Mapping Individual Users in GCP IAM

  • November 5, 2024
  • 4 replies
  • 26 views

jansch

Hello everyone,

One of our customers is encountering the following error message when accessing SecOps SIEM.

We are using BYOID and following the setup guide from Chris Martin, see: https://medium.com/@thatsiemguy/linking-azure-idp-to-chronicle-secops-platform-ba649660d5fb

For this particular customer, there is an added complication: they do not have an Azure Entra ID P1 license and therefore are not allowed to assign a group to the Enterprise Application. They can only authorize individual users for the Enterprise App.

In GCP IAM, I mapped the Chronicle Viewer role to the following principal:

principalSet://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/attribute.userPrincipalName/<userPrincipalName>

Unfortunately, this does not seem to be working. Does anyone have any ideas?

Thank you!
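One check worth running before asking an IdP to change anything, added here as an example that is not part of this post or of Chronicle: a small Python validator that parses a workforce-pool binding member against the documented member formats and cross-checks an attribute-based principalSet against the provider's attribute mapping. The pool ID, the assertion field names and the sample mapping are constructed assumptions.

```python
import re
# Documented member formats for Workforce Identity Federation (POOL = workforce pool ID):
#   principal://iam.googleapis.com/locations/global/workforcePools/POOL/subject/VALUE
#   principalSet://iam.googleapis.com/locations/global/workforcePools/POOL/group/GROUP
#   principalSet://iam.googleapis.com/locations/global/workforcePools/POOL/attribute.NAME/VALUE
#   principalSet://iam.googleapis.com/locations/global/workforcePools/POOL/*
_POOL = r"iam\.googleapis\.com/locations/global/workforcePools/(?P<pool>[^/]+)/"
_FORMATS = {
    "subject": re.compile(r"^principal://" + _POOL + r"subject/(?P<value>.+)$"),
    "group": re.compile(r"^principalSet://" + _POOL + r"group/(?P<value>.+)$"),
    "attribute": re.compile(r"^principalSet://" + _POOL + r"attribute\.(?P<attr>\w+)/(?P<value>.+)$"),
    "all": re.compile(r"^principalSet://" + _POOL + r"\*$"),
}

def parse_member(member: str) -> dict:
    """Classify a binding member; kind is 'invalid' when no documented format matches."""
    for kind, pattern in _FORMATS.items():
        m = pattern.match(member)
        if m:
            return {"kind": kind, **m.groupdict()}
    return {"kind": "invalid"}

def check_binding(member: str, pool_id: str, attribute_mapping: dict) -> list:
    """Return reasons why a member could never match a federated login (empty = consistent).
    attribute_mapping is the provider's mapping, e.g. {"google.subject": "assertion.sub"}."""
    p = parse_member(member)
    if p["kind"] == "invalid":
        return [f"unrecognised workforce pool member format: {member}"]
    findings = []
    if p["pool"] != pool_id:
        findings.append(f"pool '{p['pool']}' is not the expected pool '{pool_id}'")
    if "<" in member or ">" in member:
        findings.append("member still contains a <PLACEHOLDER>; substitute real values")
    if p["kind"] == "attribute" and f"attribute.{p['attr']}" not in attribute_mapping:
        findings.append(f"attribute.{p['attr']} is not defined in the provider attribute "
                        "mapping, so no login can ever match this principalSet")
    if p["kind"] == "group" and "google.groups" not in attribute_mapping:
        findings.append("group members require google.groups in the attribute mapping")
    return findings

# Constructed sample mapping that exposes the UPN as a custom attribute; the
# pool ID and assertion field names are hypothetical, not taken from the thread.
SAMPLE_MAPPING = {"google.subject": "assertion.subject",
                  "attribute.userPrincipalName": "assertion.attributes.userPrincipalName"}

if __name__ == "__main__":
    base = "iam.googleapis.com/locations/global/workforcePools/example-pool/"
    for m in (f"principalSet://{base}attribute.userPrincipalName/alice@example.com",
              f"principalSet://{base}group/secops-viewers"):
        print(m, "->", check_binding(m, "example-pool", SAMPLE_MAPPING) or "OK")
```

Feed it the provider's actual attribute mapping (from the workforce pool provider configuration) and each member string from the Chronicle Viewer binding; any finding points at a mismatch between the two halves of the setup.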

dnehoda
Staff
  • November 5, 2024

If you change the permission assigned to the pool to Chronicle Editor or Admin, do you get different results?

jansch
  • Author
  • Bronze 1
  • November 5, 2024

Just tested with the customer; the error message is the same.


dnehoda
Staff
  • November 5, 2024

> Just tested with the customer; the error message is the same.


I’ll try to replicate in my lab. Assuming in your mappings you’re using a username rather than a group?


jansch
  • Author
  • Bronze 1
  • November 5, 2024

> I’ll try to replicate in my lab. Assuming in your mappings you’re using a username rather than a group?


Yes, that's right.
Because of the missing P1 Entra ID license, the customer is not allowed to map groups.