You can use Cloud Identity, Google Workspace, or a third-party identity
provider (such as Okta or Azure AD) to manage users, groups, and authentication.
This page describes how to use Cloud Identity or Google Workspace.
When using Cloud Identity or Google Workspace, you create managed user accounts
to control access to Google Cloud resources and to Google SecOps.
You create IAM policies that define which users and groups have access
to Google SecOps features. These IAM policies
are defined using predefined roles and permissions provided by Google SecOps
or custom roles that you create.
As part of linking a Google SecOps instance to Google Cloud
services, configure a connection to a Google Cloud IdP. The
Google SecOps instance integrates directly with Cloud Identity
or Google Workspace to authenticate users and enforce access control based on
your configured IAM policies.
SeeIdentities for usersfor detailed information about creating Cloud Identity or Google Workspace accounts.
Grant a role to enable sign-in to Google SecOps
The following steps describe how to grant a specific role using IAM
so that a user can sign in to Google SecOps. Perform the configuration using
the Google SecOps-bound Google Cloud project you created earlier.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eGoogle Security Operations integrates with Cloud Identity or Google Workspace to manage user authentication and access.\u003c/p\u003e\n"],["\u003cp\u003eIAM policies are used to define which users and groups can access specific Google Security Operations features using predefined or custom roles.\u003c/p\u003e\n"],["\u003cp\u003eTo enable users to sign in to Google Security Operations, grant them the Chronicle API Viewer role using the \u003ccode\u003egcloud\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eAfter setting up user authentication, you must link the Google Security Operations instance to Google Cloud services for it to work.\u003c/p\u003e\n"],["\u003cp\u003eThis process does not configure authorization for Google Security Operation features, that is handled by IAM for feature access control.\u003c/p\u003e\n"]]],[],null,["# Configure a Google Cloud identity provider\n==========================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n\nYou can use Cloud Identity, Google Workspace, or a third-party identity\nprovider (such as Okta or Azure AD) to manage users, groups, and authentication.\n\nThis page describes how to use Cloud Identity or Google Workspace.\n\nWhen using Cloud Identity or Google Workspace, you create managed user accounts\nto control access to Google Cloud resources and to Google SecOps.\n\nYou create IAM policies that define which users and groups have access\nto Google SecOps features. These IAM policies\nare defined using predefined roles and permissions provided by Google SecOps\nor custom roles that you create.\n\nAs part of linking a Google SecOps instance to Google Cloud\nservices, configure a connection to a Google Cloud IdP. The\nGoogle SecOps instance integrates directly with Cloud Identity\nor Google Workspace to authenticate users and enforce access control based on\nyour configured IAM policies.\n\nSee [Identities for users](/iam/docs/user-identities#google-accounts)\nfor detailed information about creating Cloud Identity or Google Workspace accounts.\n\nGrant a role to enable sign-in to Google SecOps\n-----------------------------------------------\n\nThe following steps describe how to grant a specific role using IAM\nso that a user can sign in to Google SecOps. Perform the configuration using\nthe Google SecOps-bound Google Cloud project you created earlier.\n\n1. Grant the [Chronicle API Viewer (`roles/chronicle.viewer`)](/iam/docs/understanding-roles#chronicle.viewer)\n role to users or groups that should have access to the Google Security Operations application.\n\n | **Note:** The following examples use the `gcloud` command. To use the Google Cloud console, see [Grant a single role](/iam/docs/granting-changing-revoking-access#grant-single-role).\n | **Important:** The following examples don't configure authorization to Google SecOps features. This is done using IAM for feature access control.\n - The following example grants the Chronicle API Viewer role to to a specific group:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --role roles/chronicle.viewer \\\n --member \"group:\u003cvar translate=\"no\"\u003eGROUP_EMAIL\u003c/var\u003e\"\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: with the project ID of the Google Security Operations-bound project you configured in [Configure a Google Cloud project for Google Security Operations](/chronicle/docs/onboard/configure-cloud-project). See [Creating and managing projects](/resource-manager/docs/creating-managing-projects) for a description of fields that identify a project.\n - \u003cvar translate=\"no\"\u003eGROUP_EMAIL\u003c/var\u003e: the email alias for the group, such as `analyst-t1@example.com`.\n - To grant the Chronicle API Viewer role to a specific user, run the following command:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --role roles/chronicle.viewer \\\n --member \"principal:\u003cvar translate=\"no\"\u003eUSER_EMAIL\u003c/var\u003e\"\n\n Replace \u003cvar translate=\"no\"\u003eUSER_EMAIL\u003c/var\u003e: the user's user email address, such as `alice@example.com`.\n - For examples of how to grant roles to other members, such as a group or\n domain, see\n [gcloud projects add-iam-policy-binding](/sdk/gcloud/reference/projects/add-iam-policy-binding)\n and [Principal identifiers](/iam/docs/principal-identifiers) reference\n documentation.\n\n2. Configure additional IAM policies to meet your\n organization's access and security requirements.\n\n| **Note:** Custom IAM role mappings aren't supported for the SOAR side of the Google SecOps platform.\n\nWhat's next\n-----------\n\nAfter completing the steps in this document, perform the following:\n\n- Perform steps to [Link a Google Security Operations instance to Google Cloud services](/chronicle/docs/onboard/link-chronicle-cloud).\n\n- If you have not yet set up audit logging, continue with\n [enabling Google Security Operations audit logging](/chronicle/docs/preview/audit-logging/audit-logging).\n\n- If you are configuring for Google Security Operations, perform additional steps in\n [Provision, authenticate, and map users in Google Security Operations](/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform).\n\n- To configure access to features, perform additional steps in [Configure feature access control using IAM](/chronicle/docs/onboard/configure-feature-access) and [Google Security Operations permissions in IAM](/chronicle/docs/reference/feature-rbac-permissions-roles).\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
