Question

I am getting a 401 error when trying to log in to Google SecOps.

Forum|Forum|2 months ago
March 26, 2026
5 replies
121 views

+4

keiS
Bronze 5

We are currently experiencing an issue where some users are unable to access Google SecOps.

Could you please comment on possible causes?

■Premise
- Cloud Identity is used as the IdP.
- SOAR Migration is complete, and SOAR permissions have been migrated to IAM.
- Users belonging to the group granted the Chronicle SOAR Admin permission can log in.
- During SOAR Migration, a custom role equivalent to Basic was created in SOAR Permissions, but users in the group to which this custom role was granted cannot log in.
- We have confirmed that the custom role includes the instance.get permission.

■Actions Taken
- After granting IAM roles to each group, we registered the groups and members in SecOps' IAM Role Mapping following the procedure below:
https://docs.cloud.google.com/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform-first-party

■Desired Outcome
We would like to differentiate permissions between SOAR administrators and members.

Administrator: Chronicle SOAR Admin
Members: Equivalent to BASIC SOAR Permissions (with custom roles generated during SOAR Migration)
■ Questions
- Could you please tell me what is necessary to achieve what I want to do?

- What should I register in the IAM ROLE column of IAM Role Mapping: a group or an IAM ROLE?
→ The column name is IAM ROLE, but I'm actually unsure whether to register a group or the name of an IAM role.

Initially, an IAM ROLE called Chronicle SOAR Admin was registered.

I have already submitted a request for confirmation to support, but since I am in a hurry, I would like to confirm the general specifications here as well.

I look forward to your reply.

Regards,

William 17
Bronze 1
Forum|Forum|2 months ago
March 27, 2026

the premise is the cloud identy but not the IDP

Like

William 17
Bronze 1
Forum|Forum|2 months ago
March 27, 2026

and the role is IAM

Like

+11

hzmndt
Staff
Forum|Forum|2 months ago
March 28, 2026

You will need to map the users in the SOAR - IAM Role Mapping

IAM Role → your IAM role configured
Permission Groups
SOC Roles
Environments
Group Memebers → The user email

IAM Role Mapping

Map your IDP Groups / IAM users with the relevant access to Permission Groups, SOC Roles and Environments.
If you have set up identity using Workforce Identity Federation, please map IDP Groups to the desired Permission Groups, SOC Roles and Environments below.Read More about IDP Mappings.
If you have set up identity using Cloud Identity, please map your user emails to an email user group and the desired Permission Groups, SOC Roles and Environments below. Read More about User Email Mappings.

Like

+4

keiS
Author
Bronze 5
Forum|Forum|2 months ago
March 31, 2026

Thank you for your response.

------

If you have set up identity using Cloud Identity, please map your user emails to an email user group and the desired Permission Groups, SOC Roles, and Environments below. Read More about User Email Mappings.

------

Regarding this, Google Cloud support responded that after SOAR migration, predefined SOAR roles should be registered in IAM Role Mapping, and email groups should not be registered. Therefore, currently, the following two are registered:
- Chronicle SOAR Admin
- Chronicle SOAR Threat Manager

However, while users belonging to the group where Chronicle SOAR Admin is registered can log in, users belonging to the group where Chronicle SOAR Threat Manager is registered cannot log in (401 Error).

The group where Chronicle SOAR Threat Manager is registered has the following three IAM roles assigned to it.

• Chronicle API Editor
• Chronicle SOAR Threat Manager
• Custom role created by a command automatically generated during SOAR migration (equivalent to Basic in Permissions Group)

What could be the cause?