Skip to main content
Solved

Feature RBAC for Data RBAC restricted Admins

  • December 4, 2024
  • 5 replies
  • 127 views
nahatx
Forum|alt.badge.img+4

Hi, does anyone have the greediest set of permissions that could be granted to a custom GCP IAM role in tandem to Chronicle API Restricted Data Access without violating data RBAC?

As a partial example, looking at Chris Martin's Data RBAC blog here, he shows adding the permissions needed to create rules when granting Chronicle API Restricted Data Access Viewer. I'm using https://cloud.google.com/chronicle/docs/reference/feature-rbac-permissions-roles as a reference, but this doc doesn't cover every permission.

Alternatively, does anyone have a list of all permissions that elevate a user to Global scope? With the idea being to then remove those from a custom role copy of Chronicle API Admin.

Thanks.

Best answer by cmmartin_google

Not an authoritative answer for the Product Team, but I think if something isn't on that link you mentioned then I would consider it may not be tested to be safe for Data RBAC, and like the example you've found it would then need raising up back to us for evaluation (I've mentioned the above item to Eng colleagues), but there is roadmap work to expand the coverage of feature for Data RBAC.

I don't know about a pre-defined roles either am afraid.  I have thought for now it may be more effective to have some community Terraform IAM roles which could solve for this.

5 replies

cmmartin_google
Staff
Forum|alt.badge.img+11

A user would become a  "Global user" if they have chronicle.globalDataAccessScopes.permit permission, so ensure you don't have this in your custom role.

    nahatx
    Forum|alt.badge.img+4
    • nahatxBronze 3
    • Author
    • Bronze 3
    • December 5, 2024

    A user would become a  "Global user" if they have chronicle.globalDataAccessScopes.permit permission, so ensure you don't have this in your custom role.


    Thanks for the reply, Chris.

    As I dig deeper into this, my concern is that even if a user is not a "Global user", data RBAC can still easily be violated. Certain features that can do so are documented here (such as Looker dashboards, etc). But I'm also finding that there are other undocumented potential impacts and edge cases. For example, if enabling permissions required for parser UI management, the sample log provided when creating a custom parser doesn't abide by data RBAC scopes.

    Are there plans to address some of these issues and/or eventually release a pre-defined Chronicle API Restricted Data Access Editor/Admin role? 

    cmmartin_google
    Staff
    Forum|alt.badge.img+11

    Not an authoritative answer for the Product Team, but I think if something isn't on that link you mentioned then I would consider it may not be tested to be safe for Data RBAC, and like the example you've found it would then need raising up back to us for evaluation (I've mentioned the above item to Eng colleagues), but there is roadmap work to expand the coverage of feature for Data RBAC.

    I don't know about a pre-defined roles either am afraid.  I have thought for now it may be more effective to have some community Terraform IAM roles which could solve for this.

      nahatx
      Forum|alt.badge.img+4
      • nahatxBronze 3
      • Author
      • Bronze 3
      • December 5, 2024

      Not an authoritative answer for the Product Team, but I think if something isn't on that link you mentioned then I would consider it may not be tested to be safe for Data RBAC, and like the example you've found it would then need raising up back to us for evaluation (I've mentioned the above item to Eng colleagues), but there is roadmap work to expand the coverage of feature for Data RBAC.

      I don't know about a pre-defined roles either am afraid.  I have thought for now it may be more effective to have some community Terraform IAM roles which could solve for this.


      Gotcha, thank you again for the responses and super useful blog posts. I'll continue just being careful when adding permissions for the time being.

      dnehoda
      Staff
      Forum|alt.badge.img+16
      • dnehoda
      • Staff
      • December 5, 2024

      Thanks for the reply, Chris.

      As I dig deeper into this, my concern is that even if a user is not a "Global user", data RBAC can still easily be violated. Certain features that can do so are documented here (such as Looker dashboards, etc). But I'm also finding that there are other undocumented potential impacts and edge cases. For example, if enabling permissions required for parser UI management, the sample log provided when creating a custom parser doesn't abide by data RBAC scopes.

      Are there plans to address some of these issues and/or eventually release a pre-defined Chronicle API Restricted Data Access Editor/Admin role? 


      I think you're mixing worlds though.  

      Feature RBAC could restrict viewing that isn't allowed through data RBAC (ie. dashboard data)  We'd need some specifics to get those scenarios nailed down. 

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.