Frequently Asked Questions

Here are some frequently asked questions about Forseti Security.


Great! Please file an issue if it doesn’t already exist. If you’d like to address the issue, let us know on! We’d love to chat with you about it.

Installation and deployment

You can edit your Forseti deployment script (refer to “Updating Forseti”) or your Forseti configuration file (refer to “Configuring Forseti”).

Setting Forseti up in a separate project ensures that Forseti has the necessary quota for API calls and managing service accounts and roles. This also restricts who has access to your Forseti-related resources.

If Forseti is reading data from only one project, your Forseti service account might have access only to that particular project. To get read access to all of the projects under your organization, add the service account to the organization Cloud IAM policy with the required roles. Your Organization Admin should be able to help you with that.

Using Forseti

We have some starter documentation for defining rules. For more questions, please contact us at

By default, Forseti runs Inventory and Scanner on the top of every hour using a simple cronjob. You can edit the deployment template to change this cron value.

The installation log is stored in /tmp/deployment.log on the Forseti Compute Engine instance.

The Forseti Inventory, Scanner, and Enforcer logs can be found in the Cloud Platform Console, under Stackdriver. Change the first dropdown filter to “GCE VM Instance”, and the second dropdown filter to “syslog”.

You can implement bucket lifecycle rules to delete the output or migrate them to a lower cost class. Alternatively, you may wish to export the output to BigQuery.

Security implications

The Admin API, which performs the G Suite Groups data retrieval, uses methods from an OAuth library which expect the private key to be local to where the code is running. To minimize G Suite service account access, don’t assign any Cloud IAM roles to it and only grant the Groups/Group Members Read-Only scope in G Suite. To learn more, see the Forseti Service Accounts page.

Forseti uses a service account which is granted roles on the organization Cloud IAM policy. Because roles are hierarchical in GCP, if someone has a Cloud IAM role the organization level, the role is inherited by lower levels, like the folder or project. For example, if you grant the “Browser” role to someone on the organization, they will also be able to see folders and projects within the organization.

For more information, please refer to “Service account for Forseti Security”.

We recommend granting only the specific roles that Forseti needs for reading data in GCP. Since there are many types of access that need to be granted for reading certain data, the Forseti service account must be granted those specific roles.