Assigning access to Security and Compliance Center
As an account owner, you are automatically assigned Administrator platform access to Security and Compliance Center so that you can further assign roles and customize access policies for others.
Assigning access for an account
- Create an access group for the type of users that you want to give access to and add those users to the group. For example, you might have a team of compliance specialists that all need the same level of access.
- After you create a group and add users, go to the Manage > Access (IAM) > Access Groups page of the console.
- Select the name of the group that you want to assign access to.
- Click Access > Assign access.
- Assign the following permissions by selecting a service and reviewing the roles and actions that are available for each option.

  Table. Minimum required permissions

  | Service | Minimum required permissions |
  |---|---|
  | Security and Compliance Center | Administrator |
  | Cloud Object Storage | Reader |
  | Event Notifications | Reader |

  To review the full list of which permissions are required for each action and assign more granular access to Security and Compliance Center, see IAM actions for Security and Compliance Center.
- Click Add.
- Review your selections and click Assign.
Assigning access for an Enterprise
If you are working in an enterprise account, you must also assign permissions for the enterprise service.
You can assign Administrator access for the service, or you can create a custom role. When you assign permissions for an enterprise, you can give access to the full enterprise or specific accounts or account groups. To learn more about recommendations for enterprises, see Best practices for enterprises.
- In the console, go to Manage > Access (IAM) > Roles and click Create.
- Give your role a name, programmatic ID, and description. For example, Compliance focal, ComplianceFocal, and Permissions that are required for compliance focal to work with Security and Compliance Center.
- From the Service drop-down, select Enterprise, and then add the following actions.
  - enterprise.enterprise.attach-config-rules
  - enterprise.enterprise.detach-config-rules
  - enterprise.enterprise.update-config-rules
  - enterprise.account-group.attach-config-rules
  - enterprise.account-group.detach-config-rules
  - enterprise.account-group.update-config-rules
  - enterprise.account.attach-config-rules
  - enterprise.account.detach-config-rules
  - enterprise.account.update-config-rules
  - enterprise.account.retrieve
  - enterprise.account-group.retrieve
  - enterprise.enterprise.retrieve
  - global-search-tagging.resource.read
- Review your selections to ensure that you added the correct permissions and click Create.
- Assign that role to the user or group that needs access to Security and Compliance Center.
Assigning access to a scope or subscope
To allow certain users of your account to view results without having access to the rest of your Security and Compliance Center instance, you must assign the following policies for the scope or subscope that you want to provide access to.
- Get your scope or subscope ID from the Security and Compliance Center UI.
- Navigate to the IAM UI.
- Click Manage > Access (IAM) > Users, and select the user that you want to provide access to. Be sure to start from the Access groups tab if you're working with a group.
- Click Access > Assign access.
- Give your user or access group permission to view Security and Compliance Center instances.
  - Select Security and Compliance Center and then click Next.
  - For resources, select All or provide the ID for a specific instance of the service.
  - For permissions, select InstanceViewer.
  - Click Add.
- Give your user or access group permission to read results for a specific scope or subscope.
  - Select Security and Compliance Center, and then click Next.
  - Select Specific resources. Then, select either Scope ID or Subscope ID.
  - Input the ID that you copied in step 1 as the Value. Then, click Next.
  - For permissions, select Reader. Then, click Next.
  - Click Add.
- Review your selections in the side panel.
- Click Assign.
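The two procedures above (the minimum-permissions table for an account, and the InstanceViewer-plus-scoped-Reader pattern for a scope or subscope) are easy to get subtly wrong when policies are created by hand, for example a Reader role assigned without the scope restriction, which exposes every result rather than one scope's. The following script is an added example, not code from the page or from IBM, that audits a list of IAM access policies offline against both patterns. It assumes the policy layout of the IAM Policy Management API (`subjects`, `roles` and `resources` as lists of name/value attributes), and the IAM service names `compliance`, `cloud-object-storage` and `event-notifications`, the role CRN layout, and the resource attribute names `scope_id`/`subscope_id` are all assumptions rather than values stated on the page. The sample policies at the bottom are constructed.

```python
"""Offline audit of IAM access policies against the permissions on this page.
Added example. The policy layout follows the IAM Policy Management API
('subjects', 'roles', 'resources', each a list of name/value attributes);
the service names, role CRN layout and scope attribute names are assumptions."""

# The page's minimum-permissions table, keyed by assumed IAM service name.
MINIMUM_ROLES = {
    "compliance": "Administrator",       # Security and Compliance Center (assumed name)
    "cloud-object-storage": "Reader",    # Cloud Object Storage (assumed name)
    "event-notifications": "Reader",     # Event Notifications (assumed name)
}
SCC_SERVICE = "compliance"
SCOPE_ATTRIBUTES = {"scope_id", "subscope_id"}   # assumed names for Scope ID / Subscope ID


def make_policy(subject_name, subject_value, role, service, resource_extra=None):
    """Build one access policy in the IAM API shape (constructed sample data)."""
    attributes = [{"name": "accountId", "value": "ACCOUNT_ID_PLACEHOLDER"},
                  {"name": "serviceName", "value": service}]
    attributes += [{"name": k, "value": v} for k, v in (resource_extra or {}).items()]
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": subject_name, "value": subject_value}]}],
        # Role CRN layout is assumed; only the trailing role name is inspected below.
        "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::role:{role}"}],
        "resources": [{"attributes": attributes}],
    }


def _attrs(section):
    """Flatten [{'name': n, 'value': v}, ...] into a plain dict."""
    return {a["name"]: a["value"] for a in section.get("attributes", [])}


def policy_roles(policy):
    """Role names granted by a policy (last CRN segment, e.g. 'Reader')."""
    return {r["role_id"].rsplit(":", 1)[-1] for r in policy.get("roles", [])}


def policy_services(policy):
    return {_attrs(r).get("serviceName") for r in policy.get("resources", [])}


def subject_policies(policies, subject_id):
    """Policies whose subject is the given access group id or user iam_id."""
    return [p for p in policies
            if any(_attrs(s).get("access_group_id") == subject_id
                   or _attrs(s).get("iam_id") == subject_id
                   for s in p.get("subjects", []))]


def check_minimum_access(policies, subject_id):
    """Findings for the account procedure: every service in the table must
    carry at least its minimum role. An empty list means the minimum is met."""
    granted = {}
    for p in subject_policies(policies, subject_id):
        for svc in policy_services(p):
            granted.setdefault(svc, set()).update(policy_roles(p))
    return [f"{svc}: missing {needed} (granted: {sorted(granted.get(svc, [])) or 'none'})"
            for svc, needed in MINIMUM_ROLES.items()
            if needed not in granted.get(svc, set())]


def check_scope_reader(policies, subject_id):
    """Findings for the scope/subscope procedure: InstanceViewer on the service,
    plus Reader only on a policy whose resource names a scope or subscope."""
    findings, instance_viewer, scoped_reader = [], False, False
    for p in subject_policies(policies, subject_id):
        if SCC_SERVICE not in policy_services(p):
            continue
        roles = policy_roles(p)
        scoped = any(SCOPE_ATTRIBUTES.intersection(_attrs(r)) for r in p["resources"])
        instance_viewer = instance_viewer or "InstanceViewer" in roles
        if "Reader" in roles and scoped:
            scoped_reader = True
        elif "Reader" in roles:
            findings.append("Reader granted with no scope restriction: exposes every result")
        extra = roles - {"InstanceViewer", "Reader"}
        if extra:
            findings.append(f"roles beyond a results viewer: {sorted(extra)}")
    if not instance_viewer:
        findings.append("missing InstanceViewer on Security and Compliance Center")
    if not scoped_reader:
        findings.append("missing Reader on a specific scope or subscope")
    return findings


# Constructed sample policies: a group with the full minimum set, a group that
# lacks Event Notifications, a user correctly limited to one scope, and a user
# whose Reader role was assigned without the scope restriction.
SAMPLE_POLICIES = [
    make_policy("access_group_id", "AccessGroupId-compliance-team", "Administrator", "compliance"),
    make_policy("access_group_id", "AccessGroupId-compliance-team", "Reader", "cloud-object-storage"),
    make_policy("access_group_id", "AccessGroupId-compliance-team", "Reader", "event-notifications"),
    make_policy("access_group_id", "AccessGroupId-partial", "Administrator", "compliance"),
    make_policy("access_group_id", "AccessGroupId-partial", "Reader", "cloud-object-storage"),
    make_policy("iam_id", "IBMid-scoped-viewer", "InstanceViewer", "compliance"),
    make_policy("iam_id", "IBMid-scoped-viewer", "Reader", "compliance", {"scope_id": "SCOPE_ID_PLACEHOLDER"}),
    make_policy("iam_id", "IBMid-leaky-viewer", "InstanceViewer", "compliance"),
    make_policy("iam_id", "IBMid-leaky-viewer", "Reader", "compliance"),
]
```

Run `check_minimum_access(SAMPLE_POLICIES, "AccessGroupId-partial")` to see the missing Event Notifications Reader reported, and `check_scope_reader(SAMPLE_POLICIES, "IBMid-leaky-viewer")` to see the unrestricted Reader flagged. Against a real account, replace `SAMPLE_POLICIES` with the policy list returned by the IAM policy API for the subject and confirm the attribute names match what that API returns for scope-restricted resources.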
Assigning access to Satellite
To evaluate the resources that run on Satellite, you must create a service-to-service authorization between Security and Compliance Center and Satellite. To create a new authorization through the IAM UI, you can use the following steps.
- In the IBM Cloud console, go to Manage > Access (IAM) > Authorizations.
- Click Create.
- Select Security and Compliance Center from the Source service drop-down.
- Leave All resources selected.
- Select Satellite from the Target service drop-down.
- Leave All resources selected.
- Check Viewer to provide the required access.
- Click Authorize.