
Role Details

The Role Details page provides a comprehensive view of cloud IAM roles, application roles, and permission sets discovered by Hydden. This page displays role assignment details, including both direct and inherited assignments, along with authentication activity for all accounts with the role. Role Details pages are essential for cloud access reviews, least privilege analysis, and understanding role-based access control (RBAC) implementations.

Overview

Role Details pages provide critical information for understanding cloud permissions and role-based authorization:

  • Role Attributes: Name, description, platform, data source, provider
  • Assignment Counts: Direct role count vs. expanded (inherited) role count
  • Member Inventory: Complete list of accounts assigned this role
  • Assignment Type: Direct assignment vs. inherited from groups or nested roles
  • Activity Tracking: Login history for all accounts with the role
  • Permission Analysis: Understanding the permissions granted by this role

This page type is crucial for cloud IAM audits, compliance reviews, and least privilege verification, particularly for highly privileged roles like Owner, Contributor, Administrator, or custom administrative roles in Azure, AWS, GCP, and other cloud platforms.

Key Concepts

Role vs. Group

Understanding the difference between roles and groups is essential:

| Aspect | Roles | Groups |
| --- | --- | --- |
| Purpose | Define permissions and access levels | Define collections of users |
| Platform | Primarily cloud platforms (Azure, AWS, GCP) | On-premises and cloud directories |
| Assignment | Roles are assigned to accounts or groups | Accounts are members of groups |
| Permissions | Roles grant specific permissions | Groups may be assigned roles |
| Examples | Azure Global Administrator, AWS AdministratorAccess, GCP Owner | Active Directory groups, Azure AD security groups |

Key Difference: Roles define what you can do (permissions), while groups define who belongs together (membership).

Cloud Role Types

Roles are categorized based on their scope and platform:

| Role Type | Description | Common Examples |
| --- | --- | --- |
| Built-in Admin | Pre-defined roles with broad administrative permissions | Azure Global Administrator, AWS AdministratorAccess, GCP Owner |
| Built-in Privileged | Pre-defined roles with elevated but scoped permissions | Azure Security Administrator, AWS PowerUserAccess, GCP Editor |
| Built-in Standard | Pre-defined roles for common tasks | Azure Reader, AWS ReadOnlyAccess, GCP Viewer |
| Custom | Organization-defined roles with specific permissions | Custom developer role, custom auditor role |
| Application | Application-specific roles | Salesforce Admin, Workday Security Administrator |

Direct vs. Expanded Role Count

Understanding assignment types is critical for accurate access reviews:

Direct Role Count:

  • Accounts explicitly assigned this role
  • Direct role-to-account assignment
  • Visible as Direct Role Count on the Role Details page

Expanded Role Count (Inherited Assignments):

  • Accounts that inherit this role through group membership or nested roles
  • Includes direct assignments plus inherited assignments
  • Visible as Expanded Role Count (also called Total Role Count)

Example:

Role: Azure Contributor (Subscription Level)
├─ Direct Assignments: alice@company.com, bob@company.com (Direct Role Count = 2)
└─ Assigned to Group: "Cloud Platform Team"
   └─ Members: charlie@company.com, dana@company.com

Total Expanded Role Count = 4 (2 direct + 2 inherited via group)
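The counts above can be reproduced from an assignment graph. The following is an added example, not Hydden's own code or data model; it extends the page's example with a nested group ("Platform SRE", a constructed name) that contains a directly assigned account and points back at its parent, to show that a direct assignment keeps its Direct label and that a membership cycle is walked only once:

```python
from collections import deque

# Constructed sample data: the page's Azure Contributor example plus one nested
# group ("Platform SRE") that also contains a directly assigned account and
# refers back to its parent group, creating a membership cycle on purpose.
DIRECT_ROLE_ASSIGNMENTS = {
    "Contributor": {
        "accounts": {"alice@company.com", "bob@company.com"},
        "groups": {"Cloud Platform Team"},
    },
}
GROUP_MEMBERS = {  # group -> (member accounts, nested member groups)
    "Cloud Platform Team": ({"charlie@company.com", "dana@company.com"}, {"Platform SRE"}),
    "Platform SRE": ({"erin@company.com", "bob@company.com"}, {"Cloud Platform Team"}),
}

def expand_role(role, assignments, group_members):
    """Return {account: "Direct" | "Expanded"} for every account holding `role`.

    A direct assignment keeps its Direct label even when the account is also a
    group member. Nested groups are walked breadth-first with a visited set, so
    a cycle in group membership terminates instead of looping forever.
    """
    entry = assignments[role]
    holders = {acct: "Direct" for acct in entry["accounts"]}
    queue, seen = deque(entry["groups"]), set()
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        accounts, nested = group_members.get(group, (set(), set()))
        for acct in accounts:
            holders.setdefault(acct, "Expanded")  # never downgrade a Direct holder
        queue.extend(nested)
    return holders

def role_counts(role, assignments, group_members):
    """Direct Role Count, Expanded Role Count and the inherited-only remainder."""
    holders = expand_role(role, assignments, group_members)
    direct = sum(1 for kind in holders.values() if kind == "Direct")
    return {"direct": direct, "expanded": len(holders), "inherited": len(holders) - direct}

if __name__ == "__main__":
    for acct, kind in sorted(expand_role("Contributor", DIRECT_ROLE_ASSIGNMENTS, GROUP_MEMBERS).items()):
        print(f"{acct:22} {kind}")
    print(role_counts("Contributor", DIRECT_ROLE_ASSIGNMENTS, GROUP_MEMBERS))
```

With the nested group removed, the same functions give the page's figures of 2 direct plus 2 inherited, for an Expanded Role Count of 4.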

Privileged Roles

Roles with elevated permissions are flagged as privileged:

  • Highly Privileged Roles: Roles with administrative access across the entire platform or tenant
  • Risk Indicator: Assignment of privileged roles contributes to account threat scores
  • Common Privileged Roles:
    • Azure: Global Administrator, Privileged Role Administrator, Security Administrator
    • AWS: AdministratorAccess, SecurityAudit, IAMFullAccess
    • GCP: Owner, Security Admin, Organization Administrator
    • Okta: Super Administrator, Application Administrator

For more information on privilege detection, see Threat Detection Rules.

Role Scope

Cloud roles operate at different scopes:

Azure Scope Levels:

  • Management Group: Applies to multiple subscriptions
  • Subscription: Applies to all resources in a subscription
  • Resource Group: Applies to resources within a resource group
  • Resource: Applies to a specific resource

AWS Scope:

  • Account-wide: Applies to the entire AWS account
  • Service-specific: Scoped to specific AWS services

GCP Scope:

  • Organization: Applies to the entire organization
  • Folder: Applies to folders within the organization
  • Project: Applies to specific projects

Broader scopes (Management Group, Organization) grant more extensive access than narrower scopes (Resource, Project).


Data Tiles

The Role Details page displays information tiles with key role attributes:

Role Information Tile

| Field | Description |
| --- | --- |
| Role Name | Role name as used in the role provider |
| Role Description | Description of the role's purpose and permissions (if available) |
| Platform | System platform where the role was discovered (Azure, AWS, GCP, Okta, etc.) |
| Data Source Name | Collector module that retrieved the role data |
| Domain | Cloud tenant or account identifier |
| Provider | Role provider (Azure, AWS, GCP, Okta, etc.) |
| Role Type | Built-in or Custom |
| Scope | Role scope (Subscription, Resource Group, Account, Project, etc.) |
| Is Privileged | Privilege level indicator (if applicable) |

Membership Information Tile

| Field | Description |
| --- | --- |
| Direct Role Count | Number of accounts with this specific role assignment |
| Expanded Role Count | Total assignments including direct plus inherited via groups |

The difference between Direct Role Count and Expanded Role Count reveals the extent of role inheritance through groups. Large discrepancies indicate significant group-based role assignment that should be reviewed.


Data Tabs

Role Membership Tab

Complete inventory of all accounts assigned this role, showing both direct and inherited assignments.

Default Columns:

| Column | Description |
| --- | --- |
| Account Name | Name of the account with this role assignment |
| Display Name | Friendly display name of the account |
| Platform | Account platform |
| Data Source | Data source where the account was discovered |
| Assignment Type | Direct (explicitly assigned) or Expanded (inherited via group) |
| Assignment Scope | Scope of the role assignment (Subscription, Resource Group, Project, etc.) |
| Account Type | User, Service, Federated, etc. |
| Status | Account status (Enabled, Disabled, Locked, Expired) |
| Last Logon | Most recent successful authentication |
| Is Privileged | Privilege level of the account (0-10 scale) |

Use Cases:

  • Access Review: Verify all accounts should have this role assignment
  • Privilege Audit: Identify who has privileged access via this role
  • Inheritance Analysis: Filter by Assignment Type to see inherited assignments
  • Inactive Assignment Identification: Sort by Last Logon to find dormant accounts with the role
  • Compliance Auditing: Generate evidence for cloud access certification
  • Least Privilege Review: Identify accounts that may have excessive permissions
  • Cleanup Planning: Identify role assignments for removal

Filtering and Analysis:

  • Filter by Assignment Type = Direct: See only explicitly assigned accounts
  • Filter by Assignment Type = Expanded: See only inherited assignments (via groups)
  • Filter by Status = Disabled: Find accounts that should have role removed
  • Sort by Last Logon (oldest first): Identify stale role assignments
  • Filter by Is Privileged > 5: Focus on high-privilege accounts with this role
  • Filter by Assignment Scope: Focus on specific scopes (e.g., production subscriptions)

Actions:

  • Click any account to open Account Details
  • Export role assignment list for access review documentation
  • Use Action button to request access reviews or generate compliance reports

Login History Tab

Authentication activity for all accounts with this role assignment (direct and inherited), providing visibility into role usage patterns.

Default Columns:

| Column | Description |
| --- | --- |
| Login Date/Time | Timestamp of the authentication event |
| Account Name | Account that authenticated |
| Platform | System where the authentication occurred |
| Login Status | Success or Failed |
| Assignment Type | Direct or Expanded (shows how the account has this role) |
| Source IP Address | IP address of the login attempt (if available) |
| Login Type | Interactive, Network, Service, etc. |
| Geolocation | Geographic location of the login (if available) |

Use Cases:

  • Activity Verification: Confirm accounts with this role are actively using their access
  • Dormant Assignment Detection: Identify accounts with no recent logins (candidates for role removal)
  • Security Investigations: Investigate suspicious authentication patterns for role holders
  • Compliance Auditing: Document role usage for audit trails
  • Pattern Analysis: Understand how role-based access is being used (interactive vs. service accounts)
  • Least Privilege Validation: Identify unused role assignments for removal

Analysis Tips:

  • Sort by Login Date/Time (oldest first): Find accounts with no recent activity
  • Filter by Login Status = Failed: Identify potential security issues
  • Filter by Assignment Type: Separate direct assignment activity from inherited activity
  • Group by Account Name: See activity per role holder
  • Look for anomalies: Unusual login times, locations, or frequencies for this role

Example Insights:

  • No logins in 90+ days: Account may not need this role (candidate for removal)
  • Service account with interactive logins: Potential security concern (service accounts should use non-interactive auth)
  • Failed login spikes: Possible brute force attempt or compromised credentials
  • Unusual geolocation: Access from unexpected locations for this role
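Three of the insights above (no logins in 90+ days, a service account with interactive logins, and a failed-login spike) can be checked mechanically over an export of the Login History tab. The following is an added example, not Hydden's code; the rows, the role-holder list, the service-account list and the reference date are all constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the Login History tab columns:
# (Login Date/Time, Account Name, Login Status, Assignment Type, Login Type).
LOGINS = [
    ("2024-05-01T08:02:00", "alice@company.com", "Success", "Direct", "Interactive"),
    ("2024-04-30T17:40:00", "bob@company.com", "Success", "Direct", "Interactive"),
    ("2024-01-10T09:15:00", "dana@company.com", "Success", "Expanded", "Interactive"),
    ("2024-05-02T01:00:00", "svc-deploy", "Success", "Direct", "Interactive"),
    ("2024-05-03T02:00:00", "svc-deploy", "Success", "Direct", "Service"),
] + [("2024-05-04T03:%02d:00" % m, "bob@company.com", "Failed", "Direct", "Network")
     for m in range(12)]  # twelve failures in twelve minutes
ROLE_HOLDERS = {"alice@company.com", "bob@company.com", "charlie@company.com",
                "dana@company.com", "svc-deploy"}  # charlie has no login rows at all
SERVICE_ACCOUNTS = {"svc-deploy"}
AS_OF = datetime(2024, 5, 5)  # constructed reference date for the review

def dormant_assignments(logins, holders, as_of, days=90):
    """Role holders with no successful login in the last `days` days (or ever)."""
    cutoff = as_of - timedelta(days=days)
    last_ok = {}
    for ts, acct, status, _, _ in logins:
        if status == "Success":
            when = datetime.fromisoformat(ts)
            last_ok[acct] = max(last_ok.get(acct, when), when)
    return sorted(a for a in holders if last_ok.get(a, datetime.min) < cutoff)

def service_accounts_interactive(logins, service_accounts):
    """Service accounts with successful interactive logins (expected: non-interactive only)."""
    return sorted({acct for _, acct, status, _, kind in logins
                   if acct in service_accounts and status == "Success" and kind == "Interactive"})

def failed_login_spikes(logins, threshold=10, window=timedelta(hours=1)):
    """Accounts with at least `threshold` failed logins inside one sliding window."""
    failed = defaultdict(list)
    for ts, acct, status, _, _ in logins:
        if status == "Failed":
            failed[acct].append(datetime.fromisoformat(ts))
    flagged = []
    for acct, times in failed.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(acct)
                break
    return sorted(flagged)
```

Accounts flagged as dormant are candidates for role removal; the other two findings are leads for the investigation steps described above, not verdicts.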

Share via Action

On tenants with the Integrate Action Providers and Workflows feature enabled, the Action button provides workflow automation options.

Available Actions

Email Notification:

  • Send role assignment list to cloud administrators or managers
  • Alert security team about privileged role changes
  • Request access review for role assignments
  • Escalate security findings for high-risk roles
  • Notify stakeholders of role assignment changes

Create Ticket:

  • Generate ServiceNow incident/request tickets for access reviews
  • Create JIRA issues for role assignment cleanup
  • Automated ticketing for policy violations (e.g., overprivileged accounts)
  • Track cloud access certification workflows
  • Document access review completion

Custom Workflows:

  • Execute organization-specific automation
  • Trigger integration with cloud governance platforms
  • Initiate role removal workflows for inactive assignments
  • Custom compliance reporting
  • Automated least privilege analysis

Common Workflows

Privileged Role Access Review

  1. Navigate to Role Details for privileged role (e.g., Azure Global Administrator)
  2. Review Membership Information Tile to understand direct vs. expanded assignments
  3. Open Role Membership Tab to see all accounts with this role
  4. Filter by Assignment Type = Expanded to identify group-inherited assignments
  5. Sort by Last Logon to identify inactive accounts with the role
  6. Verify business justification for each assignment
  7. Check Login History Tab to confirm role holders are using their access
  8. Assess scope appropriateness (e.g., should role be scoped more narrowly?)
  9. Document findings for compliance
  10. Use Action button to request removal of inappropriate assignments
  11. Schedule follow-up review (quarterly for highly privileged roles)

Least Privilege Analysis

  1. Open Role Details for the target role
  2. Review role permissions (consult cloud provider documentation)
  3. Open Role Membership Tab to see all assignments
  4. Check Login History Tab to determine actual usage patterns
  5. Identify accounts with no recent logins (90+ days)
  6. Assess if inactive accounts need this role
  7. For active accounts, verify role is necessary for their function
  8. Identify accounts with multiple privileged roles (potential over-privileged)
  9. Recommend role removal for inactive or unnecessary assignments
  10. Suggest narrower-scoped roles where appropriate
  11. Document least privilege recommendations

Role Inheritance Investigation

  1. Open Role Details for the role
  2. Note the difference between Direct Role Count and Expanded Role Count
  3. Open Role Membership Tab
  4. Filter by Assignment Type = Expanded to see inherited assignments
  5. For each expanded assignment, identify the group providing the role
  6. Assess whether group-based assignment is appropriate or creates security risks
  7. Check for privilege creep: Did group members get more access than intended?
  8. Verify group membership is appropriate for role assignment
  9. Document role inheritance relationships for governance
  10. Recommend direct assignment if group-based assignment is inappropriate

Compliance Audit (Cloud Role-Level)

  1. Select high-value or regulated cloud roles for audit
  2. Review Role Membership Tab for all assignments
  3. Export role assignment list for auditor review
  4. Verify separation of duties (no conflicting role assignments)
  5. Check for terminated employees (filter by account status)
  6. Review Login History for usage evidence
  7. Verify privileged role justification for each assignment
  8. Check assignment scope appropriateness (e.g., subscription vs. resource)
  9. Document review completion with timestamps and findings
  10. Store evidence for compliance records
  11. Schedule next review cycle per compliance requirements

Understanding Role Assignments

Assignment Type Indicator

The Assignment Type column in the Role Membership Tab shows how accounts received the role:

| Assignment Type | Description | Assignment Method |
| --- | --- | --- |
| Direct | Role explicitly assigned to the account | Direct role-to-account assignment |
| Expanded | Role inherited via group membership or nested role | Group or role inheritance |

Why This Matters:

  • Access reviews: You need to know where access comes from to remove it properly
  • Privilege analysis: Group-based role assignment can create hidden privilege escalation
  • Compliance: Auditors require understanding of all role assignment paths
  • Cleanup: Removing a group's role assignment affects all its members' expanded assignments

Role Scope and Impact

Role scope determines the extent of permissions granted:

Azure Example:

Role: Contributor
├─ Scope: Management Group "Production" → Very broad access to all subscriptions
├─ Scope: Subscription "Prod-App-01" → Moderate access to one subscription
└─ Scope: Resource Group "web-servers" → Narrow access to specific resources

Best Practice: Assign roles at the narrowest scope necessary (principle of least privilege).

Privileged Role Identification

Roles are identified as privileged based on:

  • Built-in administrative roles: Global Administrator, Owner, AdministratorAccess
  • Security-related roles: Security Administrator, SecurityAudit
  • IAM management roles: User Administrator, IAM Admin
  • Custom administrative roles: Organization-defined admin roles

Assignment of privileged roles contributes to account threat scores via threat detection rules.

Service Principals and Service Accounts

Cloud platforms often use service principals or service accounts with role assignments:

  • Azure: Service principals for application authentication
  • AWS: IAM users and roles for service accounts
  • GCP: Service accounts for application identities

Security Consideration: Service accounts with privileged roles should be carefully monitored and follow least privilege principles.


Troubleshooting

| Issue | Solution |
| --- | --- |
| Direct Role Count doesn't match expected number | Verify role sync from data source; check collector permissions; review last collection timestamp for cloud platform |
| Expanded Role Count missing or incorrect | Ensure group-based role assignment tracking is enabled; verify collector configuration for cloud platform |
| Missing assignments in Role Membership Tab | Verify account discovery is complete for cloud platform; check if accounts are disabled/deleted; verify role assignment collection |
| Login history incomplete | Ensure authentication logging is enabled on cloud platform; verify collector configuration for sign-in logs; check date range filters |
| Role inheritance not resolved | Verify collector has permission to read group memberships; check for role assignment at group level; review role expansion settings |
| Privileged flag missing | Review threat detection rules for privilege identification; verify role name matching patterns; check if role is custom |
| Assignment Type always shows as Direct | Check if collector supports group-based role assignment tracking; verify role inheritance data is being collected |
| Role scope information missing | Verify collector is configured to collect role scope details; check cloud platform permissions for role management API access |
