Skip to main content

Table of Contents

 

129280i57BB52E0071AEA8F.png

Google SecOps Initial Configuration will provide administrative access to the platform. This is the first requirement in product adoption, and includes integration with your chosen Identity and Access Management (IAM) software to ensure user and role consistency across your portfolio.

 

Prerequisites

Access to the Homepage and its features, requires the user to have access, and a valid authentication. Users must be provided access and authentication from the organization’s administrator(s).

 

Actions

129281i3BD8A16AF9F03031.png
 
Configure GCP for GSO

A Google Cloud project is required to use Google Workspace APIs. It is the overarching entity to group services, APIs, billing, collaborators, and managing permissions within your Google Cloud environment.

 

 

Prerequisites
  • Access to manage Projects inside of your company’s Google Workspace. 
  • Your company should have the Project Creator permission at the organization level, no additional permissions should be required.

Steps
  1. In the Google Cloud console, users will select Navigation Menu129288i2BD6D5593F7D271B.png
  2. A popout menu will appear, users will select IAM & Admin, and select Create a Project.
  3. In the Project Name field, enter a descriptive name for your project.
    • Optional: To edit the Project ID, click Edit. The project ID can't be changed after the project is created, so choose an ID that will meet the needs for the lifetime of the project.
  4. In the Location field, click Browse to display potential locations for the project. Then, click Select.

  5.  Once completed, users will select Create. The Google Cloud console navigates to the Dashboard page and your project is created within a few minutes.

  6. Users’ service account will exist in a project maintained by Google SecOps. Users will see this permission grant by navigating to the IAM page of their Google Cloud project selecting the Include Google-provided Role Grants checkbox in the upper right-hand corner.
  7. If users don't see the new service account, they can check the Include Google-provided Role Grants button is enabled on the IAM page.
Relevant Documentation Links

 

 

129282iE619D2BFB1FD61FF.png

Grant Access

In Google SecOps you can use the Google Cloud console and the gcloud CLI to quickly grant or revoke a single role for a single principal, without editing the resource's allow policy directly.

 

 

Prerequisites
  • Access to manage Projects inside of your company’s Google Workspace. 
  • Your company should have the Project Creator permission at the organization level, no additional permissions should be required.

Steps
  1. In the Google Cloud console, users will go to the IAM page.
  2. Select a Project, Folder, or Organization.
  3. Select a Principal to grant a role to:
    1. To grant a role to a Principal who already has other roles on the resource, find a row containing the Principal, click Edit Principal in that row, and click Add Another Role.
    2. To grant a role to a Principal who doesn't have any existing roles on the resource, click the Grant Access button, then enter the Principal's email address or other identifier.
  4. The Select a Role dropdown menu will appear. Select a role to grant from the drop-down list. For best security practices, choose a role that includes only the permissions that your principal needs. with the following options:
    1. Browser
    2. Editor
    3. Owner
    4. Viewer
  5. To grant a role to a Service Agent, select the Include Google-provided Role Grants checkbox to see its email address.
  6. Optional: Add a condition to the Role.
  7. Click Save. The Principal is granted the role on the resource.
  8. To grant a role to a Principal for more than one project, folder, or organization, users will select Manage Resources in the IAM & Admin menu on the left side of the page.
  9. Select all the Resources for the selections the user wants to grant permissions to.
  10. If the info panel is not visible, click Show Info Panel. Then, click Permissions.
  11. Select a Principal to grant a role to:
    1. To grant a role to a principal who already has other roles, find a row containing the principal, click Edit Principal button in that row, and click Add Another Role.
    2. To grant a role to a Principal who does not already have other roles, click Add Principal button, then enter the principal's email address or other identifier.
  12. Select a role to grant from the drop-down list.
  13. Click Save. The Principal is granted the selected role on each of the selected resources.
Relevant Documentation Links

 

 

129283i54C5959F7134665C.png

Configure IDP Integration

Identity Platform is a CIAM system that can help you add identity and access management functionality to your Google Cloud projects. You can use Cloud Identity, Google Workspace, or a third-party identity provider to manage users, groups, and authentication.

 

 

Prerequisites
  • Google Cloud project set up for Google SecOps
  • Billing enabled for Google Cloud Project

Steps
  1. Users will select a  Project from the dropdown at the top of the Google Cloud Console.
  2. Navigate to the Side Bar select View All Products. Users will then look for the Tools section and select the Identity Platform page (Users can pin the selection also).
  3. Click Enable Identity Platform.
  4. Navigate to the Identity Providers Page and click Add a Provider.
  5. Click the Enabled toggle to on, click Save
  6. Navigate to the Users page
  7. Click Add user.
  8. In the Email field, enter an Email and Password. Make a note of both of these values because you will need them in a later step.
  9. To add the user, click Add. The new user is listed on the Users Page.
Relevant Documentation Links

 

 

129284i95F8BE402F2739D3.png
Configure 3rd Party IDP

If your organization uses an external Identity Provider (IdP), you will need to configure federation to allow your users, contractors, and partners to authenticate to IAM and Google Console.

