
Data RBAC Scoping: Problem, Findings & Fix

  • June 24, 2026
  • 2 replies
  • 3 views

Bartosz J

In the last few days I spent hours configuring data RBAC in Google Chronicle (Security Operations) SIEM to restrict users to specific data scopes using Workforce Identity Federation with Azure AD groups. The goal was simple: users in a specific AD group should only see data within their assigned scope, but despite anything and everything I tried, nothing seemed to work as expected. I figured I would share my findings here in case somebody else bumps into a similar problem.

Despite everything appearing correctly configured:

- Workforce pool working
- IDP group showing correctly for the user
- IAM condition set on Restricted Data Access role
- Chronicle SIEM Settings showing correct scope binding

The user kept seeing "Scopes Assigned: (No scopes assigned)" or was getting global access instead of scoped access.

The predefined Chronicle roles (Chronicle API Editor, Chronicle API Viewer) contain the permission chronicle.globalDataAccessScopes.permit. This permission overrides any scope assignment, forcing the user to have global data access regardless of the Chronicle API Restricted Data Access role and its IAM conditions.

This is briefly mentioned in the documentation:

"Global access overrides scoped access. If a user is assigned both a global role and a scoped role, they have access to all data, regardless of any restrictions imposed by the scoped role."

However, it's not immediately obvious that the predefined roles themselves contain global permissions.

The Fix

Create a custom role instead of using the predefined ones:

1. Go to GCP IAM, Roles, Create Role
2. Copy all permissions from the predefined role (e.g., Chronicle API Editor)
3. Remove:
    chronicle.globalDataAccessScopes.permit
    chronicle.DataAccessScopes.permit (if exists)
4. Add:
    chronicle.dataAccessScopes.list
5. Save as your custom role (e.g., Chronicle Scoped Editor)

Key Takeaways

- Never use predefined Chronicle API Editor/Viewer/Admin for scoped users, they silently override scopes
- Always create custom roles for scoped users with the global permit permissions removed
- Scope assignment is done via IAM Conditions on the Restricted Data Access role using CEL expressions
- For Workforce Identity Federation users, the Browser role at the GCP project level is required for authentication
- Verify IDP group claims are being sent as group names, not Object IDs (GUIDs), especially with Azure AD

Pro Tip
If you need multiple scoped roles (Viewer, Editor, Admin), follow the same pattern for each: Copy predefined role, remove global permits, add dataAccessScopes.list

Hope this saves someone the hours of troubleshooting!

REF:
https://docs.cloud.google.com/chronicle/docs/administration/datarbac-overview
https://docs.cloud.google.com/chronicle/docs/administration/configure-datarbac-users#create-manage-scopes
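As an added example (not code from the post's author or from Google), the script below turns the two recommendations above into something scriptable: it derives the scoped custom role from a predefined role's permission list (the Fix, steps 2 to 4) and audits a principal's role bindings for a global permit that would override the scope condition (the first Key Takeaway). The role IDs such as roles/chronicle.editor and the custom role path are assumed names, and every permission list except the two permission names quoted in the post is a constructed sample; in practice you would feed build_scoped_role() the output of `gcloud iam roles describe <ROLE_ID>`.

```python
# Added example for the thread above; not code from the post's author or
# from Google. ASSUMPTIONS: role IDs (roles/chronicle.editor, ...) are
# assumed names and every permission list except the two permission
# names quoted in the post is a CONSTRUCTED sample. Replace
# SAMPLE_PREDEFINED_EDITOR with the real list from
#   gcloud iam roles describe <ROLE_ID>

# Permissions the post says to strip; a role carrying either of them gives
# global data access regardless of the scoped role's IAM condition.
GLOBAL_PERMITS = frozenset({
    "chronicle.globalDataAccessScopes.permit",
    "chronicle.DataAccessScopes.permit",  # "(if exists)" in the post
})
SCOPE_LIST_PERMISSION = "chronicle.dataAccessScopes.list"

# CONSTRUCTED sample standing in for `gcloud iam roles describe` output.
SAMPLE_PREDEFINED_EDITOR = [
    "chronicle.example.get",     # placeholder permission
    "chronicle.example.update",  # placeholder permission
    "chronicle.globalDataAccessScopes.permit",
]


def build_scoped_role(predefined_permissions):
    """Fix steps 2-4: copy the list, drop global permits, add the scope-list permission."""
    kept = {p for p in predefined_permissions if p not in GLOBAL_PERMITS}
    kept.add(SCOPE_LIST_PERMISSION)
    return sorted(kept)


def render_role_yaml(title, permissions, stage="GA"):
    """Render a file body for `gcloud iam roles create ID --project P --file role.yaml`."""
    lines = [f"title: {title}", f"stage: {stage}", "includedPermissions:"]
    lines += [f"- {p}" for p in permissions]
    return "\n".join(lines) + "\n"


def audit_principal(bindings, role_permissions):
    """Check one principal's bindings before trusting that a scope will hold.

    bindings: list of (role_id, condition_expression_or_None).
    role_permissions: role_id -> list of permissions contained in that role.
    Returns a list of findings; an empty list means nothing overrides the scope.
    """
    findings = []
    scoped_binding_seen = False
    lists_scopes = False
    for role_id, condition in bindings:
        perms = set(role_permissions.get(role_id, ()))
        overriding = sorted(perms & GLOBAL_PERMITS)
        if overriding:
            findings.append(f"{role_id} carries {', '.join(overriding)}: "
                            "global access overrides the scoped role")
        if condition:
            scoped_binding_seen = True
        if SCOPE_LIST_PERMISSION in perms:
            lists_scopes = True
    if not scoped_binding_seen:
        findings.append("no conditional (scoped) binding found for this principal")
    if not lists_scopes:
        findings.append(f"no bound role grants {SCOPE_LIST_PERMISSION}, which the fix adds")
    return findings


# CONSTRUCTED sample: the broken setup from the post (predefined editor plus the
# conditioned Restricted Data Access role) and the fixed one (custom role instead).
SCOPE_CONDITION = "<CEL expression binding the principal to its data access scope>"  # placeholder
ROLE_PERMISSIONS = {
    "roles/chronicle.editor": SAMPLE_PREDEFINED_EDITOR,                       # assumed ID
    "roles/chronicle.restrictedDataAccess": ["chronicle.example.restricted"],  # assumed ID, placeholder perm
    "projects/my-project/roles/chronicleScopedEditor":                        # assumed custom role path
        build_scoped_role(SAMPLE_PREDEFINED_EDITOR),
}
BEFORE_FIX = [("roles/chronicle.editor", None),
              ("roles/chronicle.restrictedDataAccess", SCOPE_CONDITION)]
AFTER_FIX = [("projects/my-project/roles/chronicleScopedEditor", None),
             ("roles/chronicle.restrictedDataAccess", SCOPE_CONDITION)]

if __name__ == "__main__":
    print(render_role_yaml("Chronicle Scoped Editor", build_scoped_role(SAMPLE_PREDEFINED_EDITOR)))
    for label, bindings in (("before fix:", BEFORE_FIX), ("after fix:", AFTER_FIX)):
        print(label, audit_principal(bindings, ROLE_PERMISSIONS) or ["OK"])
```

The audit deliberately reports the global permit as a finding even when a correctly conditioned Restricted Data Access binding is present, because that is exactly the combination the documentation quote above describes: the global role wins and the condition is silently irrelevant.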

2 replies

BrianK
Staff
  • Staff
  • June 24, 2026

Great write up!


Bartosz J
  • Author
  • Bronze 2
  • June 25, 2026

Thank you Brian!