Skip to main content
Question

Google SecOps (Chronicle) – Viewer users cannot access SecOps UI unless SOAR Admin role is granted

  • February 12, 2026
  • 3 replies
  • 128 views
bilalqureshi00006
Forum|alt.badge.img+1

Environment

  • Google Security Operations (Chronicle)

  • Cloud Identity (no Workforce Federation)

  • Using IAM + Data Access Scopes

  • Single Chronicle instance

Goal

We want:

  • Admins → full access to SecOps and all logs

  • Dev users (Google group)

    • can access SecOps UI

    • cannot see Google Workspace logs

    • restricted using Data Access Scopes

Dev IAM roles

Assigned to dev group:

  • Chronicle Service Viewer

  • Chronicle API Editor

  • Chronicle API Restricted Data Access (conditional scope)

No admin roles assigned.

IAM Role Mapping (SecOps)

We configured:

Admin

  • IAM role: Chronicle Service Admin

  • SOC role: Administrator

Viewer

  • IAM role: Chronicle Service Viewer

  • SOC role: Tier1

  • Permission group: View-Only

API

  • IAM role: Chronicle API Editor

  • SOC role: Tier1

Problem

Dev users cannot open SecOps UI.

They get:

“Could not find any matching group mappings for the user in SOAR”

However, if we temporarily assign:

Chronicle SOAR Admin

login works immediately.

So viewer users can only log in when given admin-level roles, which we do not want.

Observations

  • Login token shows idp_groups = user email (no Google Group info)

  • Group mapping field clears after saving

  • Domain mapping does not work

  • Viewer + Tier1 mapping still cannot log in

  • Only SOAR Admin role allows access

Questions

What is the correct configuration to allow:

Viewer users → access SecOps UI
but restricted via Data Access Scopes

without granting:

Chronicle SOAR Admin

Do roles need to be assigned at the Chronicle instance level rather than project level?
Is there a required baseline SOC role for login in SecOps?

Any guidance from others who implemented restricted viewer access would be appreciated.

3 replies

kentphelps
Staff
Forum|alt.badge.img+12
  • kentphelps
  • Staff
  • February 20, 2026

To set up users with SOAR-only permissions

  1. Define either a predefined role or a custom role. The custom role must contain the following minimum permissions:
    • chronicle.instances.get
    • chronicle.preferenceSets.get.
  2. If you're using the Cloud Identity Provider, map user email groups into the email group mapping page.
  3. If you're using a third-party identity provider, map IdP groups into the IdP group mapping page. You can choose the control access parameters that meet your needs. For more information see, control access parameters.
    bilalqureshi00006
    Forum|alt.badge.img+1

    Thanks for your reply , I followed the previous technical suggestions, but the issue persists. Here is a summary of my current configuration and the remaining blockers:

    1. What I have configured:

    • IAM Conditions: I added the role Chronicle API Restricted Data Access to the user demo@example.com with the exact CEL condition: resource.name.endsWith("/dataAccessScopes/dev-sec-ops").

    • SOAR Mapping: I created a direct mapping in SOAR Settings > IAM Role Mapping where the IAM Role field is demo@example.com, assigned to SOC Role: Tier1 and Environment: dev-sec-ops.

    • Scope & Rules: The scope dev-sec-ops exists in the SIEM and is correctly assigned to specific UDM rules.

    2. The problems that remain:

    • Login Failure: The user demo@ still gets the error: "Could not find any matching group mappings for the user in SOAR." It only works if I grant Chronicle SOAR Admin, which I must avoid.

    • Scope Disconnect: The "Groups Assigned" column in the Scopes UI remains empty despite the IAM condition being active.

    • Missing Master Switch: The "Enforce Data Access" button is not visible in the Assignments tab, even though I have Chronicle API Admin permissions.

    Current Blockers: Why is the SOAR engine failing to recognize the individual email mapping, and why won't the platform allow me to "Enforce" the data access scopes?

    kentphelps
    Staff
    Forum|alt.badge.img+12
    • kentphelps
    • Staff
    • February 23, 2026

    The core of the issue is that while you have assigned IAM roles to an individual user, the SOAR engine specifically looks for "Group" mappings to authorize access and display scoped assignments.  Instead of mapping demo@example.com in the IAM Role Mapping settings, the SOAR engine is designed to handle Groups as the primary identity unit for role assignment.  Create a group with your desired mappings and add demo@example.com to that group.

    Some good resources:

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.