Question

IAM Role Mapping in Chronicle SOAR for Google Groups

  • June 3, 2025
  • 5 replies
  • 484 views

ar3diu

How can we use group email addresses to assign permission groups and SOC roles in SOAR regardless of what IAM roles they were given in the project IAM? (e.g. Two groups with the same IAM role but who should have different permissions and SOC Roles in SOAR?) 

I tried to use the email address of a Google Group instead of an IAM Role Name, but it doesn't seem to work.

Docs: https://cloud.google.com/security-command-center/docs/map-users-in-secops

 

5 replies

a_aleinikov
  • Bronze 1
  • June 4, 2025

Hi @ar3diu ! In Chronicle SOAR, group email addresses can only be used for direct user mapping, not as substitutes for IAM roles in the IAM Role Mapping section.

If two Google Groups have the same IAM role, SOAR cannot differentiate them just by email — IAM role mapping uses IAM roles only, not group identity. Try this:

  • Use email-based user/group mapping instead of IAM role mapping.
    Go to SOAR Settings → User Management and assign permission groups and SOC roles directly to the group email address there.

  • Or, assign different IAM roles to each Google Group in Cloud IAM, then map those roles in SOAR to different permissions/SOC roles.

Unfortunately, IAM Role Mapping in SOAR doesn’t support differentiating groups with the same IAM role.
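A check that goes with the second option in the reply above (give each Google Group its own IAM role): because SOAR maps permission groups and SOC roles per IAM role, a project policy in which two groups are bound to the same Chronicle role is exactly the situation SOAR cannot tell apart. The script below is an added example, not code from this thread, from Chronicle SOAR or from Google. It parses the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and reports Chronicle roles bound to more than one group. The sample policy and the example.com group addresses are constructed; the three role IDs are the predefined Chronicle API Admin, Editor and Viewer roles.

```python
"""Check a GCP IAM policy for Google Groups that share a Chronicle IAM role.

Added example for this thread, not code from Chronicle SOAR or Google.
SOAR maps permission groups and SOC roles per IAM role, so two Google
Groups bound to the same role cannot be told apart there. This script
reads the JSON printed by `gcloud projects get-iam-policy PROJECT_ID
--format=json` and lists Chronicle roles bound to more than one group.
SAMPLE_POLICY and the group addresses are constructed for the demo.
"""
import json
import sys
from collections import defaultdict

# Predefined Chronicle roles and their console display names.
CHRONICLE_ROLES = {
    "roles/chronicle.admin": "Chronicle API Admin",
    "roles/chronicle.editor": "Chronicle API Editor",
    "roles/chronicle.viewer": "Chronicle API Viewer",
}

# Constructed policy: soc-tier1 and soc-tier2 share the Editor role, so a
# SOAR mapping keyed on that role gives both groups the same SOC role.
SAMPLE_POLICY = """
{
  "bindings": [
    {"role": "roles/chronicle.admin",
     "members": ["group:soc-admins@example.com"]},
    {"role": "roles/chronicle.editor",
     "members": ["group:soc-tier1@example.com",
                 "group:soc-tier2@example.com",
                 "user:analyst@example.com"]},
    {"role": "roles/chronicle.viewer",
     "members": ["group:soc-tier1@example.com"]},
    {"role": "roles/viewer",
     "members": ["group:everyone@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
"""


def load_sample_policy() -> dict:
    """Parse the constructed sample policy (stands in for gcloud output)."""
    return json.loads(SAMPLE_POLICY)


def chronicle_group_bindings(policy: dict) -> dict[str, list[str]]:
    """Return {chronicle_role: sorted group emails} from an IAM policy.

    Only `group:` principals are kept; users and service accounts do not
    take part in group-based mapping. Binding conditions are ignored.
    """
    by_role: dict[str, set[str]] = defaultdict(set)
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in CHRONICLE_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("group:"):
                by_role[role].add(member[len("group:"):])
    return {role: sorted(groups) for role, groups in by_role.items()}


def roles_shared_by_groups(policy: dict) -> dict[str, list[str]]:
    """Chronicle roles bound to two or more groups: these collapse in SOAR."""
    return {role: groups
            for role, groups in chronicle_group_bindings(policy).items()
            if len(groups) > 1}


def roles_for_group(policy: dict, group_email: str) -> list[str]:
    """Sorted Chronicle roles held by one group; handy when giving each
    group a distinct role and confirming no overlap remains."""
    return sorted(role
                  for role, groups in chronicle_group_bindings(policy).items()
                  if group_email in groups)


def report(policy: dict) -> list[str]:
    """Human-readable findings, one line per shared role."""
    lines = []
    for role, groups in sorted(roles_shared_by_groups(policy).items()):
        lines.append(f"{CHRONICLE_ROLES[role]} ({role}) is bound to "
                     f"{len(groups)} groups: {', '.join(groups)}; SOAR "
                     "will map them identically")
    return lines or ["No Chronicle role is shared between groups"]


if __name__ == "__main__":
    # Pass an exported policy file, or run without arguments for the demo.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = load_sample_policy()
    print("\n".join(report(policy)))
```

Run it against a real export (`gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json`, then `python check_roles.py policy.json`); every role the report names is one where the groups will need separate roles before the SOAR mapping can distinguish them.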


ar3diu
  • Author
  • Silver 2
  • June 5, 2025

So in SOAR Settings > User Management there is no option to add a new entry. If I go to Group Mapping then here's where I added IAM Role Names as the Group. I tried to add the group email address instead of the IAM Role but it did not work.

 

 


Adrian So
  • Bronze 1
  • September 22, 2025

How do you fix this finally?

I got a similar issue; I would want to assign some of my team members out of the admin group.

However, I have no way to set them.


cdc_maneesh
  • New Member
  • May 5, 2026

Can we get a final solution for this topic?

I am also stuck at the same.


ar3diu
  • Author
  • Silver 2
  • May 6, 2026

@Adrian So @cdc_maneesh

What worked for me so far:

1.
  • IAM Role: Predefined Chronicle IAM Role (e.g., Chronicle API Admin). We encountered some issues here with the Chronicle API Viewer and Chronicle API Editor roles, which lack certain permissions. This caused either the SecOps console to not load or several tabs to be inaccessible to users (such as SOAR Search).
  • Group Members: Leave this blank, or add only the users you want to assign to this specific SOC role.

2.
  • IAM Role: Custom GCP IAM Role Name
  • Group Members: Leave this blank, or add only the users you want to assign to this specific SOC role.

3.
  • IAM Role: Google Group Email Address
  • Group Members: Enter the email addresses of the individuals from that group who should be assigned to this specific SOC role.

 

Note: Apart from this, I have also mapped all predefined Chronicle IAM roles (Admin, Editor, and Viewer) in each instance. I am a bit skeptical of approach number three, as I do not think it works as expected. Based solely on my experience, the recommended path right now is approach number one. This is not ideal at all, as permissions evolve and I do not want to maintain a custom IAM role.

References
- https://medium.com/@HavSec/deciphering-google-secops-soar-iam-access-control-the-post-migration-reality-a571236a5b29