IAM pour les activations au niveau du projet

Cette page explique comment utiliser Identity and Access Management (IAM) pour contrôler l'accès aux ressources lors d'une activation de Security Command Center au niveau du projet. Consultez cette page uniquement si Security Command Center n'est pas activé pour votre organisation.

Consultez IAM pour les activations au niveau de l'organisation (et non cette page) si l'une des conditions suivantes s'applique:

  • Security Command Center est activé au niveau de l'organisation et non au niveau du projet.
  • Security Command Center Standard est déjà activé au niveau de l'organisation. De plus, vous avez activé Security Command Center Premium sur un ou plusieurs projets.

Security Command Center utilise les rôles IAM pour vous permettre de contrôler qui peut faire quoi avec les éléments, les résultats et les sources de sécurité au sein de votre environnement Security Command Center. Vous attribuez des rôles à des personnes physiques et à des applications, et chaque rôle donne des autorisations spécifiques.

Autorisations

Pour configurer Security Command Center ou modifier la configuration de votre projet, vous avez besoin des deux rôles suivants:

  • Administrateur de projet IAM (roles/resourcemanager.projectIamAdmin)
  • Administrateur du centre de sécurité (roles/securitycenter.admin)

Si un utilisateur ne nécessite pas de droits de modification, pensez à lui accorder des rôles de lecteur. Pour afficher tous les éléments et résultats dans Security Command Center, les utilisateurs doivent disposer du rôle Lecteur administrateur du centre de sécurité (roles/securitycenter.adminViewer). Les utilisateurs qui ont également besoin d'afficher les paramètres doivent disposer du rôle Lecteur de paramètres du centre de sécurité (roles/securitycenter.settingsViewer).

Bien que vous puissiez définir tous ces rôles à n'importe quel niveau de la hiérarchie des ressources, nous vous recommandons de les définir au niveau du projet. Cette pratique est conforme au principe du moindre privilège.

Pour obtenir des instructions sur la gestion des rôles et des autorisations, consultez la page Gérer l'accès aux projets, aux dossiers et aux organisations.

Accès hérité aux activations de Security Command Center au niveau du projet

Un projet hérite de toutes les liaisons de rôle définies au niveau des dossiers et de l'organisation qui le contiennent. Par exemple, si un compte principal dispose du rôle Éditeur des résultats de Security Command Center (roles/securitycenter.findingsEditor) au niveau de l'organisation, il dispose du même rôle au niveau du projet. Ce principal peut afficher et modifier les résultats de n'importe quel projet de cette organisation pour lequel Security Command Center est actif.

La figure suivante illustre une hiérarchie de ressources Security Command Center avec des rôles accordés au niveau de l'organisation.

Hiérarchie des ressources et structure des autorisations de Security Command Center
Hiérarchie de ressources Security Command Center et rôles au niveau de l'organisation (cliquez pour agrandir)

Pour afficher la liste des comptes principaux qui ont accès à votre projet, y compris ceux qui ont hérité d'autorisations, consultez Afficher l'accès actuel.

Rôles IAM dans Security Command Center

Vous trouverez ci-dessous la liste des rôles IAM disponibles pour Security Command Center, ainsi que les autorisations qu'ils comprennent. Security Command Center permet d'accorder ces rôles au niveau de l'organisation, du dossier ou du projet.

Role Permissions

(roles/securitycenter.admin)

Admin(super user) access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.*

  • assuredoss.config.get
  • assuredoss.customers.create
  • assuredoss.locations.get
  • assuredoss.locations.list
  • assuredoss.metadata.get
  • assuredoss.metadata.list
  • assuredoss.operations.cancel
  • assuredoss.operations.delete
  • assuredoss.operations.get
  • assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

