Managing IAM access for Security and Compliance Center
Access to the IBM Cloud® Security and Compliance Center is controlled by Cloud Identity and Access Management (IAM). Every user who accesses the Security and Compliance Center in your account must be assigned an access policy with a defined IAM role. The policy determines which actions a user can perform within the context of the Security and Compliance Center.
Policies enable access to be granted at different levels. Some options include the following actions:
- Access to manage profiles and controls
- Access to view security and compliance posture and results
- Access to manage event notifications
Roles and permissions
After you define the level of access that a user might need, you can assign them an access role. To understand which role should be assigned, review the following table to see which Security and Compliance Center actions can be completed by each role.
Last year, Security and Compliance Center transitioned from a global service to a regional service. As part of completing that migration, new IAM actions for Security and Compliance Center that are mapped to Service roles will be available on 7 June 2024. For more information about what this change means for you, see the release notes.
Existing action | Description | Existing minimum required role | New minimum required role |
---|---|---|---|
compliance.admin.settings-read | View Security and Compliance Center settings for your account. | Viewer | Reader |
compliance.admin.settings-update | Update Security and Compliance Center settings for your account. | Administrator | Manager |
compliance.admin.test-event-send | Send a test event to a connected Event Notifications service instance. | Administrator | Manager |
compliance.configuration-governance.rules-create | Create a rule. | Editor | Writer |
compliance.configuration-governance.rules-read | View a rule. | Viewer | Reader |
compliance.configuration-governance.rules-update | Update a rule. | Editor | Writer |
compliance.configuration-governance.rules-delete | Delete a rule. | Editor | Writer |
compliance.posture-management.attachments-create | Create an attachment. | Editor[1] | Writer[2] |
compliance.posture-management.attachments-read | View the available attachments in your account. | Viewer[3] | Reader[4] |
compliance.posture-management.attachments-update | Update an attachment. | Editor[5] | Writer[6] |
compliance.posture-management.attachments-upgrade | Upgrade your attachment to use the latest version of a profile. | Editor | Writer |
compliance.posture-management.attachments-delete | Delete an attachment. | Editor[7] | Writer[8] |
compliance.posture-management.control-libraries-create | Create a control library. | Editor | Writer |
compliance.posture-management.control-libraries-read | View the available control libraries in your account. | Viewer | Reader |
compliance.posture-management.control-libraries-update | Update a control library. | Editor | Writer |
compliance.posture-management.control-libraries-delete | Delete a control library. | Editor | Writer |
compliance.posture-management.controls-create | Add a control to a profile. | Editor | Writer |
compliance.posture-management.controls-read | View the controls that you can add to a profile. | Viewer | Reader |
compliance.posture-management.controls-update | Update an existing control. | Editor | Writer |
compliance.posture-management.controls-delete | Delete a control. | Editor | Writer |
compliance.posture-management.dashboard-view | Access the Security and Compliance Center dashboard to view results. | Viewer | Reader |
compliance.posture-management.integrations-create | Create an integration in Security and Compliance Center. | Operator | Writer |
compliance.posture-management.integrations-read | View an integration in Security and Compliance Center. | Viewer | Reader |
compliance.posture-management.integrations-update | Update an integration in Security and Compliance Center. | Operator | Writer |
compliance.posture-management.integrations-delete | Delete an integration in Security and Compliance Center. | Editor | Writer |
compliance.posture-management.profiles-compare | Compare two versions of the same profile to see how they differ. | Editor | Writer |
compliance.posture-management.profiles-create | Create a profile. | Editor | Writer |
compliance.posture-management.profiles-read | View profiles. | Viewer | Reader |
compliance.posture-management.profiles-update | Update a profile. | Editor | Writer |
compliance.posture-management.profiles-delete | Delete a profile. | Editor | Writer |
compliance.posture-management.reports-create | Read results and reports. | Operator | Reader |
compliance.posture-management.scans-create | Create a scan. | Administrator | Manager |
compliance.posture-management.scopes-create | Create a scope. | Editor | Writer |
compliance.posture-management.scopes-read | View scopes. | Viewer | Reader |
compliance.posture-management.scopes-update | Edit a scope. | Editor | Writer |
compliance.posture-management.scopes-delete | Delete a scope. | Editor | Writer |
compliance.posture-management.subscopes-create | Create a subscope. | Editor | Writer |
compliance.posture-management.subscopes-read | View subscopes. | Viewer | Reader |
compliance.posture-management.subscopes-update | Edit a subscope. | Editor | Writer |
compliance.posture-management.subscopes-delete | Delete a subscope. | Editor | Writer |
compliance.targets.create | Create a target. | Editor | Writer |
compliance.targets.read | View targets. | Viewer | Reader |
compliance.targets.update | Update a target. | Editor | Writer |
compliance.targets.delete | Delete a target. | Editor | Writer |
Required roles and permissions for enterprises
If you are working within an enterprise account and want to configure scans for Security and Compliance Center, you must have additional permissions for the enterprise service. You can choose to provide Administrator access or create a custom role with the following actions. For help creating a role, see Assigning access.
- enterprise.enterprise.attach-config-rules
- enterprise.enterprise.detach-config-rules
- enterprise.enterprise.update-config-rules
- enterprise.account-group.attach-config-rules
- enterprise.account-group.detach-config-rules
- enterprise.account-group.update-config-rules
- enterprise.account.attach-config-rules
- enterprise.account.detach-config-rules
- enterprise.account.update-config-rules
- enterprise.account.retrieve
- enterprise.account-group.retrieve
- enterprise.enterprise.retrieve
- global-search-tagging.resource.read
1. To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions found in the following section. ↩︎
2. To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions found in the following section. ↩︎
3. To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions found in the following section. ↩︎
4. To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions found in the following section. ↩︎
5. To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions found in the following section. ↩︎
6. To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions found in the following section. ↩︎
7. To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions found in the following section. ↩︎
8. To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions found in the following section. ↩︎