Control access to features in the Security Operations console

The Security Command Center Enterprise tier provides both the Google Cloud console and Security Operations console to investigate and remediate vulnerabilities, misconfigurations, and threats. Security Command Center Enterprise users need IAM permissions to access Security Command Center features in both Google Cloud console and Security Operations console.

Google Security Operations has a set of predefined IAM roles that let you access SIEM-related features and SOAR-related features in the Security Operations console. You can grant the Google Security Operations roles at the project level.

Security Command Center has a set of predefined IAM roles that let you access features in the Security Operations console that are unique to the Security Command Center Enterprise tier. These include the following:

To view Security Command Center-specific features in the Security Operations console, including the risk dashboards and findings, users need at least the roles/securitycenter.adminViewer role. Grant the Security Command Center roles at the organization level.

As you plan the deployment, review the following to identify which users need access to features:

The steps to grant access to features differ depending on the identity provider configuration.

  • If you use Google Workspace or Cloud Identity as the identity provider, you grant roles directly to a user or group. See Configure a Google Cloud identity provider for an example of how to do this.

  • If you use Workforce Identity Federation to connect to a third-party identity provider (such as Okta or Azure AD), you grant roles to identities in a workforce identity pool or to a group within the workforce identity pool.

    See Configure feature access control using IAM for examples of how to grant SIEM-related features and SOAR-related features to a workforce identity pool.

    Make sure the workforce pools include permissions to access Security Command Center-specific features in Security Operations console. The following are examples:

    • To grant the Security Center Admin Viewer role to all users in a workforce identity pool, run the following command:

      gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
          --role roles/securitycenter.adminViewer \
          --member "principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/*" \
          --condition None
      

      Replace the following:

      • ORGANIZATION_ID: the numeric organization ID.
      • WORKFORCE_POOL_ID: the value you defined for the workforce identity pool ID.
    • To grant the Security Center Admin Viewer role to a specific group, run the following command:

      gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
          --role roles/securitycenter.adminViewer \
          --member "principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/group/GROUP_ID" \
          --condition None
      

      Replace GROUP_ID with a group from the mapped google.groups claim.
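The two commands above differ only in how broadly the member string scopes the grant: the `/*` form binds every identity in the workforce pool, while the `/group/GROUP_ID` form binds only identities carrying that group claim. The following added example (not part of this page or of gcloud) audits an exported organization IAM policy for that distinction; the policy JSON, pool ID and group names are constructed placeholders.

```python
import json
import re
from typing import Dict, List

# Constructed sample, shaped like `gcloud organizations get-iam-policy --format=json`
# output. Pool and group IDs are placeholders, not values from the documentation.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/securitycenter.adminViewer",
         "members": [
             "principalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/*",
             "principalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/group/soc-analysts",
             "group:soc-admins@example.com",
         ]},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ]
})

# Matches the two workforce-pool member forms shown on this page: whole pool (`/*`)
# or a single mapped group (`/group/GROUP_ID`).
POOL_MEMBER = re.compile(
    r"^principalSet://iam\.googleapis\.com/locations/global/workforcePools/"
    r"(?P<pool>[^/]+)/(?P<scope>\*|group/(?P<group>[^/]+))$"
)


def classify_member(member: str) -> str:
    """Return 'pool-wide', 'pool-group', or 'other' for one IAM member string."""
    m = POOL_MEMBER.match(member)
    if not m:
        return "other"
    return "pool-wide" if m.group("scope") == "*" else "pool-group"


def audit_scc_bindings(policy_json: str,
                       role: str = "roles/securitycenter.adminViewer") -> Dict[str, List[str]]:
    """Bucket every member bound to `role` by how broadly the binding grants it.

    Pool-wide bindings are the ones to review against least privilege, since any
    identity the external provider admits to the pool receives the role.
    """
    policy = json.loads(policy_json)
    result: Dict[str, List[str]] = {"pool-wide": [], "pool-group": [], "other": []}
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        for member in binding.get("members", []):
            result[classify_member(member)].append(member)
    return result


if __name__ == "__main__":
    for kind, members in audit_scc_bindings(SAMPLE_POLICY).items():
        print(f"{kind}: {members}")
```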