Map and authenticate users to enable SOAR-related features
This article shows you how to authorize and map users using Identity and Access Management (IAM)
with secure identification in the SOAR-related features on Security Operations console pages.
Before you begin
Make sure you have defined and mapped users using IAM to the SIEM-related features on Security Operations console pages.
For more information, see Control feature access using IAM.
Grant IAM roles in the Google Cloud console
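Three predefined IAM roles have been added to your Security Command Center
Enterprise project in the Google Cloud console:
- Chronicle SOAR Admin (roles/chronicle.soarAdmin)
- Chronicle SOAR Threat Manager (roles/chronicle.soarThreatManager)
- Chronicle SOAR Vulnerability Manager (roles/chronicle.soarVulnerabilityManager)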
The following procedure explains how to grant the IAM roles
to users in the Google Cloud console.
1. Open the console and select your Security Command Center.
2. Click IAM & Admin.
3. Select IAM from the navigation tree and then select Grant Access.
4. In the Grant Access dialog box, go to the Add Principals field, and enter the email addresses of users or user groups for one of the three IAM roles.
5. In the Select a role field, search for the required role: Chronicle SOAR Admin, Chronicle SOAR Threat Manager, or Chronicle SOAR Vulnerability Manager.
6. Repeat this process for all three roles or as needed.
7. Click Save.
Control user access
In the Google Cloud console navigation, go to Settings > SOAR settings.
The SOAR settings page of the Security Operations console offers
several ways to determine which users have access to which aspects
of the platform.
- Permissions groups: Set permissions groups for user types. These determine which
modules and submodules are visible or editable for users. For example,
you can set permissions such that the user sees the cases and the workdesk
but doesn't have access to the playbooks and settings. For more information, see
Working with Permission Groups in the Google SecOps documentation.
- SOC roles: Define the role of a group of users. You can assign cases, actions,
or playbooks to a SOC role instead of a specific user. Users see cases that
are assigned to them personally, to their role, or to one of the additional roles.
For more information, see Working with Roles in the Google SecOps documentation.
- Environments: Set environments that enterprises can use to manage
different networks or business units within the same organization.
Users only see data for those environments they have access to. For more
information, see Adding an environment in the Google SecOps documentation.
Map the IAM roles using the SOAR settings Security Operations console page
1. In the Google Cloud console, go to Settings > SOAR settings > Advanced > IAM Role mapping.
2. Using the display name (e.g. Chronicle SOAR Admin), assign each IAM role to the corresponding SOC roles (Threat Manager, Vulnerability Manager or Admin), permission groups (select Admins permission group), and environments (select the default environment). Alternatively, add an email address instead of an IAM role.
3. Click Save.
When each user logs in to the platform, they are
automatically added to the User Management page (which is located in
SOAR settings > Organization).
Sometimes users will try to access Security Operations console features, but their IAM role has not
been mapped in the platform. To keep these users from being rejected,
we recommend enabling and configuring the Default Access Settings on this page.
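The following check is an added example, not part of the original documentation: it reads a project IAM policy and lists principals who hold one of the three SOAR roles but have no row in the IAM Role mapping, which is the situation described above. The policy is a constructed sample in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`; the mapping dictionary, the principals, and the function names are hypothetical, since the page describes the mapping only as a console form.

```python
import json

# Role IDs and display names as listed on this page.
SOAR_ROLES = {
    "roles/chronicle.soarAdmin": "Chronicle SOAR Admin",
    "roles/chronicle.soarThreatManager": "Chronicle SOAR Threat Manager",
    "roles/chronicle.soarVulnerabilityManager": "Chronicle SOAR Vulnerability Manager",
}

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/chronicle.soarAdmin",
   "members": ["user:alice@example.com", "group:soc-admins@example.com"]},
  {"role": "roles/chronicle.soarThreatManager",
   "members": ["user:alice@example.com", "user:bob@example.com"]},
  {"role": "roles/chronicle.soarVulnerabilityManager",
   "members": ["user:carol@example.com", "user:frank@example.com"]},
  {"role": "roles/viewer", "members": ["user:erin@example.com"]}
]}
""")

# Hypothetical hand-kept copy of the IAM Role mapping rows: each key is an IAM
# role display name or an email address; values are (SOC role, permission group, environment).
SAMPLE_MAPPING = {
    "Chronicle SOAR Admin": ("Admin", "Admins", "Default Environment"),
    "Chronicle SOAR Threat Manager": ("Threat Manager", "Admins", "Default Environment"),
    "frank@example.com": ("Vulnerability Manager", "Admins", "Default Environment"),
}

def soar_principals(policy):
    """Map each principal to the sorted SOAR role display names it holds."""
    held = {}
    for binding in policy.get("bindings", []):
        name = SOAR_ROLES.get(binding.get("role"))
        if name is None:
            continue  # not one of the three SOAR roles
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(name)
    return {member: sorted(names) for member, names in held.items()}

def unmapped_principals(policy, mapping):
    """Principals whose email and SOAR roles all lack a mapping row."""
    missing = []
    for member, names in soar_principals(policy).items():
        email = member.split(":", 1)[-1]  # strip the "user:" / "group:" prefix
        if email not in mapping and not any(n in mapping for n in names):
            missing.append(member)
    return sorted(missing)

if __name__ == "__main__":
    for member in unmapped_principals(SAMPLE_POLICY, SAMPLE_MAPPING):
        print(f"{member}: no mapping row; rejected unless Default Access Settings are enabled")
```

Running the check before relying on Default Access Settings shows which principals would receive the default access rather than an explicitly mapped SOC role, permission group, and environment.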
Last updated 2025-08-25 UTC.