Managing IAM access for Security and Compliance Center
Access to the IBM Cloud® Security and Compliance Center is controlled by Cloud Identity and Access Management (IAM). Every user that accesses the Security and Compliance Center in your account must be assigned an access policy with a defined platform IAM role. The policy determines which actions a user can perform within the context of the Security and Compliance Center.
Policies enable access to be granted at different levels. Some examples include the following:
- Access to manage profiles and controls
- Access to view security and compliance posture and results
- Access to manage event notifications
Roles and permissions
After you define the level of access that a user needs, you can assign them a platform access role. Review the following table, which outlines the roles that are required to perform actions within the Security and Compliance Center.
The following table lists the platform access roles that are required to manage collectors, credentials, scopes, validations, and profiles in your accounts.
Action | Description | Minimum required role |
---|---|---|
compliance.admin.settings-read | View Security and Compliance Center settings for your account. | Viewer |
compliance.admin.settings-update | Update Security and Compliance Center settings for your account. | Administrator |
compliance.admin.test-event-send | Send a test event to a connected Event Notifications service instance. | Administrator |
compliance.posture-management.attachments-create | Create an attachment. | Editor[1] |
compliance.posture-management.attachments-delete | Delete an attachment. | Editor[1] |
compliance.posture-management.attachments-read | View the available attachments in your account. | Viewer[1] |
compliance.posture-management.attachments-update | Update an attachment. | Editor[1] |
compliance.posture-management.control-libraries-create | Create a control library. | Editor |
compliance.posture-management.control-libraries-delete | Delete a control library. | Editor |
compliance.posture-management.control-libraries-read | View the available control libraries in your account. | Viewer |
compliance.posture-management.control-libraries-update | Update a control library. | Editor |
compliance.posture-management.control-library-create | Create a control library. | Editor |
compliance.posture-management.control-library-delete | Delete a control library. | Editor |
compliance.posture-management.control-library-read | View the details of a control library. | Viewer |
compliance.posture-management.control-library-update | Update a control library. | Editor |
compliance.posture-management.controls-create | Add a control to a profile. | Editor |
compliance.posture-management.controls-delete | Delete a control. | Editor |
compliance.posture-management.controls-read | View the controls that you can add to a profile. | Viewer |
compliance.posture-management.controls-update | Update an existing control. | Editor |
compliance.posture-management.dashboard-view | View hybrid cloud results. | Viewer |
compliance.posture-management.integrations-create | Create an integration in Security and Compliance Center. | Operator |
compliance.posture-management.integrations-delete | Delete an integration in Security and Compliance Center. | Editor |
compliance.posture-management.integrations-read | View an integration in Security and Compliance Center. | Viewer |
compliance.posture-management.integrations-update | Update an integration in Security and Compliance Center. | Operator |
compliance.posture-management.profiles-create | Create a profile. | Editor |
compliance.posture-management.profiles-delete | Delete a profile. | Editor |
compliance.posture-management.profiles-read | View profiles. | Viewer |
compliance.posture-management.profiles-update | Update a profile. | Editor |
compliance.posture-management.reports-create | Download a report. | Operator |
compliance.posture-management.reports-list | View IBM Cloud results. | Operator |
compliance.posture-management.reports-read | View IBM Cloud results. | Operator |
compliance.posture-management.scans-create | Create a scan. | Editor |
compliance.posture-management.scans-delete | Delete a scan. | Editor |
compliance.posture-management.scans-read | View scans. | Viewer |
compliance.posture-management.scans-update | Update scans. | Editor |
compliance.posture-management.scopes-create | Create a scope. | Editor |
compliance.posture-management.scopes-delete | Delete a scope. | Editor |
compliance.posture-management.scopes-read | View scopes. | Viewer |
compliance.posture-management.scopes-update | Edit a scope. | Editor |
compliance.configuration-governance.rules-create | Create a rule. | Editor |
compliance.configuration-governance.rules-read | View a rule. | Viewer |
compliance.configuration-governance.rules-update | Update a rule. | Editor |
compliance.configuration-governance.rules-delete | Delete a rule. | Editor |
Required roles and permissions for enterprises
If you are working within an enterprise account and want to configure scans for Security and Compliance Center, you must have additional permissions for the enterprise service. You can choose to provide Administrator access or create a custom role with the following actions. For help creating a role, see Assigning access.
- enterprise.enterprise.attach-config-rules
- enterprise.enterprise.detach-config-rules
- enterprise.enterprise.update-config-rules
- enterprise.account-group.attach-config-rules
- enterprise.account-group.detach-config-rules
- enterprise.account-group.update-config-rules
- enterprise.account.attach-config-rules
- enterprise.account.detach-config-rules
- enterprise.account.update-config-rules
- enterprise.account.retrieve
- enterprise.account-group.retrieve
- enterprise.enterprise.retrieve
- global-search-tagging.resource.read
1. To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions listed under Required roles and permissions for enterprises.