Migrate from legacy RBAC to feature RBAC

This document explains how to migrate your existing Google SecOps instance from legacy RBAC to feature RBAC using Google Cloud IAM.

Prerequisite: Your Google SecOps instance has been migrated to your Google Cloud project and has been set up using Google Cloud authentication.

You can use auto-generated commands to migrate legacy RBAC roles and permissions to Google Cloud IAM. Google SecOps creates these commands using your pre-migration feature RBAC access control configuration. When run, they create new IAM policies equivalent to your existing configuration, as defined in Google SecOps on the SIEM Settings > Users and Groups page.

After you run these commands, you can't revert to the previous feature RBAC access control configuration. If you encounter an issue, contact Google SecOps Technical Support.

  1. In the Google Cloud console, go to the Security > Google SecOps > Access management tab.
  2. Under Migrate role bindings, you see a set of auto-generated Google Cloud CLI commands.
  3. Review and verify that the commands create the expected permissions. For information about Google SecOps roles and permissions, see How IAM permissions map to each feature RBAC role.
  4. Launch a Cloud Shell session.
  5. Copy the auto-generated commands, and then paste and run them in the gcloud CLI.
  6. After you execute all commands, click Verify access. If successful, you see the message Access verified on the Google SecOps Access management page. Otherwise, you see the message Access denied. This message might take 1-2 minutes to appear.
  7. To complete the migration, return to the Security > Google SecOps > Access management tab, and then click Enable IAM.
  8. Verify that you can access Google SecOps as a user with the Chronicle API Admin role:
    1. Sign in to Google SecOps as a user with the Chronicle API Admin predefined role. For more information, see Sign in to Google SecOps.
    2. Open the SIEM Settings > Users and Groups page. You should see the following message: To manage users and groups, go to Identity Access Management (IAM) in the Google Cloud console. Learn more about managing users and groups.
  9. Sign in to Google SecOps as a user with a different role. For more information, see Sign in to Google SecOps.
  10. Verify that the available features in the application match the permissions defined in IAM.
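As an added example that is not part of the Google SecOps documentation, the script below supports step 3: it parses the copied commands and flags bindings a reviewer should look at before running anything in Cloud Shell. It assumes the auto-generated commands are `gcloud projects add-iam-policy-binding` invocations; the sample commands and the expected-role allowlist are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: review auto-generated IAM binding commands before running them.
# Assumption (not from the page): each command has the form
#   gcloud projects add-iam-policy-binding PROJECT_ID --member=MEMBER --role=ROLE

# Constructed sample of what the Access management tab might emit.
SAMPLE_COMMANDS='gcloud projects add-iam-policy-binding my-secops-project --member=user:alice@example.com --role=roles/chronicle.admin
gcloud projects add-iam-policy-binding my-secops-project --member=group:soc-analysts@example.com --role=roles/chronicle.editor
gcloud projects add-iam-policy-binding my-secops-project --member=user:bob@example.com --role=roles/chronicle.viewer
gcloud projects add-iam-policy-binding my-secops-project --member=allUsers --role=roles/chronicle.limitedViewer
gcloud projects add-iam-policy-binding my-secops-project --member=user:carol@example.com --role=roles/owner'

# Roles the migration is expected to grant (hypothetical allowlist; adjust to your tenant).
EXPECTED_ROLES='roles/chronicle.admin roles/chronicle.editor roles/chronicle.viewer roles/chronicle.limitedViewer'

# Print one "ROLE MEMBER" line per binding command read from stdin.
parse_bindings() {
  sed -n 's/^gcloud projects add-iam-policy-binding [^ ]* --member=\([^ ]*\) --role=\([^ ]*\)$/\2 \1/p'
}

# Warn on roles outside the allowlist and on public principals.
# Prints "findings: N" last and returns non-zero if N > 0.
review_bindings() {
  findings=0
  while read -r role member; do
    case " $EXPECTED_ROLES " in
      *" $role "*) ;;
      *) echo "WARN: unexpected role $role for $member"; findings=$((findings + 1)) ;;
    esac
    case "$member" in
      allUsers|allAuthenticatedUsers)
        echo "WARN: public principal $member granted $role"; findings=$((findings + 1)) ;;
    esac
  done
  echo "findings: $findings"
  [ "$findings" -eq 0 ]
}

# Number of findings in the constructed sample (2: a public principal and roles/owner).
sample_finding_count() {
  printf '%s\n' "$SAMPLE_COMMANDS" | parse_bindings | review_bindings | sed -n 's/^findings: //p'
}
```

To review your own commands, save the text from step 2 to a file and run `parse_bindings < file | review_bindings`.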
