Netskope Help

Custom role permissions for GCP CSA

When you set up GCP for CSA, Netskope requires certain permissions. You can grant them in either of the following two ways.

  • Select the following built-in roles:

    • Project > Browser

    • IAM > Security Reviewer

    • BigQuery > BigQuery Metadata Viewer

    • Organization Policy > Organization Policy Viewer

    Or,

  • Select the two built-in roles Project > Browser and Organization Policy > Organization Policy Viewer. Then create a custom role with the permissions compute.projects.get and compute.regions.list. Depending on the GCP services you want assessed, add the corresponding permissions from the table below to the custom role. A service listed with NA needs no additional permission.

    The following table provides a mapping of GCP service to custom role permissions.

    | GCP service | Permission required | Purpose |
    |---|---|---|
    | Compute Image | compute.images.list | Retrieves the list of custom images available to the specified project. |
    | DNS Managed Zone | dns.managedZoneOperations.list | Enumerates operations for a given managed zone. |
    | DNS Managed Zone | dns.managedZones.list | Lists all your managed zones. |
    | DNS Managed Zone | dns.resourceRecordSets.list | Enumerates resource record sets that you have created but not yet deleted. |
    | Kubernetes Cluster | container.clusterRoleBindings.list | Lists the role bindings of a Kubernetes cluster. |
    | Kubernetes Cluster | container.clusterRoles.list | Lists the roles of a Kubernetes cluster. |
    | Kubernetes Cluster | container.clusters.list | Lists existing clusters for running containers. |
    | Service Account | iam.serviceAccounts.get | Gets a service account. |
    | Service Account | iam.serviceAccounts.getIamPolicy | Gets the IAM policy for a service account. |
    | Service Account | iam.serviceAccountKeys.list | Lists every ServiceAccountKey for a service account. |
    | Service Account | iam.serviceAccounts.list | Lists every service account. |
    | VPC | compute.networks.list | Lists Google Compute Engine networks. |
    | Compute Instance | compute.zones.list | Lists Google Compute Engine zones. |
    | Compute Instance | compute.instances.list | Lists Google Compute Engine instances. |
    | Firewall | compute.firewalls.list | Retrieves the list of firewall rules available to the specified project. |
    | IAM Policy | NA | NA |
    | Log Metric | logging.logMetrics.list | Lists logs-based metrics. |
    | Log Metric | monitoring.alertPolicies.list | Lists the existing alerting policies for the workspace. |
    | Roles | iam.roles.list | Lists the roles defined at a parent organization or a project. |
    | SQL Instance | cloudsql.instances.list | Lists Cloud SQL instances in a given project. |
    | SQL Instance | cloudsql.users.list | Lists Cloud SQL users in a given instance. |
    | Access Policy | accesscontextmanager.accessLevels.list (custom role at org level) | Lists all access levels. |
    | Access Policy | accesscontextmanager.accessPolicies.list (custom role at org level) | Lists all access policies under a container. |
    | Access Policy | accesscontextmanager.servicePerimeters.list (custom role at org level) | Lists all service perimeters for an access policy. |
    | Storage | storage.buckets.getIamPolicy | Returns the Identity and Access Management (IAM) policy for the specified bucket. |
    | Storage | storage.buckets.list | Retrieves a list of buckets for a given project. |
    | Forwarding Rules | compute.regions.get | Returns the specified Region resource. |
    | Forwarding Rules | compute.globalAddresses.get | Returns the specified address resource. |
    | Forwarding Rules | compute.addresses.get | Returns the specified address resource. |
    | Forwarding Rules | compute.forwardingRules.list | Lists Google Compute Engine forwarding rules. |
    | IAM Policy User | NA | NA |
    | Logging Sinks | logging.sinks.list | Lists the defined sinks. |
    | Route | compute.routes.list | Lists non-dynamic Google Compute Engine routes. |
    | Subnetwork | compute.subnetworks.list | Retrieves a list of subnetworks available to the specified project. |
    | Alert Policy | monitoring.alertPolicies.list | Lists the existing alerting policies for the workspace. |
    | Disks | compute.disks.list | Lists Google Compute Engine disks. |
    | Disks | compute.zones.list | Retrieves the list of Zone resources available to the specified project. |
    | Dataproc Cluster | dataproc.clusters.list | Views a list of clusters in a project. |
    | Cloud Function | cloudfunctions.functions.list | Lists the Cloud Functions of a specified project. |
    | Cloud Function | cloudfunctions.locations.list | Lists the locations of a specified Cloud Function. |
    | KMS | cloudkms.cryptoKeyVersions.list | Lists CryptoKeyVersions. |
    | KMS | cloudkms.cryptoKeys.list | Lists CryptoKeys. |
    | KMS | cloudkms.keyRings.list | Lists KeyRings. |
    | Organization | NA | NA |
    | API Services | serviceusage.services.list | Lists all services available to the specified project, and the current state of those services with respect to the project. |
    | BigQuery Datasets | bigquery.datasets.get | Returns the dataset specified by datasetID. |
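The following is an added example, not Netskope tooling or documentation, showing how to turn the mapping above into the role file that `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml` (or `--organization=ORG_ID` for the Access Policy permissions the table marks as org level) accepts, and how to check an existing role for missing permissions. The `title`, `description`, `stage` and `includedPermissions` keys are the documented fields of that file; the role title, the constructed service-to-permission dictionary (copied from the table), and the read-only verb allow-list that rejects anything other than `get`, `list` and `getIamPolicy` are this example's own choices, added so a reviewer can confirm the custom role never grows a write permission.

```python
"""Build a least-privilege custom role definition for Netskope CSA from the
permission table above. Added example, not Netskope's code; the role title,
the verb allow-list and the service names are this example's assumptions."""
from __future__ import annotations

# Permissions every custom role needs, per the page.
BASE_PERMISSIONS = ("compute.projects.get", "compute.regions.list")

# Per-service permissions copied from the table. Services listed as NA
# (IAM Policy, IAM Policy User, Organization) need no extra permission.
SERVICE_PERMISSIONS: dict[str, tuple[str, ...]] = {
    "Compute Image": ("compute.images.list",),
    "DNS Managed Zone": ("dns.managedZoneOperations.list", "dns.managedZones.list",
                         "dns.resourceRecordSets.list"),
    "Kubernetes Cluster": ("container.clusterRoleBindings.list", "container.clusterRoles.list",
                           "container.clusters.list"),
    "Service Account": ("iam.serviceAccounts.get", "iam.serviceAccounts.getIamPolicy",
                        "iam.serviceAccountKeys.list", "iam.serviceAccounts.list"),
    "VPC": ("compute.networks.list",),
    "Compute Instance": ("compute.zones.list", "compute.instances.list"),
    "Firewall": ("compute.firewalls.list",),
    "Log Metric": ("logging.logMetrics.list", "monitoring.alertPolicies.list"),
    "Roles": ("iam.roles.list",),
    "SQL Instance": ("cloudsql.instances.list", "cloudsql.users.list"),
    "Access Policy": ("accesscontextmanager.accessLevels.list",
                      "accesscontextmanager.accessPolicies.list",
                      "accesscontextmanager.servicePerimeters.list"),
    "Storage": ("storage.buckets.getIamPolicy", "storage.buckets.list"),
    "Forwarding Rules": ("compute.regions.get", "compute.globalAddresses.get",
                         "compute.addresses.get", "compute.forwardingRules.list"),
    "Logging Sinks": ("logging.sinks.list",),
    "Route": ("compute.routes.list",),
    "Subnetwork": ("compute.subnetworks.list",),
    "Alert Policy": ("monitoring.alertPolicies.list",),
    "Disks": ("compute.disks.list", "compute.zones.list"),
    "Dataproc Cluster": ("dataproc.clusters.list",),
    "Cloud Function": ("cloudfunctions.functions.list", "cloudfunctions.locations.list"),
    "KMS": ("cloudkms.cryptoKeyVersions.list", "cloudkms.cryptoKeys.list", "cloudkms.keyRings.list"),
    "API Services": ("serviceusage.services.list",),
    "BigQuery Datasets": ("bigquery.datasets.get",),
}

# The table marks these permissions as requiring a custom role at org level.
ORG_LEVEL_SERVICES = frozenset({"Access Policy"})

# Assumed allow-list: CSA only reads, so any other verb is a scoping mistake.
READ_ONLY_VERBS = frozenset({"get", "list", "getIamPolicy"})


def is_read_only(permission: str) -> bool:
    """True when the permission's verb (its last dotted segment) is read-only."""
    return permission.rsplit(".", 1)[-1] in READ_ONLY_VERBS


def permissions_for(services, scope: str = "project") -> list[str]:
    """Sorted, de-duplicated permissions for `services` at the given scope.

    The project role carries the two base permissions plus every project-level
    service; the organization role carries only the org-level services.
    Raises ValueError for unknown services, bad scope, or a non-read-only permission.
    """
    if scope not in ("project", "organization"):
        raise ValueError(f"unknown scope {scope!r}")
    unknown = sorted(set(services) - set(SERVICE_PERMISSIONS))
    if unknown:
        raise ValueError(f"unknown services: {unknown}")
    wanted = [s for s in services if (s in ORG_LEVEL_SERVICES) == (scope == "organization")]
    perms = set(BASE_PERMISSIONS) if scope == "project" else set()
    for svc in wanted:
        perms.update(SERVICE_PERMISSIONS[svc])
    rejected = sorted(p for p in perms if not is_read_only(p))
    if rejected:
        raise ValueError(f"non-read-only permissions rejected: {rejected}")
    return sorted(perms)


def missing_permissions(granted, services, scope: str = "project") -> list[str]:
    """Permissions an existing role still lacks; empty list means the role is complete."""
    return sorted(set(permissions_for(services, scope)) - set(granted))


def role_yaml(services, scope: str = "project", title: str = "Netskope CSA read-only") -> str:
    """Render the YAML consumed by `gcloud iam roles create --file`."""
    lines = [f"title: {title} ({scope})",
             "description: Read-only permissions for Netskope CSA assessment",
             "stage: GA",
             "includedPermissions:"]
    lines += [f"- {p}" for p in permissions_for(services, scope)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Emit one file per scope; all services selected here.
    print(role_yaml(SERVICE_PERMISSIONS, "project"))
    print(role_yaml(SERVICE_PERMISSIONS, "organization"))
```

Run the script and redirect each printed document into its own file before passing it to `gcloud iam roles create`. To audit a role that already exists, feed the `includedPermissions` list from `gcloud iam roles describe` into `missing_permissions`; the read-only check in `permissions_for` is the guard a reviewer would want if the mapping is ever edited by hand.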