This page explains how to use Identity and Access Management (IAM) to control access to resources when Security Command Center is activated at the organization level. This page applies to you if either of the following is true:
- Security Command Center is activated at the organization level rather than the project level.
- Security Command Center Standard is activated at the organization level, and you have also activated Security Command Center Premium in one or more projects.
If you activated Security Command Center at the project level rather than the organization level, see IAM for project-level activations instead.
When Security Command Center is activated at the organization level, you can control access to resources at different levels of the resource hierarchy. Security Command Center uses IAM roles to control who can do what with assets, findings, and security sources in your Security Command Center environment. You grant roles to individuals and applications, and each role provides specific permissions.
Permissions
To set up Security Command Center or change your organization's settings, you need both of the following roles at the organization level:
- Organization Admin (roles/resourcemanager.organizationAdmin)
- Security Center Admin (roles/securitycenter.admin)
If a user doesn't need edit permissions, consider granting viewer roles instead.
To view all assets, findings, and attack paths in Security Command Center, a user needs the Security Center Admin Viewer role (roles/securitycenter.adminViewer) at the organization level.
To view settings, a user needs the Security Center Admin role (roles/securitycenter.admin) at the organization level.
To restrict access to individual folders and projects, don't grant all roles at the organization level. Instead, grant the following roles at the folder or project level:
- Security Center Assets Viewer (roles/securitycenter.assetsViewer)
- Security Center Findings Viewer (roles/securitycenter.findingsViewer)
If you use Security Command Center Enterprise, see Security Command Center Enterprise console for the additional roles that are required.
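The scoping rules above (both admin roles at the organization level to configure Security Command Center; viewer roles at folder or project level to limit access) can be checked against real IAM policies. The following script is an added example and not Google's code: it takes IAM policies in the JSON shape that `gcloud organizations get-iam-policy`, `gcloud resource-manager folders get-iam-policy` and `gcloud projects get-iam-policy` print with `--format=json`, and reports who can configure Security Command Center and where a `securitycenter.admin` binding sits below the organization (where, per the page, it does not grant settings access). The identities, organization, folder and project IDs are constructed sample values.

```python
"""Audit Security Command Center IAM bindings across scopes (added example).

Input policies have the JSON shape printed by `gcloud ... get-iam-policy
--format=json`; the sample below is constructed, not real output.
"""
from collections import defaultdict

# The page requires both of these at the organization level to configure SCC.
ORG_SETUP_ROLES = frozenset({
    "roles/resourcemanager.organizationAdmin",
    "roles/securitycenter.admin",
})

# Constructed sample: (scope kind, scope id, policy) per scope that was queried.
SAMPLE_POLICIES = [
    ("organization", "123456789012", {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:alice@example.com"]},
        {"role": "roles/securitycenter.admin",
         "members": ["user:alice@example.com"]},
        {"role": "roles/securitycenter.adminViewer",
         "members": ["group:soc-viewers@example.com"]},
        {"role": "roles/owner", "members": ["user:dave@example.com"]},
    ]}),
    ("folder", "111111111111", {"bindings": [
        {"role": "roles/securitycenter.findingsViewer",
         "members": ["user:bob@example.com"]},
        {"role": "roles/securitycenter.admin",
         "members": ["user:carol@example.com"]},
    ]}),
    ("project", "prod-app", {"bindings": [
        {"role": "roles/securitycenter.assetsViewer",
         "members": ["user:bob@example.com"]},
    ]}),
]


def is_scc_relevant(role):
    """Keep Security Command Center roles plus the Organization Admin role."""
    return role.startswith("roles/securitycenter.") or role in ORG_SETUP_ROLES


def scc_roles_by_member(policies):
    """Map member -> {(scope_kind, scope_id): set of SCC-relevant roles}."""
    result = defaultdict(lambda: defaultdict(set))
    for kind, scope_id, policy in policies:
        for binding in policy.get("bindings", []):
            if not is_scc_relevant(binding["role"]):
                continue
            for member in binding.get("members", []):
                result[member][(kind, scope_id)].add(binding["role"])
    return {member: dict(scopes) for member, scopes in result.items()}


def can_configure_scc(scopes, org_id):
    """True when both setup roles are bound directly on the organization."""
    return ORG_SETUP_ROLES <= scopes.get(("organization", org_id), set())


def audit(policies, org_id):
    """Return (member, message) pairs worth an access reviewer's attention."""
    report = []
    for member, scopes in sorted(scc_roles_by_member(policies).items()):
        if can_configure_scc(scopes, org_id):
            report.append((member, "can configure Security Command Center"))
        for (kind, scope_id), roles in sorted(scopes.items()):
            # Settings are only visible to organization-level grants, so an
            # admin role bound on a folder or project does not cover them.
            if kind != "organization" and "roles/securitycenter.admin" in roles:
                report.append((member, f"securitycenter.admin bound on {kind} "
                                       f"{scope_id}: does not grant settings access"))
    return report


if __name__ == "__main__":
    for member, message in audit(SAMPLE_POLICIES, "123456789012"):
        print(f"{member}: {message}")
```

To run this against a real organization, replace `SAMPLE_POLICIES` with the parsed output of the three `get-iam-policy` commands for each scope you want to review; the audit deliberately ignores non-Security-Command-Center roles such as `roles/owner`, so it does not model basic-role inheritance.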
Organization-level roles
When IAM roles are applied at the organization level, the projects and folders under that organization inherit the role bindings.
The following diagram illustrates a typical Security Command Center resource hierarchy and shows roles granted at the organization level.

IAM roles include permissions to view, edit, update, create, or delete resources. In Security Command Center, roles granted at the organization level let you perform the specified actions on findings, assets, and security sources across the entire organization. For example, a user who is granted the Security Center Findings Editor role (roles/securitycenter.findingsEditor) can view or edit findings attached to any resource in any project or folder in your organization. With this structure, you don't need to grant the user roles in every folder or project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Organization-level roles aren't suitable for every use case, particularly sensitive applications or compliance standards that require strict access controls. To create fine-grained access policies, you can grant roles at the folder and project levels.
Folder-level and project-level roles
Security Command Center lets you grant Security Command Center IAM roles on specific folders and projects, creating multiple views or silos within an organization. You can give users and groups in your organization different access and edit permissions for different folders and projects.
The following video explains how to grant folder-level and project-level roles and how to manage those roles in the Security Command Center console.
With folder and project roles, users who hold Security Command Center roles can manage assets and findings in the specified projects or folders. For example, a security engineer can be given limited access to specific folders and projects, while a security administrator manages all resources at the organization level.
Folder and project roles let you apply Security Command Center permissions at lower levels of the organization's resource hierarchy without changing the hierarchy. The following diagram illustrates how a user accesses the findings of a specific project through Security Command Center permissions.

Users with folder and project roles see a subset of the organization's resources, and they can act only within that same scope. For example, a user who has permissions on a folder can access resources in any project within that folder. Project permissions give a user access to resources within that project.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Role restrictions
By granting Security Command Center roles at the folder or project level, Security Command Center administrators can:
- Restrict Security Command Center view or edit access to specific folders and projects
- Give specific users or teams view and edit access to assets or findings
- Restrict individuals or groups from viewing or editing finding details, including security marks and updates to finding state, while still allowing access to the underlying findings
- Control access to Security Command Center settings, which are visible only to users with organization-level roles
Security Command Center features
In addition, Security Command Center features are restricted according to view and edit permissions.
In the Google Cloud console, Security Command Center lets users who don't have organization-level permissions select only the resources they have access to. After a selection, every element of the user interface updates, including assets, findings, and settings controls. Users can see which permissions their roles include and whether they can access or edit findings in the current scope.
The Security Command Center API and the Google Cloud CLI also restrict functions to the specified folders and projects. If a user who is granted a folder or project role makes a call to list or group assets and findings, only the findings or assets within those scopes are returned.
When Security Command Center is activated at the organization level, calls that create or update findings and finding notifications support only the organization scope. You need organization-level roles to perform those tasks.
To view attack paths generated by attack path simulations, you must be granted the appropriate permissions at the organization level and the Google Cloud console view must be set to the organization.
Parent resources of findings
Typically, findings are attached to a resource, such as a virtual machine (VM) or a firewall. Security Command Center attaches a finding to the most immediate container of the resource that generated it. For example, if a VM generates a finding, the finding is attached to the project that contains the VM. Findings that aren't tied to a Google Cloud resource are attached to the organization, and any user with organization-level Security Command Center permissions can view them.
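The two rules above, that a folder- or project-scoped principal sees only findings whose parent falls inside that scope and that a finding with no Google Cloud resource attaches to the organization, can be modelled as a small visibility check. The following script is an added example, not Google's code and not the Security Command Center API's own filtering: it derives a finding's parent container from its `resourceName` (the full resource name, such as `//compute.googleapis.com/projects/PROJECT/zones/ZONE/instances/NAME`), walks a constructed resource hierarchy in Resource Manager naming (`projects/...`, `folders/...`, `organizations/...`), and answers which findings a principal holding a role on a given scope would be returned. Projects that are missing from the hierarchy map are treated as out of scope for folder and project principals, so the check fails closed.

```python
"""Model which findings a scoped principal sees (added example).

Hierarchy, findings and the organization ID are constructed sample data.
"""
import re

ORG_ID = "123456789012"  # constructed

# Constructed resource hierarchy, child -> parent.
PARENT = {
    "projects/prod-app": "folders/111",
    "projects/prod-db": "folders/111",
    "folders/111": "folders/100",
    "folders/100": f"organizations/{ORG_ID}",
    "projects/dev-sandbox": "folders/222",
    "folders/222": f"organizations/{ORG_ID}",
    "projects/shared-tools": f"organizations/{ORG_ID}",
}

# Constructed findings; resourceName follows the full-resource-name format.
SAMPLE_FINDINGS = [
    {"name": "f-1", "resourceName":
        "//compute.googleapis.com/projects/prod-app/zones/us-central1-a/instances/vm-1"},
    {"name": "f-2", "resourceName":
        "//compute.googleapis.com/projects/prod-db/global/firewalls/allow-all"},
    {"name": "f-3", "resourceName":
        "//compute.googleapis.com/projects/dev-sandbox/zones/europe-west1-b/instances/vm-9"},
    # No project resource behind it: attaches to the organization.
    {"name": "f-4", "resourceName":
        f"//cloudresourcemanager.googleapis.com/organizations/{ORG_ID}"},
]

# A project ID directly after the service host, e.g. //svc/projects/<id>/...
_PROJECT_IN_NAME = re.compile(r"^//[^/]+/projects/([^/]+)")


def finding_parent(finding, org_id=ORG_ID):
    """Parent container of a finding: its project, else the organization."""
    match = _PROJECT_IN_NAME.match(finding.get("resourceName", ""))
    if match:
        return f"projects/{match.group(1)}"
    return f"organizations/{org_id}"


def ancestors(resource):
    """The resource itself followed by every ancestor known in PARENT."""
    chain = [resource]
    while resource in PARENT:
        resource = PARENT[resource]
        chain.append(resource)
    return chain


def is_visible(finding, scope, org_id=ORG_ID):
    """True if a principal with a role on `scope` would see the finding.

    Organization scope sees everything; a folder or project scope sees a
    finding only when that scope is the finding's parent or an ancestor of it.
    """
    if scope == f"organizations/{org_id}":
        return True
    return scope in ancestors(finding_parent(finding, org_id))


def visible_findings(findings, scope, org_id=ORG_ID):
    """Names of the findings returned to a principal scoped to `scope`."""
    return [f["name"] for f in findings if is_visible(f, scope, org_id)]


if __name__ == "__main__":
    for scope in ("projects/prod-app", "folders/111", f"organizations/{ORG_ID}"):
        print(scope, "->", visible_findings(SAMPLE_FINDINGS, scope))
```

Note that the organization-attached finding `f-4` is returned only for the organization scope, which is the practical consequence of granting a security engineer a folder-level viewer role: findings that Security Command Center could not tie to a project resource never appear in that engineer's view.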
Security Command Center roles
Security Command Center provides the following IAM roles. You can grant these roles at the organization, folder, or project level.
Role | Permissions |
---|---|
Security Center Admin | Admin (super user) access to security center |
Security Center Admin Editor | Admin read-write access to security center |
Security Center Admin Viewer | Admin read access to security center |
Security Center Asset Security Marks Writer | Write access to asset security marks |
Security Center Assets Discovery Runner | Run asset discovery access to assets |
Security Center Assets Viewer | Read access to assets |
Security Center Attack Paths Reader | Read access to security center attack paths |
Attack Surface Management Scanner Service Agent | Gives Mandiant Attack Surface Management the ability to scan Cloud Platform resources. |
Security Center Automation Service Agent | Security Center automation service agent can configure GCP resources to enable security scanning. |
Security Center BigQuery Exports Editor | Read-write access to security center BigQuery exports |
Security Center BigQuery Exports Viewer | Read access to security center BigQuery exports |
Security Center Compliance Reports Viewer (Beta) | Read access to security center compliance reports |
Security Center Compliance Snapshots Viewer (Beta) | Read access to security center compliance snapshots |
Security Center Control Service Agent | Security Center Control service agent can monitor and configure GCP resources and import security findings. |
Security Center External Systems Editor | Write access to security center external systems |
Security Center Finding Security Marks Writer | Write access to finding security marks |
Security Center Findings Bulk Mute Editor | Ability to mute findings in bulk |
Security Center Findings Editor | Read-write access to findings |
Security Center Findings Mute Setter | Set mute access to findings |
Security Center Findings State Setter | Set state access to findings |
Security Center Findings Viewer | Read access to findings |
Security Center Findings Workflow State Setter (Beta) | Set workflow state access to findings |
Security Center Integration Executor Service Agent | Gives Security Center access to execute integrations. |
Security Center Issues Editor | Write access to security center issues |
Security Center Issues Viewer | Read access to security center issues |
Security Center Mute Configurations Editor | Read-write access to security center mute configurations |
Security Center Mute Configurations Viewer | Read access to security center mute configurations |
Security Center Notification Configurations Editor | Write access to notification configurations |
Security Center Notification Configurations Viewer | Read access to notification configurations |
Security Center Notification Service Agent | Security Center service agent can publish notifications to Pub/Sub topics. |
Security Center Resource Value Configurations Editor | Read-write access to security center resource value configurations |
Security Center Resource Value Configurations Viewer | Read access to security center resource value configurations |
Security Health Analytics Custom Modules Tester | Test access to Security Health Analytics custom modules |
Security Health Analytics Service Agent | Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities. |
Google Cloud Security Response Service Agent | Gives Playbook Runner permissions to execute all Google-authored playbooks. This role will keep evolving as more playbooks are added. |
Security Center Service Agent | Security Center service agent can scan GCP resources and import security scans. |
Security Center Settings Admin | Admin (super user) access to security center settings |
Security Center Settings Editor | Read-write access to security center settings |
Security Center Settings Viewer | Read access to security center settings |
Security Center Simulations Reader | Read access to security center simulations |
Security Center Sources Admin | Admin access to sources |
Security Center Sources Editor | Read-write access to sources |
Security Center Sources Viewer | Read access to sources |
Security Center Valued Resources Reader | Read access to security center valued resources |
Security Command Center Management API roles
The following IAM roles apply to the Security Command Center Management API. You can grant these roles at the organization, folder, or project level.
Role | Permissions |
---|---|
Security Center Management Admin | Full access to manage Cloud Security Command Center services and custom modules configuration. |
Security Center Management Custom Modules Editor | Full access to manage Cloud Security Command Center custom modules. |
Security Center Management Custom Modules Viewer | Read-only access to Cloud Security Command Center custom modules. |
Security Center Management Custom ETD Modules Editor | Full access to manage Cloud Security Command Center ETD custom modules. |
Security Center Management ETD Custom Modules Viewer | Read-only access to Cloud Security Command Center ETD custom modules. |
Security Center Management Services Editor | Full access to manage Cloud Security Command Center services configuration. |
Security Center Management Services Viewer | Read-only access to Cloud Security Command Center services configuration. |
Security Center Management Settings Editor | Full access to manage Cloud Security Command Center settings. |
Security Center Management Settings Viewer | Read-only access to Cloud Security Command Center settings. |
Security Center Management SHA Custom Modules Editor | Full access to manage Cloud Security Command Center SHA custom modules. |
Security Center Management SHA Custom Modules Viewer | Read-only access to Cloud Security Command Center SHA custom modules. |
Security Center Management Viewer | Read-only access to Cloud Security Command Center services and custom modules configuration. |
Security posture API roles
The following IAM roles apply to the security posture API and to Infrastructure as Code (IaC) validation. Unless otherwise noted, you can grant these roles at the organization, folder, or project level.
Role | Permissions |
---|---|
Security Posture Admin | Full access to Security Posture service APIs. |
Security Posture Deployer | Mutate and read permissions on the Posture Deployment resource. |
Security Posture Deployments Viewer | Read-only access to the Posture Deployment resource. |
Security Posture Resource Editor | Mutate and read permissions on the Posture resource. |
Security Posture Resource Viewer | Read-only access to the Posture resource. |
Security Posture Shift-Left Validator | Create access for reports, e.g. IaC validation reports. |
Security Posture Viewer | Read-only access to all Security Posture service resources. |
Service agent roles
Service agents let services access your resources.
When you activate Security Command Center, two service agents are created for you:
- service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com. This service agent requires the roles/securitycenter.serviceAgent IAM role.
- service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com. This service agent requires the roles/containerthreatdetection.serviceAgent IAM role.
During the Security Command Center activation process, you are prompted to grant one or more required IAM roles to each service agent. You must grant the roles to each service agent for Security Command Center to work correctly.
To see the permissions in each role, see the following:
To grant the roles, you must have the roles/resourcemanager.organizationAdmin role.
If you don't have the roles/resourcemanager.organizationAdmin role, an administrator of your organization can grant the service agent roles for you with the following gcloud CLI command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="SERVICE_AGENT_NAME" \
  --role="IAM_ROLE"
Replace the following:
- ORGANIZATION_ID: your organization ID.
- SERVICE_AGENT_NAME: the name of the service agent you are granting the role to. The name must be one of the following service agent names:
  - service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
  - service-org-ORGANIZATION_ID@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
- IAM_ROLE: the required role that corresponds to the specified service agent, one of the following:
  - roles/securitycenter.serviceAgent
  - roles/containerthreatdetection.serviceAgent
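Because each service agent must receive exactly its own role, and a typo in the agent name silently grants a high-privilege role to the wrong principal, it is worth validating the pairing before running the command. The following script is an added example and not Google's code: it checks that a service agent name has the `service-org-ORGANIZATION_ID@...` form for the two domains listed above, that its organization ID matches the organization being bound, looks up the role the page requires for that agent, and builds the `gcloud organizations add-iam-policy-binding` invocation from above. The `serviceAccount:` prefix on `--member` is the IAM member format for a service account; the organization ID used is a constructed sample value.

```python
"""Pair Security Command Center service agents with their required roles
and build the grant command (added example; not Google's code)."""
import re
import shlex

# Service agent domain -> required IAM role, as stated in the documentation.
REQUIRED_AGENT_ROLES = {
    "security-center-api.iam.gserviceaccount.com":
        "roles/securitycenter.serviceAgent",
    "gcp-sa-ktd-hpsa.iam.gserviceaccount.com":
        "roles/containerthreatdetection.serviceAgent",
}

# service-org-<organization id>@<domain>
_AGENT_RE = re.compile(
    r"^service-org-(\d+)@([a-z0-9-]+\.iam\.gserviceaccount\.com)$")


def required_role(org_id, agent_name):
    """Return the role required for `agent_name`, or raise ValueError.

    Rejects names that are not Security Command Center service agents,
    agents of a different organization, and unknown agent domains.
    """
    match = _AGENT_RE.match(agent_name)
    if not match:
        raise ValueError(f"not a Security Command Center service agent: {agent_name}")
    agent_org, domain = match.groups()
    if agent_org != str(org_id):
        raise ValueError(f"service agent belongs to organization {agent_org}, not {org_id}")
    if domain not in REQUIRED_AGENT_ROLES:
        raise ValueError(f"unknown service agent domain: {domain}")
    return REQUIRED_AGENT_ROLES[domain]


def binding_command(org_id, agent_name):
    """argv for the gcloud command that grants the agent its required role."""
    role = required_role(org_id, agent_name)
    return [
        "gcloud", "organizations", "add-iam-policy-binding", str(org_id),
        f"--member=serviceAccount:{agent_name}",
        f"--role={role}",
    ]


def service_agent_commands(org_id):
    """The grant commands for both agents created at activation."""
    return [binding_command(org_id, f"service-org-{org_id}@{domain}")
            for domain in REQUIRED_AGENT_ROLES]


if __name__ == "__main__":
    # Constructed organization ID; print the commands instead of running them
    # so an administrator can review them before execution.
    for argv in service_agent_commands("123456789012"):
        print(shlex.join(argv))
```

The script only prints the commands; running them still requires the roles/resourcemanager.organizationAdmin role described above, and reviewing the printed lines first is the cheap control against binding the wrong agent.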
For more information about IAM roles, see Understanding roles.
Web Security Scanner roles
Web Security Scanner provides the following IAM roles. You can grant these roles at the project level.
Role | Permissions |
---|---|
Web Security Scanner Editor | Full access to all Web Security Scanner resources |
Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans |
Web Security Scanner Viewer | Read access to all Web Security Scanner resources |
Cloud Web Security Scanner Service Agent | Gives the Cloud Web Security Scanner service account access to Compute Engine details and App Engine details. |