iam.serviceAccountKeys.create

iam.serviceAccounts.create

iam.serviceAccounts.get

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.create

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.*

  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.assets.runDiscovery
  • securitycenter.assetsecuritymarks.update
  • securitycenter.attackpaths.list
  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update
  • securitycenter.billingtier.update
  • securitycenter.complianceReports.aggregate
  • securitycenter.compliancesnapshots.list
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update
  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update
  • securitycenter.exposurepathexplan.get
  • securitycenter.findingexplanations.get
  • securitycenter.findingexternalsystems.update
  • securitycenter.findings.bulkMuteUpdate
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setMute
  • securitycenter.findings.setState
  • securitycenter.findings.setWorkflowState
  • securitycenter.findings.update
  • securitycenter.findingsecuritymarks.update
  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update
  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update
  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update
  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update
  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update
  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update
  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update
  • securitycenter.securityhealthanalyticscustommodules.create
  • securitycenter.securityhealthanalyticscustommodules.delete
  • securitycenter.securityhealthanalyticscustommodules.get
  • securitycenter.securityhealthanalyticscustommodules.list
  • securitycenter.securityhealthanalyticscustommodules.simulate
  • securitycenter.securityhealthanalyticscustommodules.test
  • securitycenter.securityhealthanalyticscustommodules.update
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update
  • securitycenter.simulations.get
  • securitycenter.sources.get
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • securitycenter.sources.update
  • securitycenter.subscription.get
  • securitycenter.userinterfacemetadata.get
  • securitycenter.valuedresources.list
  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update
  • securitycenter.vulnerabilitysnapshots.list
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

serviceusage.quotas.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminEditor)

Admin Read-write access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.*

  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.assets.runDiscovery

securitycenter.assetsecuritymarks.update

securitycenter.attackpaths.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findingexternalsystems.update

securitycenter.findings.*

  • securitycenter.findings.bulkMuteUpdate
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setMute
  • securitycenter.findings.setState
  • securitycenter.findings.setWorkflowState
  • securitycenter.findings.update

securitycenter.findingsecuritymarks.update

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.*

  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.vulnerabilitysnapshots.list

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.generateServiceAccounts

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityCommandCenter.update

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminViewer)

Admin Read access to security center

Lowest-level resources where you can grant this role:

  • Project

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

  • assuredoss.locations.get
  • assuredoss.locations.list

assuredoss.metadata.*

  • assuredoss.metadata.get
  • assuredoss.metadata.list

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.attackpaths.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.vulnerabilitysnapshots.list

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.assetSecurityMarksWriter)

Write access to asset security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.assetsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsDiscoveryRunner)

Run asset discovery access to assets

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.assets.runDiscovery

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsViewer)

Read access to assets

Lowest-level resources where you can grant this role:

  • Project

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.userinterfacemetadata.get

(roles/securitycenter.attackPathsViewer)

Read access to security center attack paths

securitycenter.attackpaths.list

(roles/securitycenter.bigQueryExportsEditor)

Read-Write access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

(roles/securitycenter.bigQueryExportsViewer)

Read access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

(roles/securitycenter.complianceReportsViewer)

Read access to security center compliance reports

securitycenter.complianceReports.aggregate

(roles/securitycenter.complianceSnapshotsViewer)

Read access to security center compliance snapshots

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

(roles/securitycenter.externalSystemsEditor)

Write access to security center external systems

securitycenter.findingexternalsystems.update

(roles/securitycenter.findingSecurityMarksWriter)

Write access to finding security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findingsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsBulkMuteEditor)

Ability to mute findings in bulk

securitycenter.findings.bulkMuteUpdate

(roles/securitycenter.findingsEditor)

Read-write access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.bulkMuteUpdate

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.findings.setMute

securitycenter.findings.setState

securitycenter.findings.update

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

securitycenter.vulnerabilitysnapshots.list

(roles/securitycenter.findingsMuteSetter)

Set mute access to findings

securitycenter.findings.setMute

(roles/securitycenter.findingsStateSetter)

Set state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsViewer)

Read access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.complianceReports.aggregate

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

securitycenter.vulnerabilitysnapshots.list

(roles/securitycenter.findingsWorkflowStateSetter)

Set workflow state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setWorkflowState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.muteConfigsEditor)

Read-Write access to security center mute configurations

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

(roles/securitycenter.muteConfigsViewer)

Read access to security center mute configurations

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

(roles/securitycenter.notificationConfigEditor)

Write access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.notificationConfigViewer)

Read access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.resourceValueConfigsEditor)

Read-Write access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.*

  • securitycenter.resourcevalueconfigs.create
  • securitycenter.resourcevalueconfigs.delete
  • securitycenter.resourcevalueconfigs.get
  • securitycenter.resourcevalueconfigs.list
  • securitycenter.resourcevalueconfigs.update

(roles/securitycenter.resourceValueConfigsViewer)

Read access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

(roles/securitycenter.securityHealthAnalyticsCustomModulesTester)

Test access to Security Health Analytics Custom Modules

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.settingsAdmin)

