We are currently experiencing an issue where some users are unable to access Google SecOps.
Could you please comment on possible causes?
■Premise
- Cloud Identity is used as the IdP.
- SOAR Migration is complete, and SOAR permissions have been migrated to IAM.
- Users belonging to the group granted the Chronicle SOAR Admin permission can log in.
- During SOAR Migration, a custom role equivalent to Basic was created in SOAR Permissions, but users in the group to which this custom role was granted cannot log in.
- We have confirmed that the custom role includes the instance.get permission.
■Actions Taken
- After granting IAM roles to each group, we registered the groups and members in SecOps' IAM Role Mapping following the procedure below:
https://docs.cloud.google.com/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform-first-party
■Desired Outcome
We would like to differentiate permissions between SOAR administrators and members.
Administrator: Chronicle SOAR Admin
Members: Equivalent to BASIC SOAR Permissions (with custom roles generated during SOAR Migration)
■ Questions
- Could you please tell me what is necessary to achieve what I want to do?
- What should I register in the IAM ROLE column of IAM Role Mapping: a group or an IAM ROLE?
→ The column name is IAM ROLE, but I'm actually unsure whether to register a group or the name of an IAM role.
Initially, an IAM ROLE called Chronicle SOAR Admin was registered.
I have already submitted a request for confirmation to support, but since I am in a hurry, I would like to confirm the general specifications here as well.
I look forward to your reply.
Regards,