Access a Google SecOps instance
This guide helps Google SecOps administrators configure user access to a newly provisioned Google SecOps instance. Configuring access control properly and knowing how to troubleshoot common issues are crucial for maintaining security and operational efficiency.
Before you begin
- Confirm that you completed the initial Google SecOps instance setup. For more information, see Link a Google SecOps instance to Google Cloud services.
- You must have administrative privileges in both Google Cloud IAM and Google SecOps. For more information, see Required roles and permissions.
- Make sure your identity provider (IdP) group or email has been granted the Chronicle API Admin role within Google Cloud IAM.
- Familiarize yourself with the authentication method chosen for your instance: Cloud Identity or Workforce Identity Federation.
Configure user access
Sign in to the Google SecOps instance and complete the following steps to enable users to access the instance.
- Configure users: Work with your Identity Admin to configure the users in your chosen authentication setup:
  - Cloud Identity: You need to add user accounts to Cloud Identity. For more information, see Configure a Google Cloud Identity provider.
  - Third-party identity provider:
    - You need to add user and group accounts to the third-party identity provider.
    - You must configure users and groups as part of setting up the Workforce Identity Federation. For more information, see Configure a third-party identity provider.
- Grant IAM roles: Assign users the specific predefined or custom roles in IAM based on the features they need to access. For more information, see Configure feature access control using IAM.
- Map SOAR permissions: Map users to the required SOAR environments, SOAR permission groups (if you haven't migrated to IAM), and SOAR SOC roles on the Group Mapping page. For more information, see Control access to the platform.
Disable the default SOAR access settings
By default, the SOAR Group Mapping page enables the Default Access Settings toggle. This grants the following to any users and groups who are not explicitly defined in the Group Mapping table:
- The Administrator SOC role
- Access to All environments
- Admins permission group (if you haven't completed Permission Groups Migration to Google Cloud IAM)
After you configure the required records (rows) in the Group Mappings table, we recommend that you disable the Default Access Settings toggle to enforce the principle of least privilege.
Troubleshoot access issues
If users have trouble logging in to Google SecOps, the IAM configuration in the Google Cloud project linked to your Google SecOps instance might be the cause.
For example, users might see the following error message: Cannot Authenticate user, because user does not have access to the GCP project associated with this Chronicle customer.
This error typically means the associated Google Cloud project does not grant the necessary IAM roles to the user's account or group.
Common causes and solutions
| Error | Description | Solution |
|---|---|---|
| User or group missing from IAM configuration | The linked Google Cloud project's IAM policy might not include the user or group, or an administrator might have removed them. | |
| Incorrect IAM roles | The user or group is included in the IAM configuration, but they lack the specific roles required to access the Google SecOps instance. | |
| Recent IAM changes | An administrator or automation tool might have recently modified the IAM policies, inadvertently affecting user access. | |
For more information on required roles, see Configure feature access control using IAM.
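One way to tell the first two causes in the table apart, as an added example that is not part of the original page or Google's own tooling: the function takes a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, plus every member string that represents the user. The `roles/chronicle.` prefix check, the result labels, and the pool, group, project and user names in the sample policy are assumptions constructed for illustration.

```python
from __future__ import annotations

# Assumption: predefined Google SecOps roles share the "roles/chronicle." prefix
# (for example roles/chronicle.admin for Chronicle API Admin).
SECOPS_ROLE_PREFIX = "roles/chronicle."
CUSTOM_ROLE_PREFIXES = ("projects/", "organizations/")


def diagnose(policy: dict, principals: set[str]) -> tuple[str, list[str]]:
    """Classify one user's access against the linked project's IAM policy.

    principals holds every IAM member string that can represent the user:
    the user's own identity plus each group the IdP places them in.
    """
    granted = sorted({
        binding["role"]
        for binding in policy.get("bindings", [])
        if principals & set(binding.get("members", []))
    })
    if not granted:
        return "missing-from-policy", []      # user or group missing from IAM
    secops = [r for r in granted if r.startswith(SECOPS_ROLE_PREFIX)]
    if secops:
        return "ok", secops
    custom = [r for r in granted if r.startswith(CUSTOM_ROLE_PREFIXES)]
    if custom:
        return "review-custom-role", custom   # permissions need manual review
    return "incorrect-roles", granted         # bound, but no SecOps role


# Constructed sample policy; pool, group, project and user names are placeholders.
POOL = "iam.googleapis.com/locations/global/workforcePools/example-pool"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/chronicle.admin",
     "members": [f"principalSet://{POOL}/group/secops-admins"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    {"role": "projects/example-project/roles/customSecOpsAnalyst",
     "members": ["group:tier1@example.com"]},
]}

if __name__ == "__main__":
    users = {
        "alice": {f"principal://{POOL}/subject/alice@example.com",
                  f"principalSet://{POOL}/group/secops-admins"},
        "bob": {"user:bob@example.com"},
        "carol": {"user:carol@example.com"},
        "dave": {"user:dave@example.com", "group:tier1@example.com"},
    }
    for name, members in users.items():
        print(name, *diagnose(SAMPLE_POLICY, members))
```

A single policy snapshot cannot show the third cause (recent IAM changes); running the same function over two snapshots taken at different times shows whether a user's result changed.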