Custom role permissions for GCP CSA

Custom role permissions for GCP CSA

When setting up GCP for CSA, Netskope requires certain permissions. To set these permissions, Netskope provides you the following two options.

  • Select the following inbuild roles,
    • Project > Browser
    • IAM > Security Reviewer
    • BigQuery > BigQuery Metadata Viewer
    • Organization Policy > Organization Policy Viewer

    Or,

  • Select the two inbuilt roles, Project > Browser and Organization Policy > Organization Policy Viewer. Then create a custom role with the permissions, compute.projects.get and compute.regions.list. Depending on the GCP service, you can provide additional permissions to the custom role.

    The following table provides a mapping of GCP service to custom role permissions.

    GCP servicePermission requiredPurpose
    Compute Imagecompute.images.listRetrieves the list

    of custom images available to the specified project.

    DNS Managed zonedns.managedZoneOperations.listEnumerates Operations for a given ManagedZone.
    dns.managedZones.listView the list of all your managed zones
    dns.resourceRecordSets.listEnumerates ResourceRecordSets that you have created but not yet deleted.
    Kubernetes Clustercontainer.clusterRoleBindings.listList the role bindings of a kubernetes cluster.
    container.clusterRoles.listList the roles of a kubernetes cluster
    container.clusters.listList existing clusters for running containers
    Service Accountiam.serviceAccounts.getGet a service account
    iam.serviceAccounts.getIamPolicyGet the IAM policy for a service account
    iam.serviceAccountKeys.listLists every ServiceAccountKey for a service account.
    iam.serviceAccounts.listList every service account
    VPCcompute.networks.listList Google Compute Engine networks
    Compute Instancecompute.zones.listList Google Compute Engine zones
    compute.instances.listList Google Compute Engine instances
    Firewallcompute.firewalls.listRetrieves the list of firewall rules available to the specified project
    IAM PolicyNANA
    Log Metriclogging.logMetrics.listLists logs-based metrics.
    monitoring.alertPolicies.listLists the existing alerting policies for the workspace.
    Rolesiam.roles.listList the roles defined at a parent organization or a project
    SQL Instancecloudsql.instances.listLists Cloud SQL instances in a given project
    cloudsql.users.listLists Cloud SQL users in a given instance
    Access Policyaccesscontextmanager.accessLevels.list (custom role at org level)List all access levels
    accesscontextmanager.accessPolicies.list (custom role at org level)List all AccessPolicies under a container.
    accesscontextmanager.servicePerimeters.list (custom role at org level)List all Service Perimeters for an access policy.
    Storagestorage.buckets.getIamPolicyReturns an Identity and Access Management (IAM) policy for the specified bucket.
    storage.buckets.listRetrieves a list of buckets for a given project
    ForwardingRulescompute.regions.getReturns the specified Region resource
    compute.globalAddresses.getReturns the specified address resource
    compute.addresses.getReturns the specified address resource
    compute.forwardingRules.listList Google Compute Engine forwarding rules
    IAM Policy UserNANA
    Logging Sinkslogging.sinks.listLists the defined sinks
    Routecompute.routes.listList non-dynamic Google Compute Engine routes
    Subnetworkcompute.subnetworks.listRetrieves a list of subnetworks available to the specified project.
    Alert Policymonitoring.alertPolicies.listLists the existing alerting policies for the workspace.
    Diskscompute.disks.listList Google Compute Engine disks
    compute.zones.listRetrieves the list of Zone resources available to the specified project.
    DataprocClusterdataproc.clusters.listView a list of clusters in a project
    CloudFunctioncloudfunctions.functions.listList the CloudFunctions of a specified project
    cloudfunctions.locations.listList the location of a specified CloudFunction
    KMScloudkms.cryptoKeyVersions.listLists CryptoKeyVersions.
    cloudkms.cryptoKeys.listLists CryptoKeys.
    cloudkms.keyRings.listLists KeyRings.
    OrganizationNANA
    API Servicesserviceusage.services.listList all services available to the specified project, and the current state of those services with respect to the project
    Bigquery Datasetsbigquery.datasets.getReturns the dataset specified by datasetID.
Share this Doc

Custom role permissions for GCP CSA

Or copy link

In this topic ...