Control access to features in Security Operations console pages
The Security Command Center Enterprise tier includes certain features available from Google Security Operations. You investigate and remediate vulnerabilities, misconfigurations, and threats using both Google Cloud console and Security Operations console pages.
Security Command Center Enterprise users need IAM permissions to access Security Command Center features in both the Google Cloud console and Security Operations console pages.
Google Security Operations has a set of predefined IAM roles that let you access SIEM-related features and SOAR-related features in Security Operations console pages. You can grant the Google Security Operations roles at the project level.
Security Command Center has a set of predefined IAM roles that let you access features in Security Operations console pages that are unique to the Security Command Center Enterprise tier. These include the following:
- Security Center Admin Editor (roles/securitycenter.adminEditor)
- Security Center Admin Viewer (roles/securitycenter.adminViewer)
To view Security Command Center features available in Security Operations console pages, users need at least the Security Center Admin Viewer (roles/securitycenter.adminViewer) role. Grant the Security Command Center roles at the organization level.
As you plan the deployment, review the following to identify which users need access to features:
- To grant users access to features and findings in the Google Cloud console, see Access control with IAM.
- To grant users access to SIEM-related threat detection and investigation features in Security Operations console pages, see Configure feature access control using IAM.
- To grant users access to SOAR-related response features in Security Operations console pages, see Map IAM roles in the SOAR side of the Security Operations console. You also map the SOAR-related IAM roles to SOC roles, permission groups, and environments under SOAR settings.
- To create custom IAM roles using Google SecOps IAM permissions, see Create and assign a custom role to a group.
- To access features available with Security Command Center Enterprise, such as the Posture Overview page, grant users the required IAM roles in the organization where Security Command Center Enterprise is activated.
The steps to grant access to features differ depending on the identity provider configuration.
- If you use Google Workspace or Cloud Identity as the identity provider, you grant roles directly to a user or group. See Configure a Google Cloud identity provider for an example of how to do this.
- If you use Workforce Identity Federation to connect to a third-party identity provider (such as Okta or Azure AD), you grant roles to identities in a workforce identity pool or to a group within the workforce identity pool. See Configure feature access control using IAM for examples of how to grant SIEM-related features and SOAR-related features to a workforce identity pool.
Make sure the workforce pools include permissions to access Security Command Center-specific features in Security Operations console pages. The following are examples:
To grant the Security Center Admin Viewer role to all users in a workforce identity pool, run the following command:

```bash
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --role roles/securitycenter.adminViewer \
  --member "principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/*" \
  --condition None
```

Replace the following:
- ORGANIZATION_ID: the numeric organization ID.
- WORKFORCE_POOL_ID: the value you defined for the workforce identity pool ID.
To grant the Security Center Admin Viewer role to a specific group, run the following command:

```bash
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --role roles/securitycenter.adminViewer \
  --member "principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/group/GROUP_ID" \
  --condition None
```

Replace the following:
- GROUP_ID: a group in the mapped google.groups claim.
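After granting the bindings above, you will want to confirm that the organization policy actually contains them. The following is an added example, not code from this page or from Google; it parses the JSON printed by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` (assumed shape: a `bindings` list of `role`, `members` and optional `condition`) and reports which workforce-pool principals hold one of the two Security Command Center roles named above, flagging conditional bindings because the page grants them with `--condition None`. The pool ID `soc-pool` and the sample policy are constructed for the example.

```python
import json
import re

# Roles this page names for Security Command Center features in the
# Security Operations console; either one gives at least viewer access.
SCC_CONSOLE_ROLES = {
    "roles/securitycenter.adminViewer",
    "roles/securitycenter.adminEditor",
}

# Workforce-pool member forms from the page: the whole pool ("/*") or one
# group from the mapped google.groups claim ("/group/GROUP_ID").
_POOL_MEMBER = re.compile(
    r"^principalSet://iam\.googleapis\.com/locations/global/workforcePools/"
    r"(?P<pool>[^/]+)/(?:\*|group/(?P<group>[^/]+))$"
)


def check_workforce_pool_access(policy_json: str, pool_id: str) -> dict:
    """Report which principals of pool_id hold an SCC console role.

    policy_json is the JSON from `gcloud organizations get-iam-policy`.
    Returns {"pool_wide": bool, "groups": [GROUP_ID...], "conditional": [member...]}.
    """
    policy = json.loads(policy_json)
    result = {"pool_wide": False, "groups": [], "conditional": []}
    for binding in policy.get("bindings", []):
        if binding.get("role") not in SCC_CONSOLE_ROLES:
            continue
        for member in binding.get("members", []):
            m = _POOL_MEMBER.match(member)
            if not m or m.group("pool") != pool_id:
                continue
            # The page grants with --condition None; a conditional binding
            # only applies while its expression holds, so flag it separately.
            if binding.get("condition"):
                result["conditional"].append(member)
            elif m.group("group") is None:
                result["pool_wide"] = True
            else:
                result["groups"].append(m.group("group"))
    return result


# Constructed sample policy (not real gcloud output) showing both member forms.
_WP = "principalSet://iam.googleapis.com/locations/global/workforcePools/"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/securitycenter.adminViewer", "members": [_WP + "soc-pool/group/soc-analysts"]},
    {"role": "roles/securitycenter.adminEditor", "members": [_WP + "soc-pool/*"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}},
    {"role": "roles/viewer", "members": [_WP + "other-pool/*"]},
]})
```

Run it against the real policy export to see an empty `groups` list and `pool_wide` false for a pool that should have access, which means the binding from the commands above is missing or was granted with a condition.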
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.