Permission Analysis Result

permission_analysis_result

The Permission Analysis Result object describes the analysis results for the permissions and policies directly associated with an identity (user, role, or service account). The analysis evaluates what permissions an identity has been granted through attached policies, which of those privileges are actively used versus unused, and where potential over-privileged access exists. Use this object for identity-centric security assessments such as privilege audits, dormant permission discovery, and least-privilege compliance analysis.

Attributes

| Caption | Name | Type | Description |
|---|---|---|---|
| Condition Keys | condition_keys | Key:Value object[] | The condition keys and their values that were evaluated during policy analysis, including contextual constraints that affect permission grants. These conditions define when and how permissions are applied. Examples: aws:SourceIp:1.2.3.4, aws:RequestedRegion:us-east-1. |
| Granted Privileges | granted_privileges | String[] | The specific privileges, actions, or permissions that are explicitly granted by the analyzed policy. Examples: AWS actions like s3:GetObject, ec2:RunInstances, iam:CreateUser; Azure actions like Microsoft.Storage/storageAccounts/read; or GCP permissions like storage.objects.get. |
| Policy | policy | Policy[] | Detailed information about the policy document that was analyzed, including policy metadata, version, type (identity-based, resource-based, etc.), and structural details. This provides context for understanding the scope and nature of the permission analysis. |
| Raw Data | raw_data | JSON | Group: context. The event data as received from the event source. |
| Record ID | record_id | String | Group: primary. Unique identifier for the object. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
| Unused Privileges Count | unused_privileges_count | Integer | The total count of privileges or actions defined in the policy that have not been utilized within the analysis timeframe. This metric helps identify over-privileged access and opportunities for privilege reduction to follow the principle of least privilege. High counts may indicate policy bloat or excessive permissions. |
| Unused Services Count | unused_services_count | Integer | The total count of cloud services or resource types referenced in the policy that have not been accessed or utilized within the analysis timeframe. This helps identify unused service permissions that could be removed to reduce attack surface. Examples: AWS services like S3, SQS, IAM, Lambda; Azure services like Storage, Compute, KeyVault; or GCP services like Cloud Storage, Compute Engine, BigQuery. |
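The attribute table above defines what the counts mean but not how a producer derives them. The following is an added example, not code from the schema project: it builds a permission_analysis_result record from a policy's granted privileges and the actions observed in activity logs during the analysis window, using the attribute names from the table. The sample privileges, observed actions and condition keys are constructed; the rule for extracting a service name from a privilege string (prefix before ':' for AWS, before '/' for Azure, before '.' for GCP) is an assumption that covers the three naming styles the table cites, and the key names inside the policy dict are placeholders, since the Policy object's own attributes are not defined on this page.

```python
"""Derive unused_privileges_count and unused_services_count for a
permission_analysis_result record (added example; field names follow the
schema table, derivation rules are assumptions)."""
import uuid
from typing import Iterable, Optional

# Constructed sample input: privileges explicitly granted by the analyzed policy.
GRANTED_PRIVILEGES = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket",
    "ec2:RunInstances", "ec2:DescribeInstances",
    "iam:CreateUser",
    "sqs:SendMessage",
]

# Constructed sample input: actions the identity actually performed in the window.
OBSERVED_ACTIONS = [
    "s3:GetObject", "s3:GetObject", "ec2:DescribeInstances", "s3:ListBucket",
]

# Constructed sample input: condition keys evaluated during analysis.
CONDITION_KEYS = [{"aws:SourceIp": "1.2.3.4"}, {"aws:RequestedRegion": "us-east-1"}]


def service_of(privilege: str) -> str:
    """Return the service / resource-type prefix of a privilege string.

    Assumed convention covering the three styles named in the schema table:
      AWS   'ec2:RunInstances'                       -> 'ec2'
      Azure 'Microsoft.Storage/storageAccounts/read' -> 'Microsoft.Storage'
      GCP   'storage.objects.get'                    -> 'storage'
    """
    if ":" in privilege:
        return privilege.split(":", 1)[0]
    if "/" in privilege:
        return privilege.split("/", 1)[0]
    return privilege.split(".", 1)[0]


def unused_privileges(granted: Iterable[str], observed: Iterable[str]) -> list:
    """Granted privileges that were never exercised in the analysis window."""
    used = set(observed)
    return sorted(p for p in set(granted) if p not in used)


def unused_services(granted: Iterable[str], observed: Iterable[str]) -> list:
    """Services referenced by the policy with no observed activity at all."""
    referenced = {service_of(p) for p in granted}
    touched = {service_of(a) for a in observed}
    return sorted(referenced - touched)


def build_permission_analysis_result(
    granted: Iterable[str],
    observed: Iterable[str],
    condition_keys: list,
    policy: dict,
    raw_data: dict,
    record_id: Optional[str] = None,
) -> dict:
    """Assemble the record using the attribute names from the schema table."""
    granted = list(granted)
    observed = list(observed)
    return {
        "condition_keys": condition_keys,
        "granted_privileges": sorted(set(granted)),
        "policy": [policy],            # Policy[] ; inner keys are placeholders
        "raw_data": raw_data,          # event data as received from the source
        "record_id": record_id or str(uuid.uuid4()),
        "unmapped": [],                # nothing left over in this sample
        "unused_privileges_count": len(unused_privileges(granted, observed)),
        "unused_services_count": len(unused_services(granted, observed)),
    }


if __name__ == "__main__":
    result = build_permission_analysis_result(
        GRANTED_PRIVILEGES,
        OBSERVED_ACTIONS,
        CONDITION_KEYS,
        policy={"type": "identity-based", "version": "2012-10-17"},  # placeholder keys
        raw_data={"source": "constructed-sample"},
    )
    print(result)
    print("unused privileges:", unused_privileges(GRANTED_PRIVILEGES, OBSERVED_ACTIONS))
    print("unused services:", unused_services(GRANTED_PRIVILEGES, OBSERVED_ACTIONS))
```

With the sample input, four granted actions are never used and two of the four referenced services (IAM and SQS) see no activity at all, which is the signal an auditor would act on first: a whole unused service is a cleaner removal than a single unused action. Observed actions that are not in the granted set (denied attempts, or actions granted by a different policy) are deliberately ignored by `unused_privileges`, since the record describes only the analyzed policy.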

Relationships

Permission Analysis Result shown in context

Inbound Relationships

These objects and events reference Permission Analysis Result in their attributes:

Outbound Relationships

Permission Analysis Result references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0