 

 

Prerequisites
Steps
  1. Users will navigate to Google SecOps.
  2. Google SecOps looks up IdP information in the Google Cloud workforce identity pool.
  3. A request is sent to the IdP.
  4. The SAML assertion is sent to the Google Cloud workforce identity pool.
  5. If authentication is successful, Google SecOps receives only the SAML attributes defined when you configured the workforce provider in the workforce identity pool.
  6. User will define workforce identity pool and provider details.
  7. Then define User Attributes and Groups in the IdP
  8. Create a SAML Application in the IdP and configure it.
  9. Configure workforce identity federation in Google Cloud.
  10. Create and Configure a Workforce Identity Pool.
  11. Create a Workforce Identity Pool.
  12. Grant a role to enable sign into Google SecOps.
  13. Verify or configure Google SecOps feature access control.
  14. Opt] Modify Workforce Identity Federation configuration.
Relevant Documentation Links

 

 

 

129285i803E84726B72778F.png

Configure Access Control IAM

Google SecOps integrates with Google Cloud Identity and Access Management (IAM) to provide Google SecOps-specific permissions and predefined roles. Google SecOps administrators can control access to features by creating IAM policies.

 

 

Prerequisites
  • Access to manage Projects inside of your company’s Google Workspace.
  • Google SecOps must be bound to a Google Cloud project and configured with either Cloud Identity, Google Workspace, or Google Cloud workforce identity federation as an intermediary in the authentication flow to a third-party identity provider.
Steps
  1. After logging on to Google SecOps, a user accesses a Google SecOps application page. Alternatively, the user may send an API Request to Google SecOps.
  2. Google SecOps verifies the permissions granted in the IAM policies defined for that user.
  3. IAM returns the authorization information. If the user accessed an application page, Google SecOps enables access to only those features that the user has been granted access to.
  4. If the user sent an API Request, and does not have permission to perform the requested action, the API Response includes an error. Otherwise, a standard response is returned.
  5. Google SecOps Permissions correspond one-to-one with Google SecOps API methods. Each Google SecOps Permission enables a specific action on a specific Google SecOps feature when using the Web Application or the API.
  6. To assign a Role to a user follow the steps in Grant Access section.
Relevant Documentation Links

 

 

 

129286iA11C269DA3D667F0.png

User Management

Google SecOps allows you to provision, authenticate, and map users with secure identification to the Google SecOps platform. This page illustrates the configuration process using Google Workspace as the external IdP. 

 

 

Prerequisites
  • Access to manage Projects inside of your company’s Google Workspace. 
Steps
  1. Users need to set up the SAML Attributes and the SAML groups in the external Identity Provider (IdP).
  2. Navigate to the SAML Attributes mapping section in the Google Workspace.
  3. Users will add the following four mandatory attributes:
    1. first_name
    2. last_name
    3. user_email
    4. Groups
  4. In the Google Groups section, users will write the names of the IdP Groups. As an example:
    1. Chronicle Admins
    2. Gcp-security-admins
  5. Users will need to take note of the group names, as they will need them later for mapping in the Google SecOps platform.
  6. To Control User Access, users will go into the SOAR Settings of the unified Google SecOps platform, there are several different ways to determine which users have access to which aspects of the platform.
    1. Permissions groups
    2. SOC roles
    3. Environments
  7. The combination of Permission Groups, SOC Roles, and Environments defines the Google SecOps user journey for each IdP Group in the Google SecOps platform.
  8. Users will need to map each IdP Group that you defined in the SAML settings procedure in the IdP Group Mapping page. (By default, the Google SecOps platform includes an IdP Group of default admins.)
  9. To map IdP groups, users will need to go into the Google SecOps platform, navigate to Settings > SOAR Settings > Advanced > IdP Group Mapping.
  10. Make sure the user has the names of the IdP Groups, they will select to map.
  11. Click the Add button and start mapping the parameters for each IdP Group.
  12. When finished, users will click Save. When each user logs in to the platform, they are automatically added to the User Management page (which is located in Settings > Organization .
  13. Note: Sometimes users will try to log into the Google SecOps platform but their IdP Group has not been mapped in the platform. In order for these users not to be rejected, Google recommends enabling and setting the Default Access Settings on this page. IdP users must be part of a single mapped IdP Group.
Relevant Documentation Links

 

 

Next Step: Security Operations: Step 1.2 - Administration | Admin Setup 

Previous Step: Security Operations: Step 1 - Administration 

Be the first to reply!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.