From 4f94c7ad9746817e98b42263ec64dea76d345a0c Mon Sep 17 00:00:00 2001
From: DENGXUELIN <37065511+DENGXUELIN@users.noreply.github.com>
Date: Tue, 9 Jun 2026 23:07:58 +0800
Subject: [PATCH] Improve access review effective expansion gates
---
 skills/identity/access-review/SKILL.md | 71 +++++++++-
 .../effective_access_expansion_complete.json | 110 ++++++++++++++++
 .../direct_grant_only_dynamic_group_gap.json | 124 ++++++++++++++++++
 3 files changed, 302 insertions(+), 3 deletions(-)
 create mode 100644 skills/identity/access-review/tests/benign/effective_access_expansion_complete.json
 create mode 100644 skills/identity/access-review/tests/vulnerable/direct_grant_only_dynamic_group_gap.json
diff --git a/skills/identity/access-review/SKILL.md b/skills/identity/access-review/SKILL.md
index 09309278..59f1bdc5 100644
--- a/skills/identity/access-review/SKILL.md
+++ b/skills/identity/access-review/SKILL.md
@@ -12,7 +12,7 @@ phase: [operate]
 frameworks: [CIS-Controls-v8, NIST-SP-800-53-AC]
 difficulty: intermediate
 time_estimate: "45-90min"
-version: "1.0.0"
+version: "1.0.1"
 author: unitoneai
 license: MIT
 allowed-tools: Read, Grep, Glob
@@ -159,6 +159,46 @@ AR-CERT-08: Delegated reviews without accountability (certifier delegates but is --- +### Step 2.5: Effective Access Expansion for Nested and Dynamic Groups + +**Objective:** Certify the access a user actually has, not only direct grants exported by the application. + +Direct entitlement exports are incomplete when access flows through IdP groups, nested groups, dynamic group rules, SCIM mappings, external IdP groups, app-local groups, or break-glass activation paths. Build an effective-access graph before certifiers approve or revoke access. + +**What to look for:** + +``` +AR-EFF-01: Certification packet lacks an effective-access path from user to entitlement +AR-EFF-02: Nested group expansion is missing, truncated, circular, or deeper than the documented review limit +AR-EFF-03: Dynamic group rule lacks owner, source attributes, rule expression, last evaluation time, and sample membership evidence +AR-EFF-04: SCIM or external IdP group mapping to application roles is not included in the review +AR-EFF-05: Attribute drift after certification can change dynamic group membership without recertification +AR-EFF-06: Guest, partner, or vendor users inherit access through an external group not visible to the certifier +AR-EFF-07: Break-glass or emergency groups are excluded from normal membership evidence without activation, owner, and alert evidence +AR-EFF-08: Missing expansion evidence is counted as approved instead of Not Evaluable +``` + +**Effective-access evidence fields:** + +| Field | Purpose | +|---|---| +| Subject | User, service account, guest, or external principal being reviewed | +| Direct grants | App-local roles, direct groups, direct IAM roles, or explicit assignments | +| Indirect paths | Nested groups, dynamic groups, SCIM mappings, external IdP groups, app groups, and break-glass paths | +| Rule evidence | Dynamic rule expression, owner, source HR/IdP attributes, last evaluation time, and sample membership | +| Mapping evidence 
| Upstream IdP group, SCIM connector, downstream application role, last sync, and owner | +| Cycle/depth result | Maximum nesting depth reviewed, circular path detection, and unresolved paths | +| Drift controls | Attribute-change trigger, delta review, certification freshness, and post-certification membership changes | +| Decision | Approve / Revoke / Modify / Not Evaluable with certifier and rationale | + +**Severity guidance:** + +- Mark as **High** when privileged, production, financial, or regulated access is certified from direct grants only while nested/dynamic/external paths can still grant the same role. +- Mark as **Medium** when expansion exists but dynamic rule freshness, SCIM sync time, group owner, or cycle/depth evidence is incomplete. +- Mark as `Not Evaluable` when effective-access paths cannot be expanded far enough to prove what the certifier approved. + +--- + ### Step 3: Orphaned Account Detection **Objective:** Identify accounts with no valid owner or business justification. 
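Review bot: AR-EFF-02 fails expansion that is `deeper than the documented review limit`, but Step 2.5 never says where that limit is documented, and the evidence table only records `Maximum nesting depth reviewed`, so two certifiers could apply different limits and both record a Pass. Add the declared limit to the evidence fields, e.g. `| Cycle/depth result | Declared maximum nesting depth for the campaign, depth actually reviewed, circular path detection, and unresolved paths |`, and state that a reviewed depth short of the declared limit is Not Evaluable rather than Pass. AR-EFF-06 is also scoped to `Guest, partner, or vendor users`, yet the vulnerable fixture added under tests/vulnerable in this commit applies it to a subject with `user_type` of employee whose access flows through a partner IdP group; either widen the gate to any principal inheriting through an external group not visible to the certifier, or the fixture's subject should match the gate. The severity guidance in this hunk also has no Critical tier even though the severity table at the bottom of the file reserves Critical for active unauthorized access in financial/production systems, which is exactly the case where a revoked direct grant still resolves to the same privileged role.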
@@ -303,8 +343,8 @@ AR-ENF-08: No metrics or reporting on review completion rates and outcomes | Severity | Definition | Examples | |---|---|---| | **Critical** | Immediate unauthorized access risk or active SoD violation in financial/production systems | Terminated employee with active admin access; SoD conflict on payment systems | -| **High** | Significant privilege excess or governance gap with exploitation potential | Orphaned service accounts with production access; no access review process exists | -| **Medium** | Governance deficiency increasing risk over time | Rubber-stamped certifications; role explosion; reviews not on cadence | +| **High** | Significant privilege excess or governance gap with exploitation potential | Orphaned service accounts with production access; no access review process exists; privileged access certified without effective-access expansion | +| **Medium** | Governance deficiency increasing risk over time | Rubber-stamped certifications; role explosion; reviews not on cadence; dynamic group rule freshness missing | | **Low** | Process improvement opportunity | Inconsistent role naming; documentation gaps; review SLA slightly exceeded | --- 
@@ -347,11 +387,31 @@ AR-ENF-08: No metrics or reporting on review completion rates and outcomes ### Findings by Category - Review Scope & Cadence (Step 1): [count] - Entitlement Certification (Step 2): [count] +- Effective Access Expansion (Step 2.5): [count] - Orphaned Accounts (Step 3): [count] - Role Explosion (Step 4): [count] - Segregation of Duties (Step 5): [count] - Enforcement & Evidence (Step 6): [count] +### Effective Access Expansion Matrix + +| Subject | Entitlement | Direct Grants | Indirect Paths | Rule / Mapping Evidence | Cycle / Depth Result | Drift Control | Decision | +|---|---|---|---|---|---|---|---| +| | | | | | | | | + +### Effective Access Gate Results + +| Gate | Evidence Reviewed | Status | Risk | +|---|---|---|---| +| `AR-EFF-01` | | | | +| `AR-EFF-02` | | | | +| `AR-EFF-03` | | | | +| `AR-EFF-04` | | | | +| `AR-EFF-05` | | | | +| `AR-EFF-06` | | | | +| `AR-EFF-07` | | | | +| `AR-EFF-08` | | | | + ### Detailed Findings [Findings table] @@ -401,6 +461,7 @@ See the mapping table in the Framework Quick Reference section above for sub-con 5. **Role explosion masking risk** — When roles proliferate, reviewers cannot meaningfully assess what permissions a role grants. Pair reviews with role rationalization. 6. **SoD analysis done manually** — Manual SoD checks do not scale and miss cross-system conflicts. Implement conflict rules in IGA tooling. 7. **Evidence not retained** — Reviews happen but evidence is not preserved for the audit window. Configure IGA tools to retain decisions and timestamps. +8. **Certifying direct grants only** — Nested groups, dynamic rules, SCIM mappings, and external IdP groups can preserve access after direct assignments are removed. Certify effective access paths, not just exported direct roles. --- 
@@ -422,6 +483,9 @@ This skill processes identity and entitlement data that may contain adversarial - NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations — AC family: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final - CIS Controls v8, Controls 5 and 6: https://www.cisecurity.org/controls/v8 - NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations: https://csrc.nist.gov/publications/detail/sp/800-162/final +- Microsoft Entra ID dynamic membership rules: https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership +- Okta group rules: https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-about-group-rules.htm +- SCIM protocol overview: https://scim.cloud/ - IGA Market Guide (Gartner) — for tooling context on access certification platforms - ISACA, Segregation of Duties in IT Environments: https://www.isaca.org @@ -443,4 +507,5 @@ This skill processes identity and entitlement data that may contain adversarial | Version | Date | Changes | |---|---|---| +| 1.0.1 | 2026-06-09 | Add effective-access expansion gates for nested groups, dynamic group rules, SCIM/external IdP mappings, cycle/depth checks, drift controls, and Not Evaluable handling. | | 1.0.0 | 2025-03-06 | Initial release | diff --git a/skills/identity/access-review/tests/benign/effective_access_expansion_complete.json b/skills/identity/access-review/tests/benign/effective_access_expansion_complete.json new file mode 100644 index 00000000..42fb913e --- /dev/null +++ b/skills/identity/access-review/tests/benign/effective_access_expansion_complete.json 
@@ -0,0 +1,110 @@
+{
+ "fixture": "effective_access_expansion_complete",
+ "skill": "access-review",
+ "description": "Benign fixture where a certification packet includes direct grants, nested and dynamic group paths, SCIM mapping, owner evidence, cycle checks, and drift controls before access is approved.",
+ "review_campaign": {
+ "name": "q2-finance-saas-admin-review",
+ "period": "2026-Q2",
+ "systems": [
+ "finance-saas"
+ ],
+ "certifier": "finance-it-owner"
+ },
+ "subject": {
+ "user": "alex.chen@example.com",
+ "employment_status": "active",
+ "department": "Finance",
+ "user_type": "employee"
+ },
+ "entitlement": {
+ "application": "finance-saas",
+ "role": "billing-admin",
+ "risk": "privileged-financial"
+ },
+ "direct_grants": [],
+ "effective_access_paths": [
+ {
+ "path": [
+ "Okta dynamic group: finance-active-users",
+ "Entra group: finance-billing-admins",
+ "SCIM mapping: finance-saas billing-admin"
+ ],
+ "dynamic_rule": "department == Finance and employment_status == active",
+ "rule_owner": "finance-it",
+ "source_attributes": [
+ "HRIS.department",
+ "HRIS.employment_status"
+ ],
+ "last_evaluated": "2026-06-01T10:00:00Z",
+ "sample_membership_observed": true,
+ "scim_last_sync": "2026-06-01T10:05:00Z",
+ "downstream_role_owner": "finance-platform",
+ "mapping_approved": true
+ }
+ ],
+ "cycle_and_depth": {
+ "max_depth_reviewed": 4,
+ "cycles_detected": false,
+ "truncated_paths": []
+ },
+ "drift_controls": {
+ "attribute_change_trigger": "HRIS delta triggers group reevaluation and access review exception queue",
+ "post_certification_change_review": "enabled",
+ "last_drift_test": "2026-05-28"
+ },
+ "break_glass": {
+ "groups_in_scope": [
+ "finance-breakglass-admins"
+ ],
+ "current_members": 0,
+ "activation_approval": "required",
+ "alerting": "enabled"
+ },
+ "expected_gate_results": [
+ {
+ "gate": "AR-EFF-01",
+ "status": "Pass",
+ "evidence": "Certification packet includes user-to-entitlement effective-access path."
+ },
+ {
+ "gate": "AR-EFF-02",
+ "status": "Pass",
+ "evidence": "Nested group expansion is complete to depth 4 with no cycles."
+ },
+ {
+ "gate": "AR-EFF-03",
+ "status": "Pass",
+ "evidence": "Dynamic group rule owner, attributes, expression, evaluation time, and sample membership are present."
+ },
+ {
+ "gate": "AR-EFF-04",
+ "status": "Pass",
+ "evidence": "SCIM mapping from upstream group to downstream role is included and current."
+ },
+ {
+ "gate": "AR-EFF-05",
+ "status": "Pass",
+ "evidence": "Attribute drift triggers reevaluation and exception review."
+ },
+ {
+ "gate": "AR-EFF-06",
+ "status": "Pass",
+ "evidence": "No external IdP group is hidden from the certifier."
+ },
+ {
+ "gate": "AR-EFF-07",
+ "status": "Pass",
+ "evidence": "Break-glass group is in scope with zero current members, approval, and alerting."
+ },
+ {
+ "gate": "AR-EFF-08",
+ "status": "Pass",
+ "evidence": "No missing expansion evidence is counted as approved."
+ }
+ ],
+ "expected_assessment": {
+ "overall_status": "Pass",
+ "risk_rating": "Low",
+ "confidence": "High"
+ }
+}
diff --git a/skills/identity/access-review/tests/vulnerable/direct_grant_only_dynamic_group_gap.json b/skills/identity/access-review/tests/vulnerable/direct_grant_only_dynamic_group_gap.json
new file mode 100644
index 00000000..3753d551
--- /dev/null
+++ b/skills/identity/access-review/tests/vulnerable/direct_grant_only_dynamic_group_gap.json
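Review bot: The `path` arrays in `effective_access_paths` (and `truncated_paths` in the vulnerable fixture under tests/vulnerable) carry the hop type, identity provider and group name inside free-text strings such as `"Okta dynamic group: finance-active-users"`, so nothing consuming these fixtures can derive depth, detect the recorded cycle, or join a hop to its `rule_owner` and `scim_last_sync` without parsing prose. Each hop should be an object with an explicit discriminator, as in the constructed shape below, so that `max_depth_reviewed` and `cycles_detected` can be checked against the path instead of being asserted beside it. Two smaller consistency points: `last_drift_test` is a bare date while every other timestamp in the file is RFC 3339 with a `Z` suffix, and the fixture records no certifier decision for the effective path even though Step 2.5 lists `Decision` as an evidence field, so AR-EFF-01 and AR-EFF-08 pass without showing what was approved. The key names in the example are a proposed shape, not ones the skill currently defines.
```json
"path": [
  { "type": "dynamic_group", "provider": "okta", "name": "finance-active-users" },
  { "type": "group", "provider": "entra", "name": "finance-billing-admins" },
  { "type": "scim_mapping", "provider": "finance-saas", "name": "billing-admin" }
],
```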
@@ -0,0 +1,124 @@
+{
+ "fixture": "direct_grant_only_dynamic_group_gap",
+ "skill": "access-review",
+ "description": "Vulnerable fixture where a review revokes direct admin access but misses nested and dynamic group paths that still grant the same SaaS administrator role.",
+ "review_campaign": {
+ "name": "q2-finance-saas-admin-review",
+ "period": "2026-Q2",
+ "systems": [
+ "finance-saas"
+ ],
+ "certifier": "line-manager-only"
+ },
+ "subject": {
+ "user": "pat.rivera@example.com",
+ "employment_status": "transferred",
+ "department": "Marketing",
+ "user_type": "employee"
+ },
+ "entitlement": {
+ "application": "finance-saas",
+ "role": "billing-admin",
+ "risk": "privileged-financial"
+ },
+ "direct_grants": [
+ {
+ "role": "billing-admin",
+ "decision": "revoke",
+ "enforced": true
+ }
+ ],
+ "missed_effective_access_paths": [
+ {
+ "path": [
+ "Okta dynamic group: finance-active-users",
+ "Entra nested group: legacy-finance-admins",
+ "SCIM mapping: finance-saas billing-admin"
+ ],
+ "dynamic_rule": "department was Finance at last sync",
+ "rule_owner": "unknown",
+ "source_attributes": [
+ "stale HRIS.department"
+ ],
+ "last_evaluated": "unknown",
+ "sample_membership_observed": false,
+ "scim_last_sync": "unknown",
+ "downstream_role_owner": "unknown"
+ },
+ {
+ "path": [
+ "partner IdP group: finance-contractors",
+ "Entra group: external-finance-admins",
+ "finance-saas billing-admin"
+ ],
+ "external_idp_visible_to_certifier": false,
+ "mapping_approved": "unknown"
+ }
+ ],
+ "cycle_and_depth": {
+ "max_depth_reviewed": 1,
+ "cycles_detected": "not-tested",
+ "truncated_paths": [
+ "legacy-finance-admins -> finance-active-users -> legacy-finance-admins"
+ ]
+ },
+ "drift_controls": {
+ "attribute_change_trigger": "missing",
+ "post_certification_change_review": "missing",
+ "last_drift_test": "missing"
+ },
+ "break_glass": {
+ "groups_in_scope": [],
+ "current_members": "unknown",
+ "activation_approval": "unknown",
+ "alerting": "unknown"
+ },
+ "expected_gate_results": [
+ {
+ "gate": "AR-EFF-01",
+ "status": "Fail",
+ "evidence": "Certification packet only reviewed direct grant revocation and did not build user-to-entitlement paths."
+ },
+ {
+ "gate": "AR-EFF-02",
+ "status": "Fail",
+ "evidence": "Nested expansion is truncated at depth 1 and cycle detection was not tested."
+ },
+ {
+ "gate": "AR-EFF-03",
+ "status": "Fail",
+ "evidence": "Dynamic group rule owner, last evaluation time, and sample membership are missing."
+ },
+ {
+ "gate": "AR-EFF-04",
+ "status": "Fail",
+ "evidence": "SCIM and external IdP mappings to the SaaS role are not included."
+ },
+ {
+ "gate": "AR-EFF-05",
+ "status": "Fail",
+ "evidence": "HR attribute drift after department transfer does not trigger recertification."
+ },
+ {
+ "gate": "AR-EFF-06",
+ "status": "Fail",
+ "evidence": "Partner IdP group can grant access but is not visible to the certifier."
+ },
+ {
+ "gate": "AR-EFF-07",
+ "status": "Not Evaluable",
+ "evidence": "Break-glass group membership, approval, and alerting are unknown."
+ },
+ {
+ "gate": "AR-EFF-08",
+ "status": "Fail",
+ "evidence": "Missing expansion evidence was counted as approved after direct grant revocation."
+ }
+ ],
+ "expected_assessment": {
+ "overall_status": "Fail",
+ "risk_rating": "High",
+ "confidence": "Low",
+ "finding": "Direct grant revocation does not remove effective billing-admin access through dynamic, nested, SCIM, and external IdP paths."
+ }
+}
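Review bot: Several keys change JSON type between this fixture and the benign one under tests/benign: `cycles_detected` is `false` there and `"not-tested"` here, `current_members` is `0` there and `"unknown"` here, and `mapping_approved`, `last_evaluated` and `scim_last_sync` move from boolean or RFC 3339 values to the string `"unknown"`, so any validator or evaluator written against the benign shape needs per-key type unions to read this one. Keep each key to a single type and carry the evidence gap separately, e.g. `"cycles_detected": null,` alongside `"cycles_detected_evidence": "not-tested",`, or use `null` for every unknown value and let the `expected_gate_results` evidence strings explain why. Separately, `truncated_paths` already records the loop `legacy-finance-admins -> finance-active-users -> legacy-finance-admins`, which appears to contradict `"cycles_detected": "not-tested"` and is stronger evidence than the AR-EFF-02 string "cycle detection was not tested"; that evidence string should cite the recorded loop, since an unresolved circular path is exactly what AR-EFF-02 is meant to catch.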