How can we use group email addresses to assign permission groups and SOC roles in SOAR regardless of what IAM roles they were given in the project IAM? (e.g. Two groups with the same IAM role but who should have different permissions and SOC Roles in SOAR?)
I tried to use the email address of a google group instead of a IAM Role Name but it doesn't seem to work.
Docs: https://cloud.google.com/security-command-center/docs/map-users-in-secops
Hi @ar3diu ! In Chronicle SOAR, group email addresses can only be used for direct user mapping, not as substitutes for IAM roles in the IAM Role Mapping section.
If two Google Groups have the same IAM role, SOAR cannot differentiate them just by email — IAM role mapping uses IAM roles only, not group identity. try this
Use email-based user/group mapping instead of IAM role mapping.
Go to SOAR Settings → User Management and assign permission groups and SOC roles directly to the group email address there.
Or, assign different IAM roles to each Google Group in Cloud IAM, then map those roles in SOAR to different permissions/SOC roles.
Unfortunately, IAM Role Mapping in SOAR doesn’t support differentiating groups with the same IAM role.
Hi @ar3diu ! In Chronicle SOAR, group email addresses can only be used for direct user mapping, not as substitutes for IAM roles in the IAM Role Mapping section.
If two Google Groups have the same IAM role, SOAR cannot differentiate them just by email — IAM role mapping uses IAM roles only, not group identity. try this
Use email-based user/group mapping instead of IAM role mapping.
Go to SOAR Settings → User Management and assign permission groups and SOC roles directly to the group email address there.
Or, assign different IAM roles to each Google Group in Cloud IAM, then map those roles in SOAR to different permissions/SOC roles.
Unfortunately, IAM Role Mapping in SOAR doesn’t support differentiating groups with the same IAM role.
So in SOAR Settings > User Management there is no option to add a new entry. If I go to Group Mapping then here's where I added IAM Role Names as the Group. I tried to add the group email address instead of the IAM Role but it did not work.
Hi @ar3diu ! In Chronicle SOAR, group email addresses can only be used for direct user mapping, not as substitutes for IAM roles in the IAM Role Mapping section.
If two Google Groups have the same IAM role, SOAR cannot differentiate them just by email — IAM role mapping uses IAM roles only, not group identity. try this
Use email-based user/group mapping instead of IAM role mapping.
Go to SOAR Settings → User Management and assign permission groups and SOC roles directly to the group email address there.
Or, assign different IAM roles to each Google Group in Cloud IAM, then map those roles in SOAR to different permissions/SOC roles.
Unfortunately, IAM Role Mapping in SOAR doesn’t support differentiating groups with the same IAM role.
So in SOAR Settings > User Management there is no option to add a new entry. If I go to Group Mapping then here's where I added IAM Role Names as the Group. I tried to add the group email address instead of the IAM Role but it did not work.
How do you fix this finally?
I got the similar issue; I would want assign some of my team member out of the admin group.
However, I have no way to set them.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.