securityCenterServicesEditor)

Full access to manage Cloud Security Command Center services configuration.

securitycentermanagement.securityCenterServices.*

  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update

(roles/securitycentermanagement.securityCenterServicesViewer)

Readonly access to Cloud Security Command Center services configuration.

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

(roles/securitycentermanagement.settingsEditor)

Full access to manage Cloud Security Command Center settings

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycentermanagement.*

  • securitycentermanagement.billingMetadata.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.checkOnboardingStatus
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.settingsViewer)

Readonly access to Cloud Security Command Center settings

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.get

securitycenter.securitycentersettings.get

securitycentermanagement.billingMetadata.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.checkOnboardingStatus

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.shaCustomModulesEditor)

Full access to manage Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.*

  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.shaCustomModulesViewer)

Readonly access to Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.viewer)

Readonly access to Cloud Security Command Center services and custom modules configuration.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.get

securitycenter.securitycentersettings.get

securitycentermanagement.billingMetadata.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.checkOnboardingStatus

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

安全防護機制 API 角色

下列 IAM 角色適用於安全防護機制 API 和基礎架構即程式碼 (IaC) 驗證功能。除非另有說明,否則您可以在機構、資料夾或專案層級授予這些角色。

Role Permissions

(roles/securityposture.admin)

Full access to Security Posture service APIs.

Lowest-level resources where you can grant this role:

  • Organization

orgpolicy.*

  • orgpolicy.constraints.list
  • orgpolicy.customConstraints.create
  • orgpolicy.customConstraints.delete
  • orgpolicy.customConstraints.get
  • orgpolicy.customConstraints.list
  • orgpolicy.customConstraints.update
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.*

  • securityposture.locations.get
  • securityposture.locations.list
  • securityposture.operations.delete
  • securityposture.operations.get
  • securityposture.operations.list
  • securityposture.postureDeployments.create
  • securityposture.postureDeployments.delete
  • securityposture.postureDeployments.get
  • securityposture.postureDeployments.list
  • securityposture.postureDeployments.update
  • securityposture.postureTemplates.get
  • securityposture.postureTemplates.list
  • securityposture.postures.create
  • securityposture.postures.delete
  • securityposture.postures.extract
  • securityposture.postures.get
  • securityposture.postures.list
  • securityposture.postures.update
  • securityposture.reports.create
  • securityposture.reports.get
  • securityposture.reports.list

(roles/securityposture.postureDeployer)

Mutate and read permissions to the Posture Deployment resource.

orgpolicy.*

  • orgpolicy.constraints.list
  • orgpolicy.customConstraints.create
  • orgpolicy.customConstraints.delete
  • orgpolicy.customConstraints.get
  • orgpolicy.customConstraints.list
  • orgpolicy.customConstraints.update
  • orgpolicy.policies.create
  • orgpolicy.policies.delete
  • orgpolicy.policies.list
  • orgpolicy.policies.update
  • orgpolicy.policy.get
  • orgpolicy.policy.set

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.operations.get

securityposture.postureDeployments.*

  • securityposture.postureDeployments.create
  • securityposture.postureDeployments.delete
  • securityposture.postureDeployments.get
  • securityposture.postureDeployments.list
  • securityposture.postureDeployments.update

(roles/securityposture.postureDeploymentsViewer)

Read only access to the Posture Deployment resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

(roles/securityposture.postureEditor)

Mutate and read permissions to the Posture resource.

securityposture.operations.get

securityposture.postures.*

  • securityposture.postures.create
  • securityposture.postures.delete
  • securityposture.postures.extract
  • securityposture.postures.get
  • securityposture.postures.list
  • securityposture.postures.update

(roles/securityposture.postureViewer)

Read only access to the Posture resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postures.get

securityposture.postures.list

(roles/securityposture.reportCreator)

Create access for Reports, e.g. IaC Validation Report.

securityposture.operations.get

securityposture.reports.*

  • securityposture.reports.create
  • securityposture.reports.get
  • securityposture.reports.list

(roles/securityposture.viewer)

Read only access to all the SecurityPosture Service resources.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

securityposture.postureTemplates.*

  • securityposture.postureTemplates.get
  • securityposture.postureTemplates.list

securityposture.postures.get

securityposture.postures.list

服務代理人角色

服務代理可讓服務存取您的資源。

啟用 Security Command Center 後,系統會為您建立兩個服務代理程式:

  • service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com

    這個服務代理程式需要 roles/securitycenter.serviceAgent身分與存取權管理角色。

  • service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com

    這個服務代理程式需要 roles/containerthreatdetection.serviceAgent身分與存取權管理角色。

在 Security Command Center 的啟用程序中,系統會提示您將一或多個必要的 IAM 角色授予每個服務代理程式。您必須將角色授予每個服務代理程式,Security Command Center 才能正常運作。

如要查看每個角色的權限,請參閱下列內容:

如要授予角色,您必須具備 roles/resourcemanager.organizationAdmin 角色。

如果您沒有 roles/resourcemanager.organizationAdmin 角色,貴機構的管理員可以透過下列 gcloud CLI 指令,為您授予服務代理角色:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="SERVICE_AGENT_NAME" \
    --role="IAM_ROLE"

更改下列內容:

  • ORGANIZATION_ID:您的機構 ID
  • SERVICE_AGENT_NAME:您要授予角色的服務代理程式名稱。名稱必須是下列其中一個服務代理名稱:
    • service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
    • service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
  • IAM_ROLE:與指定服務代理相應的下列必要角色:
    • roles/securitycenter.serviceAgent
    • roles/containerthreatdetection.serviceAgent

如要進一步瞭解 IAM 角色,請參閱瞭解角色

Web Security Scanner 角色

Web Security Scanner 提供下列 IAM 角色。您可以在專案層級授予這些角色。

Role Permissions

(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scanruns.stop

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

cloudsecurityscanner.scans.run

(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/websecurityscanner.serviceAgent)

Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.

appengine.applications.get

cloudasset.assets.listResource

compute.addresses.list

compute.backendServices.get

compute.forwardingRules.get

compute.globalForwardingRules.get

compute.sslCertificates.list

compute.targetHttpProxies.get

compute.targetHttpsProxies.get

compute.urlMaps.get