Stay organized with collectionsSave and categorize content based on your preferences.
Add SIEM or SOAR users to Google SecOps
Supported in:
Google secops
This document is for Google Security Operations admins who want to grant permission to specific users
to use only the SIEM features in Google SecOps (such as investigating raw data)
or only the SOAR features of Google SecOps (such as managing cases).
Due to the nature of the Google SecOps platform, both sets of users
need minimal permissions from both the SIEM and SOAR sides
before they can sign in to the platform.
Before you begin
These procedures are based on the assumption that you have already onboarded
to the Google SecOps platform, enabled the Chronicle API, and started
working with IAM permissions. The following procedures may vary slightly,
depending on whether you configured aCloud Identity provideror athird-party identity provider.
Define either apredefined roleor acustom role.
The custom role must contain the following minimum permissions:
chronicle.instances.get
chronicle.preferenceSets.get.
If you're using the Cloud Identity Provider, mapuser email groupsinto theemail group mapping page.
If you're using a third-party identity provider, mapIdP groupsinto theIdP group mapping page.
You can choose the control access parameters that meet your needs.
For more information see,control access parameters.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis document guides Google Security Operations admins on granting specific users access to either SIEM or SOAR features within the Google SecOps platform.\u003c/p\u003e\n"],["\u003cp\u003eUsers granted SIEM-only access should be mapped to a predefined or custom role with SIEM permissions, and their access should be configured in the IdP group mapping page, setting License Type to Standard, Landing Page to SIEM Search, enabling the Homepage toggle, and selecting the SIEM only SOC role.\u003c/p\u003e\n"],["\u003cp\u003eUsers with SOAR-only permissions also require a predefined or custom role with a minimum set of specific permissions, and they are mapped through the IdP group mapping page, where control access parameters can be customized.\u003c/p\u003e\n"],["\u003cp\u003eBoth SIEM and SOAR only user groups will require minimal permissions from both features to login.\u003c/p\u003e\n"],["\u003cp\u003eThe setup procedures differ slightly based on whether a Cloud Identity provider or a third-party identity provider is configured for authentication.\u003c/p\u003e\n"]]],[],null,["# Add SIEM or SOAR users to Google SecOps\n=======================================\n\nSupported in: \nGoogle secops\n\nThis document is for Google Security Operations admins who want to grant permission to specific users\nto use only the SIEM features in Google SecOps (such as investigating raw data)\nor only the SOAR features of Google SecOps (such as managing cases).\nDue to the nature of the Google SecOps platform, both sets of users\nneed minimal permissions from both the SIEM and SOAR sides\nbefore they can sign in to the platform.\n\nBefore you begin\n----------------\n\nThese procedures are based on the assumption that you have already onboarded\nto the Google SecOps platform, enabled the Chronicle API, and started\nworking with IAM permissions. The following procedures may vary slightly,\ndepending on whether you configured a [Cloud Identity provider](/chronicle/docs/onboard/configure-cloud-authentication)\nor a [third-party identity provider](/chronicle/docs/onboard/configure-authentication).\n\nSet up users with SIEM only permissions\n---------------------------------------\n\n\u003cbr /\u003e\n\n1. Define either a [predefined role](/chronicle/docs/onboard/configure-cloud-authentication) or a [custom role](/chronicle/docs/onboard/configure-feature-access#custom-role) with the relevant SIEM permissions:\n - If you're using the Cloud Identity Provider, map **user email groups** on the [email group mapping page](/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform-first-party).\n - If you're using a third-party identity provider, map **IdP groups** on the [IdP group mapping page](/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform).\n2. On either page, map the **IdP groups** or **email groups** to the minimal control access parameters, as follows:\n - **Permission groups** :\n - Set the license type to **Standard**.\n - Set the landing page to **SIEM Search**.\n - Under **Read/Write** Permissions, click the **Homepage** toggle.\n - **SOC roles** : Select **SIEM only** . You need to create the SIEM SOC role first by [adding it as a new SOC role](/chronicle/docs/soar/admin-tasks/permissions/working-with-roles).\n - Environments: Select **Default**.\n\nSet up users with SOAR-only permissions\n---------------------------------------\n\n1. Define either a [predefined role](/chronicle/docs/onboard/configure-feature-access) or a [custom role](/chronicle/docs/onboard/configure-feature-access#custom-role). The custom role must contain the following minimum permissions:\n - **chronicle.instances.get**\n - **chronicle.preferenceSets.get**.\n2. If you're using the Cloud Identity Provider, map **user email groups** into the [email group mapping page](/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform-first-party).\n3. If you're using a third-party identity provider, map **IdP groups** into the [IdP group mapping page](/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform). You can choose the control access parameters that meet your needs. For more information see, [control access parameters](/chronicle/docs/soar/admin-tasks/advanced/control-access-to-platform).\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
