This page describes how to use Identity and Access Management (IAM) to control access to resources in a project-level activation of Security Command Center. Refer to this page only if Security Command Center isn't activated for your organization.
See IAM for organization-level activations, instead of this page, if either of the following conditions applies:
- Security Command Center is activated at the organization level and not at the project level.
- Security Command Center Standard is already activated at the organization level. Additionally, you have Security Command Center Premium activated on one or more projects.
Security Command Center uses IAM roles to let you control who can do what with assets, findings, and security sources in your Security Command Center environment. You grant roles to individuals and applications, and each role provides specific permissions.
Permissions
To set up Security Command Center or change the configuration of your project, you need both of the following roles:
- Project IAM Admin (roles/resourcemanager.projectIamAdmin)
- Security Center Admin (roles/securitycenter.admin)
If a user doesn't require edit permissions, consider granting them viewer roles.
To view all assets and findings in Security Command Center, users need the Security Center Admin Viewer (roles/securitycenter.adminViewer) role. Users who also need to view settings need the Security Center Settings Viewer (roles/securitycenter.settingsViewer) role.
Although you can set all these roles at any level of the resource hierarchy, we recommend setting these roles at the project level. This practice is in accordance with the principle of least privilege.
For instructions on managing roles and permissions, see Manage access to projects, folders, and organizations.
Inherited access to project-level activations of Security Command Center
A project inherits any role bindings that are set at the level of the folders and organization that contain that project. For example, if a principal has the Security Center Findings Editor role (roles/securitycenter.findingsEditor) at the organization level, that principal has the same role at the project level. That principal can view and edit findings in any of that organization's projects where Security Command Center is active.
The following figure illustrates a Security Command Center resource hierarchy with roles granted at the organization level.

To view a list of principals that have access to your project, including those who have inherited permissions, see View current access.
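The inheritance rule above is easy to state and easy to get wrong when you audit who can actually touch findings in a project. The following script is an added example, not code from the Security Command Center documentation or from Google: it takes IAM policies for an organization, a folder, and a project in the JSON shape that the `gcloud ... get-iam-policy --format=json` commands print, resolves the bindings a principal effectively holds on the project, and lists the Security Command Center roles that were granted above the project so they can be reviewed against the least-privilege recommendation. The resource IDs, principals, and policies are constructed sample data.

```python
# Added example (not from the Security Command Center docs): resolve the
# effective IAM bindings a project receives through inheritance from its
# folder and organization, then flag Security Command Center roles granted
# above project level so they can be reviewed for least privilege.
# The policies below are constructed sample data in the JSON shape printed by
# `gcloud organizations|resource-manager folders|projects get-iam-policy --format=json`.
from collections import defaultdict

# Constructed sample policies, ordered from the organization down to the
# project (the ancestry chain). Real IDs and principals would differ.
HIERARCHY = [
    ("organizations/123456789012", {
        "bindings": [
            {"role": "roles/securitycenter.findingsEditor",
             "members": ["user:analyst@example.com"]},
            {"role": "roles/securitycenter.admin",
             "members": ["group:sec-admins@example.com"]},
        ]}),
    ("folders/987654321098", {
        "bindings": [
            {"role": "roles/securitycenter.adminViewer",
             "members": ["user:auditor@example.com"]},
        ]}),
    ("projects/my-scc-project", {
        "bindings": [
            {"role": "roles/securitycenter.settingsViewer",
             "members": ["user:auditor@example.com"]},
            {"role": "roles/resourcemanager.projectIamAdmin",
             "members": ["user:owner@example.com"]},
        ]}),
]


def effective_bindings(hierarchy):
    """Return {member: {role: resource_where_granted}} for the leaf project.

    IAM policies are additive down the hierarchy: a binding on any ancestor
    also applies to the project. Conditional bindings are skipped because
    their effect depends on the request context, not only on the hierarchy.
    """
    effective = defaultdict(dict)
    for resource, policy in hierarchy:
        for binding in policy.get("bindings", []):
            if "condition" in binding:
                continue
            for member in binding.get("members", []):
                # Keep the highest level at which the role was granted.
                effective[member].setdefault(binding["role"], resource)
    return dict(effective)


def roles_for(hierarchy, member):
    """Roles a single principal holds on the leaf project, with their origin."""
    return effective_bindings(hierarchy).get(member, {})


def inherited_scc_grants(hierarchy):
    """List (member, role, resource) for Security Command Center roles granted
    above the project: candidates for narrowing to the project level."""
    leaf = hierarchy[-1][0]
    found = []
    for member, roles in effective_bindings(hierarchy).items():
        for role, resource in roles.items():
            if role.startswith("roles/securitycenter.") and resource != leaf:
                found.append((member, role, resource))
    return sorted(found)


if __name__ == "__main__":
    for member, roles in sorted(effective_bindings(HIERARCHY).items()):
        for role, origin in sorted(roles.items()):
            print(f"{member:32} {role:45} via {origin}")
    print("\nSecurity Command Center roles granted above the project:")
    for item in inherited_scc_grants(HIERARCHY):
        print("  ", *item)
```

Run it as-is to see the analyst's organization-level Findings Editor grant surface on the project; to audit a real project, replace the three sample policies with the output of the corresponding `get-iam-policy` commands (one per ancestor, in the same order). Conditional bindings are deliberately left out of the result rather than counted as either granted or absent.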
Security Command Center roles
The following IAM roles are available for Security Command Center. You can grant these roles at the organization, folder, or project level.
Role | Description
---|---
Security Center Admin | Admin (super user) access to security center
Security Center Admin Editor | Admin read-write access to security center
Security Center Admin Viewer | Admin read access to security center
Security Center Asset Security Marks Writer | Write access to asset security marks
Security Center Assets Discovery Runner | Run asset discovery access to assets
Security Center Assets Viewer | Read access to assets
Security Center Attack Paths Reader | Read access to security center attack paths
Attack Surface Management Scanner Service Agent | Gives Mandiant Attack Surface Management the ability to scan Cloud Platform resources
Security Center Automation Service Agent | Security Center automation service agent can configure GCP resources to enable security scanning
Security Center BigQuery Exports Editor | Read-write access to security center BigQuery exports
Security Center BigQuery Exports Viewer | Read access to security center BigQuery exports
Security Center Compliance Reports Viewer (Beta) | Read access to security center compliance reports
Security Center Compliance Snapshots Viewer (Beta) | Read access to security center compliance snapshots
Security Center Control Service Agent | Security Center Control service agent can monitor and configure GCP resources and import security findings
Security Center External Systems Editor | Write access to security center external systems
Security Center Finding Security Marks Writer | Write access to finding security marks
Security Center Findings Bulk Mute Editor | Ability to mute findings in bulk
Security Center Findings Editor | Read-write access to findings
Security Center Findings Mute Setter | Set mute access to findings
Security Center Findings State Setter | Set state access to findings
Security Center Findings Viewer | Read access to findings
Security Center Findings Workflow State Setter (Beta) | Set workflow state access to findings
Security Center Integration Executor Service Agent | Gives Security Center access to execute integrations
Security Center Issues Editor | Write access to security center issues
Security Center Issues Viewer | Read access to security center issues
Security Center Mute Configurations Editor | Read-write access to security center mute configurations
Security Center Mute Configurations Viewer | Read access to security center mute configurations
Security Center Notification Configurations Editor | Write access to notification configurations
Security Center Notification Configurations Viewer | Read access to notification configurations
Security Center Notification Service Agent | Security Center service agent can publish notifications to Pub/Sub topics
Security Center Resource Value Configurations Editor | Read-write access to security center resource value configurations
Security Center Resource Value Configurations Viewer | Read access to security center resource value configurations
Security Health Analytics Custom Modules Tester | Test access to Security Health Analytics custom modules
Security Health Analytics Service Agent | Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities
Google Cloud Security Response Service Agent | Gives Playbook Runner permissions to execute all Google-authored playbooks; this role will keep evolving as more playbooks are added
Security Center Service Agent | Security Center service agent can scan GCP resources and import security scans
Security Center Settings Admin | Admin (super user) access to security center settings
Security Center Settings Editor | Read-write access to security center settings
Security Center Settings Viewer | Read access to security center settings
Security Center Simulations Reader | Read access to security center simulations
Security Center Sources Admin | Admin access to sources
Security Center Sources Editor | Read-write access to sources
Security Center Sources Viewer | Read access to sources
Security Center Valued Resources Reader | Read access to security center valued resources
Security Command Center Management API roles
The following IAM roles are available for the Security Command Center Management API. You can grant these roles at the organization, folder, or project level.
Role | Description
---|---
Security Center Management Admin | Full access to manage Cloud Security Command Center services and custom modules configuration
Security Center Management Custom Modules Editor | Full access to manage Cloud Security Command Center custom modules
Security Center Management Custom Modules Viewer | Read-only access to Cloud Security Command Center custom modules
Security Center Management Custom ETD Modules Editor | Full access to manage Cloud Security Command Center ETD custom modules
Security Center Management ETD Custom Modules Viewer | Read-only access to Cloud Security Command Center ETD custom modules
Security Center Management Services Editor | Full access to manage Cloud Security Command Center services configuration
Security Center Management Services Viewer | Read-only access to Cloud Security Command Center services configuration
Security Center Management Settings Editor | Full access to manage Cloud Security Command Center settings
Security Center Management Settings Viewer | Read-only access to Cloud Security Command Center settings
Security Center Management SHA Custom Modules Editor | Full access to manage Cloud Security Command Center SHA custom modules
Security Center Management SHA Custom Modules Viewer | Read-only access to Cloud Security Command Center SHA custom modules
Security Center Management Viewer | Read-only access to Cloud Security Command Center services and custom modules configuration
Service agent roles
A service agent allows a service to access your resources.
After you activate Security Command Center, two service agents, which are a type of service account, are created for you:
- service-project-PROJECT_NUMBER@security-center-api.iam.gserviceaccount.com. This service agent requires the roles/securitycenter.serviceAgent IAM role.
- service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com. This service agent requires the roles/containerthreatdetection.serviceAgent IAM role.
For Security Command Center to function, the service agents must be granted the required IAM roles. You are prompted to grant the roles during the activation process of Security Command Center.
To view the permissions for each role, see the following:
To grant the roles, you must have the roles/resourcemanager.projectIamAdmin role on the project. If you don't have that role, your project or organization administrator can grant the roles to the service agents for you with the following gcloud CLI command. The binding is set on the project, so the command is gcloud projects add-iam-policy-binding, and the --member value must carry the serviceAccount: prefix:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_AGENT_NAME" \
    --role="IAM_ROLE"
Replace the following:
- PROJECT_ID: your project ID
- SERVICE_AGENT_NAME: either of the following service agent names:
  - service-project-PROJECT_NUMBER@security-center-api.iam.gserviceaccount.com
  - service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
- IAM_ROLE: the required role that corresponds to the specified service agent:
  - roles/securitycenter.serviceAgent for the security-center-api service agent
  - roles/containerthreatdetection.serviceAgent for the gcp-sa-ktd-hpsa service agent
Run the command once per service agent, with the matching role.
To find your project ID and project number, see Identify projects.
For more information about IAM roles, see Understanding roles.
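Activation normally prompts for these grants, but a project whose policy was later edited, or restored from an older policy, can end up with one agent bound and the other missing. The script below is an added example, not code from the Security Command Center documentation or from Google: it reads a project IAM policy in the JSON shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`, checks for the two required service agent bindings, and prints the exact grant command for each one that is missing. The project ID, project number, and policy are constructed sample values; in practice you would feed in the real command output.

```python
# Added example (not from the Security Command Center docs): verify that a
# project's IAM policy contains the bindings the two Security Command Center
# service agents require, and build the gcloud commands that add any that
# are missing. SAMPLE_POLICY_JSON is constructed data in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
import json

PROJECT_ID = "my-scc-project"      # assumed example values, not real ones
PROJECT_NUMBER = "123456789012"

# Service agent domain -> role it requires (both taken from this page).
SERVICE_AGENTS = {
    "security-center-api": "roles/securitycenter.serviceAgent",
    "gcp-sa-ktd-hpsa": "roles/containerthreatdetection.serviceAgent",
}

# Constructed policy: only the security-center-api agent has been bound.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/securitycenter.serviceAgent",
         "members": ["serviceAccount:service-project-123456789012"
                     "@security-center-api.iam.gserviceaccount.com"]},
        {"role": "roles/resourcemanager.projectIamAdmin",
         "members": ["user:owner@example.com"]},
    ],
    "etag": "BwXexample=",
    "version": 1,
})


def required_bindings(project_number):
    """Map each service agent member, with the serviceAccount: prefix that
    --member expects, to the role it needs on the project."""
    return {
        f"serviceAccount:service-project-{project_number}"
        f"@{domain}.iam.gserviceaccount.com": role
        for domain, role in SERVICE_AGENTS.items()
    }


def missing_bindings(policy_json, project_number):
    """Return [(member, role)] for required bindings absent from the policy.

    Conditional bindings are not counted: the agents need unconditional
    access, so a conditional grant is treated as missing.
    """
    policy = json.loads(policy_json)
    granted = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        for member in binding.get("members", []):
            granted.add((member, binding["role"]))
    return [(member, role)
            for member, role in required_bindings(project_number).items()
            if (member, role) not in granted]


def grant_commands(project_id, missing):
    """gcloud commands that would add each missing binding to the project."""
    return [
        f'gcloud projects add-iam-policy-binding {project_id} '
        f'--member="{member}" --role="{role}"'
        for member, role in missing
    ]


if __name__ == "__main__":
    missing = missing_bindings(SAMPLE_POLICY_JSON, PROJECT_NUMBER)
    if not missing:
        print("Both service agents already hold their required roles.")
    for command in grant_commands(PROJECT_ID, missing):
        print(command)
```

The script only reports; it never changes the policy, so it is safe to run from a read-only audit role. It checks the project policy alone, which is the right scope here: the service agent roles are granted on the project that activated Security Command Center, and a conditional binding on an agent is flagged because a service agent cannot satisfy a request-time condition reliably.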
Web Security Scanner roles
The following IAM roles are available for Web Security Scanner. You can grant these roles at the project level.
Role | Description
---|---
Web Security Scanner Editor | Full access to all Web Security Scanner resources
Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans
Web Security Scanner Viewer | Read access to all Web Security Scanner resources
Cloud Web Security Scanner Service Agent | Gives the Cloud Web Security Scanner service account access to Compute Engine details and App Engine details