Admin(super user) access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.billingtier.update

securitycenter.containerthreatdetectionsettings.*

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.*

  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update

securitycenter.integratedvulnerabilityscannersettings.*

  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.rapidvulnerabilitydetectionsettings.*

  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update

securitycenter.websecurityscannersettings.*

  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycenter.settingsEditor)

Read-Write access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

  • securitycenter.bigQueryExports.create
  • securitycenter.bigQueryExports.delete
  • securitycenter.bigQueryExports.get
  • securitycenter.bigQueryExports.list
  • securitycenter.bigQueryExports.update

securitycenter.billingtier.update

securitycenter.containerthreatdetectionsettings.*

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.*

  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update

securitycenter.integratedvulnerabilityscannersettings.*

  • securitycenter.integratedvulnerabilityscannersettings.calculate
  • securitycenter.integratedvulnerabilityscannersettings.get
  • securitycenter.integratedvulnerabilityscannersettings.update

securitycenter.muteconfigs.*

  • securitycenter.muteconfigs.create
  • securitycenter.muteconfigs.delete
  • securitycenter.muteconfigs.get
  • securitycenter.muteconfigs.list
  • securitycenter.muteconfigs.update

securitycenter.notificationconfig.*

  • securitycenter.notificationconfig.create
  • securitycenter.notificationconfig.delete
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.notificationconfig.update

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.rapidvulnerabilitydetectionsettings.*

  • securitycenter.rapidvulnerabilitydetectionsettings.calculate
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

  • securitycenter.virtualmachinethreatdetectionsettings.calculate
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update

securitycenter.websecurityscannersettings.*

  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycenter.settingsViewer)

Read access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

  • securitycenter.effectivesecurityhealthanalyticscustommodules.get
  • securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.simulationsViewer)

Read access to security center simulations

securitycenter.simulations.get

(roles/securitycenter.sourcesAdmin)

Admin access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.*

  • securitycenter.sources.get
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • securitycenter.sources.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesEditor)

Read-write access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesViewer)

Read access to sources

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.valuedResourcesViewer)

Read access to security center valued resources

securitycenter.valuedresources.list

(roles/securitycentermanagement.admin)

Full access to manage Cloud Security Command Center services and custom modules configuration.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.customModulesEditor)

Full access to manage Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.*

  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.*

  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.customModulesViewer)

Readonly access to Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.etdCustomModulesEditor)

Full access to manage Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.*

  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

(roles/securitycentermanagement.etdCustomModulesViewer)

Readonly access to Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

(roles/securitycentermanagement.securityCenterServicesEditor)

Full access to manage Cloud Security Command Center services configuration.

securitycentermanagement.securityCenterServices.*

  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update

(roles/securitycentermanagement.securityCenterServicesViewer)

Readonly access to Cloud Security Command Center services configuration.

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

(roles/securitycentermanagement.settingsEditor)

Full access to manage Cloud Security Command Center settings

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.*

  • securitycenter.organizationsettings.get
  • securitycenter.organizationsettings.update

securitycenter.securitycentersettings.*

  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update

securitycentermanagement.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.create
  • securitycentermanagement.eventThreatDetectionCustomModules.delete
  • securitycentermanagement.eventThreatDetectionCustomModules.get
  • securitycentermanagement.eventThreatDetectionCustomModules.list
  • securitycentermanagement.eventThreatDetectionCustomModules.update
  • securitycentermanagement.eventThreatDetectionCustomModules.validate
  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list
  • securitycentermanagement.securityCenterServices.get
  • securitycentermanagement.securityCenterServices.list
  • securitycentermanagement.securityCenterServices.update
  • securitycentermanagement.securityCommandCenter.activate
  • securitycentermanagement.securityCommandCenter.checkActivationOperation
  • securitycentermanagement.securityCommandCenter.checkEligibility
  • securitycentermanagement.securityCommandCenter.generateServiceAccounts
  • securitycentermanagement.securityCommandCenter.get
  • securitycentermanagement.securityCommandCenter.update
  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.settingsViewer)

Readonly access to Cloud Security Command Center settings

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.get

securitycenter.securitycentersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.shaCustomModulesEditor)

