GCP has over a few thousand built-in (predefined) roles covering a variety of activities. (Also read: AWS work functions mapped to policies in AWS.)
Organizational Level Work Functions
  • Organization Policy > Organization Policy Admin. This grants permissions to set organization-level Cloud IAM policies.
  • Organization Policy > Organization Policy Viewer. This grants permissions to view the Cloud IAM policies that apply to the organization.
  • IAM > Security Reviewer. This grants permissions to view all resources for the organization, and to view the Cloud IAM policies that apply to them.
  • Roles > Organization Role Viewer. This grants permissions to view all custom Cloud IAM roles in the organization, and to view the projects that they apply to.
  • Security Center > Security Center Admin. This grants administrator access to Security Command Center.
  • Resource Manager > Folder IAM Admin. This grants permissions to set folder-level Cloud IAM policies.
  • Logging > Private Logs Viewer. This grants read-only access to Cloud Logging features, including the ability to read private logs.
  • Logging > Logs Configuration Writer. This grants permissions to create logs-based metrics and export sinks.
  • Kubernetes Engine > Kubernetes Engine Viewer. This grants read-only access to Kubernetes Engine resources.
  • Compute Engine > Compute Viewer. This grants read-only access to Compute Engine resources.
  • BigQuery > BigQuery Data Viewer. This grants read-only access to BigQuery datasets and the tables within them.

Security Work Functions - Level 1 Access - Security Auditor Only (Read Only Roles)

A security auditor does not need to be an Org Owner or an Org Admin, but does need:
  1. roles/resourcemanager.organizationViewer
  2. roles/iam.securityReviewer
The latter is an all-inclusive, global security reader, similar to the AWS SecurityAudit managed policy. It is a read-only predefined role.
Level 2 Access - Actual Remediation Tasks based on Security Command Center Findings
In order to perform remediation tasks, as well as to spin up test resources (including new VPCs and the resources within them), these are some of the predefined GCP roles that would be needed:
  1. Shared VPC Admin (at the Org level)
  2. Network Admin (at the Org level)
  3. Security Admin (at the Org level)
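To make the two access levels checkable rather than just a list, here is an added example (not code from the original post, and not a Google tool) that audits an organization-level IAM policy against them. The policy document is constructed inline in the shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json`; the member names are made up. The Level 1 role IDs come from the list above; the Level 2 IDs (roles/compute.xpnAdmin for Shared VPC Admin, roles/compute.networkAdmin, roles/compute.securityAdmin) and the roles/compute.storageAdmin misgrant in the sample are the predefined-role names for the titles used on this page.

```python
"""Audit an org IAM policy against the Level 1 / Level 2 work-function tiers."""
from __future__ import annotations

from collections import defaultdict

# Level 1: read-only security auditor (role IDs as listed on the page).
LEVEL1_READ_ONLY = {
    "roles/resourcemanager.organizationViewer",
    "roles/iam.securityReviewer",
}
# Level 2: remediation based on Security Command Center findings.
LEVEL2_REMEDIATION = {
    "roles/compute.xpnAdmin",       # Shared VPC Admin
    "roles/compute.networkAdmin",   # Network Admin
    "roles/compute.securityAdmin",  # Security Admin
}
# Neither tier requires these; the page says an auditor need not be Org Owner/Admin.
ORG_OWNER_OR_ADMIN = {"roles/owner", "roles/resourcemanager.organizationAdmin"}

# Constructed sample policy (same shape as `gcloud organizations get-iam-policy`).
# The auditor group has been (wrongly) granted Storage Admin on top of Level 1.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwConstructedEtag=",
    "bindings": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["group:sec-audit@example.com", "user:remediator@example.com"]},
        {"role": "roles/iam.securityReviewer",
         "members": ["group:sec-audit@example.com"]},
        {"role": "roles/compute.xpnAdmin", "members": ["user:remediator@example.com"]},
        {"role": "roles/compute.networkAdmin",
         "members": ["user:remediator@example.com", "user:netops@example.com"]},
        {"role": "roles/compute.securityAdmin", "members": ["user:remediator@example.com"]},
        {"role": "roles/compute.storageAdmin", "members": ["group:sec-audit@example.com"]},
        {"role": "roles/owner", "members": ["user:ceo@example.com"]},
    ],
}


def roles_by_member(policy: dict) -> dict[str, set[str]]:
    """Invert the bindings list into member -> set of roles."""
    out: dict[str, set[str]] = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return dict(out)


def access_level(roles: set[str]) -> str:
    """Classify a role set: strictly within Level 1, within Level 1+2, or beyond both."""
    if not roles:
        return "none"
    if roles <= LEVEL1_READ_ONLY:
        return "level1"
    if roles <= LEVEL1_READ_ONLY | LEVEL2_REMEDIATION:
        return "level2"
    return "outside-defined-levels"


def missing_level_roles(roles: set[str], level: str) -> list[str]:
    """Roles from the requested tier that the member does not yet hold."""
    tier = LEVEL1_READ_ONLY if level == "level1" else LEVEL2_REMEDIATION
    return sorted(tier - roles)


def audit_policy(policy: dict, auditors: set[str]) -> dict[str, dict]:
    """Per-member report: computed level, held roles, and least-privilege findings."""
    report: dict[str, dict] = {}
    for member, roles in roles_by_member(policy).items():
        findings: list[str] = []
        if member in auditors:
            extra = sorted(roles - LEVEL1_READ_ONLY)
            if extra:
                findings.append("auditor holds non-read-only role(s): " + ", ".join(extra))
        held_owner = sorted(roles & ORG_OWNER_OR_ADMIN)
        if held_owner:
            findings.append("org Owner/Admin granted, not required by either level: "
                            + ", ".join(held_owner))
        report[member] = {"level": access_level(roles), "roles": sorted(roles),
                          "findings": findings}
    return report


if __name__ == "__main__":
    for member, entry in audit_policy(SAMPLE_POLICY, {"group:sec-audit@example.com"}).items():
        print(f"{member}: {entry['level']}")
        for finding in entry["findings"]:
            print("  -", finding)
```

Run against a real organization by replacing `SAMPLE_POLICY` with the parsed output of `gcloud organizations get-iam-policy`; the `auditors` argument is the set of principals that are supposed to sit at Level 1, so anything beyond the two read-only roles on those principals is reported.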

Compute Admins

- Compute Admin: full control of all Compute Engine resources (compute.*).

Network Admins (not the same as Security Admins)

- Can manage networking resources EXCEPT firewall rules and SSL certificates.

- A Network Admin does not get to manage firewall rules, even though firewall rules exist at the VPC level; a Network Admin can create and manage the VPC itself, but not the rules within it.

Storage Admins

- Can manage disks, images, and snapshots.

Need an experienced Cloud Networking or a Cloud Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.