Environment
- Google Security Operations (Chronicle)
- Cloud Identity (no Workforce Federation)
- Using IAM + Data Access Scopes
- Single Chronicle instance
Goal
We want:
- Admins → full access to SecOps and all logs
- Dev users (Google group) →
  - can access SecOps UI
  - cannot see Google Workspace logs
  - restricted using Data Access Scopes

Dev IAM roles
Assigned to dev group:
- Chronicle Service Viewer
- Chronicle API Editor
- Chronicle API Restricted Data Access (conditional scope)
No admin roles assigned.
IAM Role Mapping (SecOps)
We configured:
Admin
- IAM role: Chronicle Service Admin
- SOC role: Administrator
Viewer
- IAM role: Chronicle Service Viewer
- SOC role: Tier1
- Permission group: View-Only
API
- IAM role: Chronicle API Editor
- SOC role: Tier1
Problem
Dev users cannot open the SecOps UI.
They get:
“Could not find any matching group mappings for the user in SOAR”
However, if we temporarily assign:
Chronicle SOAR Admin
login works immediately.
So viewer users can only log in when given admin-level roles, which we do not want.
Observations
- Login token shows idp_groups = user email (no Google Group info)
- Group mapping field clears after saving
- Domain mapping does not work
- Viewer + Tier1 mapping still cannot log in
- Only SOAR Admin role allows access
Questions
What is the correct configuration to allow:
Viewer users → access SecOps UI, but restricted via Data Access Scopes, without granting:
Chronicle SOAR Admin
Do roles need to be assigned at the Chronicle instance level rather than project level?
Is there a required baseline SOC role for login in SecOps?
Any guidance from others who implemented restricted viewer access would be appreciated.