Full access to manage Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.*

  • securitycentermanagement.securityHealthAnalyticsCustomModules.create
  • securitycentermanagement.securityHealthAnalyticsCustomModules.delete
  • securitycentermanagement.securityHealthAnalyticsCustomModules.get
  • securitycentermanagement.securityHealthAnalyticsCustomModules.list
  • securitycentermanagement.securityHealthAnalyticsCustomModules.simulate
  • securitycentermanagement.securityHealthAnalyticsCustomModules.test
  • securitycentermanagement.securityHealthAnalyticsCustomModules.update

(roles/securitycentermanagement.shaCustomModulesViewer)

Readonly access to Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.viewer)

Readonly access to Cloud Security Command Center services and custom modules configuration.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.get

securitycenter.securitycentersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.get
  • securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.get
  • securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

  • securitycentermanagement.locations.get
  • securitycentermanagement.locations.list

securitycentermanagement.securityCenterServices.get

securitycentermanagement.securityCenterServices.list

securitycentermanagement.securityCommandCenter.checkActivationOperation

securitycentermanagement.securityCommandCenter.get

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

Rôles d'agent de service

Un agent de service permet à un service d'accéder à vos ressources.

Après avoir activé Security Command Center, deux agents de service, qui sont un type de compte de service, sont créés pour vous:

  • service-project-PROJECT_NUMBER@security-center-api.iam.gserviceaccount.com.

    Cet agent de service nécessite le rôle IAM securitycenter.serviceAgent.

  • service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com.

    Cet agent de service nécessite le rôle IAM roles/containerthreatdetection.serviceAgent.

Pour que Security Command Center fonctionne, les agents de service doivent disposer des rôles IAM requis. Vous êtes invité à attribuer les rôles lors du processus d'activation de Security Command Center.

Pour afficher les autorisations de chaque rôle, consultez les documents suivants:

Pour attribuer les rôles, vous devez disposer du rôle roles/resourcemanager.projectIamAdmin.

Si vous ne disposez pas du rôle roles/resourcemanager.organizationAdmin, l'administrateur de votre organisation peut attribuer les rôles aux agents de service à votre place à l'aide de la commande gcloud CLI suivante:

gcloud organizations add-iam-policy-binding PROJECT_ID \
    --member="SERVICE_ACCOUNT_NAME" \
    --role="IAM_ROLE"

Remplacez les éléments suivants :

  • PROJECT_ID: ID de votre projet
  • SERVICE_AGENT_NAME: l'un des noms d'agent de service suivants :
    • service-project-PROJECT_NUMBER@security-center-api.iam.gserviceaccount.com
    • service-project-PROJECT_NUMBER@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
  • IAM_ROLE: rôle obligatoire suivant qui correspond à l'agent de service spécifié :
    • roles/securitycenter.serviceAgent
    • roles/containerthreatdetection.serviceAgent

Pour trouver votre ID et votre numéro de projet, consultez la section Identifier des projets.

Pour en savoir plus sur les rôles IAM, consultez la page Comprendre les rôles.

Web Security Scanner

Les rôles IAM vous expliquent comment utiliser Web Security Scanner. Les tableaux ci-dessous présentent chaque rôle IAM disponible pour Web Security Scanner, ainsi que les méthodes associées. Accordez ces rôles au niveau du projet. Pour donner aux utilisateurs la possibilité de créer et de gérer des analyses de sécurité, ajoutez des utilisateurs à votre projet et accordez-leur des autorisations à l'aide de rôles IAM.

Web Security Scanner accepte les rôles de base et les rôles prédéfinis qui offrent un accès plus précis aux ressources de Web Security Scanner.

Rôles IAM de base

La section suivante décrit les autorisations Web Scanner accordées par les rôles de base.

Rôle Description
Propriétaire Accès complet à toutes les ressources Web Security Scanner
Éditeur Accès complet à toutes les ressources Web Security Scanner
Lecteur Aucun accès à Web Security Scanner

Rôles IAM prédéfinis

La section suivante décrit les autorisations de Web Security Scanner accordées par les rôles Web Security Scanner.

Role Permissions

(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

cloudsecurityscanner.*

  • cloudsecurityscanner.crawledurls.list
  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.create
  • cloudsecurityscanner.scans.delete
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
  • cloudsecurityscanner.scans.update

compute.addresses.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scanruns.stop

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

cloudsecurityscanner.scans.run

(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

  • cloudsecurityscanner.results.get
  • cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Pour en savoir plus sur les rôles IAM, consultez la page Comprendre les rôles.