Class: AccessAnalysisResult
The Access Analysis Result object describes access relationships and pathways
between identities and resources, focusing on who can access what and through
which mechanisms. It evaluates access levels (read/write/admin), access types
(direct, cross-account, public, federated), and the conditions under which
access is granted. Use it for resource-centric security assessments such as
external access discovery and public exposure analysis.
URI: ocsf:AccessAnalysisResult
```mermaid
classDiagram
    class AccessAnalysisResult
    click AccessAnalysisResult href "../AccessAnalysisResult/"
    Object <|-- AccessAnalysisResult
    click Object href "../Object/"
    AccessAnalysisResult : access_level
    AccessAnalysisResult : access_type
    AccessAnalysisResult : accessors
    AccessAnalysisResult --> "1..*" User : accessors
    click User href "../User/"
    AccessAnalysisResult : additional_restrictions
    AccessAnalysisResult --> "*" AdditionalRestriction : additional_restrictions
    click AdditionalRestriction href "../AdditionalRestriction/"
    AccessAnalysisResult : condition_keys
    AccessAnalysisResult --> "*" KeyValueObject : condition_keys
    click KeyValueObject href "../KeyValueObject/"
    AccessAnalysisResult : granted_privileges
```
Inheritance
- OcsfObject
  - Object
    - AccessAnalysisResult
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| access_level | 0..1 recommended String | The generalized access level or permission scope granted to the identity through the analyzed policy configuration | direct |
| access_type | 0..1 String | The type or category of access being granted to the identity | direct |
| accessors | 1..* User | The identities that are granted access through the analyzed policy configuration | direct |
| additional_restrictions | * AdditionalRestriction | Details about supplementary restrictions and guardrails that may limit the granted access | direct |
| condition_keys | * KeyValueObject | The condition keys and their values that constrain when and how the granted access can be exercised | direct |
| granted_privileges | * String | The specific privileges, actions, or permissions that are granted through the analyzed access relationship | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| IamAnalysisFinding | access_analysis_result | range | AccessAnalysisResult |
In Subsets
- objects_subset
Aliases
- Access Analysis Result
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:AccessAnalysisResult |
| native | ocsf:AccessAnalysisResult |
LinkML Source
Direct
```yaml
name: AccessAnalysisResult
description: 'The Access Analysis Result object describes access relationships and
  pathways between identities, resources, focusing on who can access what and
  through which mechanisms. This evaluates access levels (read/write/admin), access
  types (direct, cross-account, public, federated), and the conditions under which
  access is granted. Use this for resource-centric security assessments such as
  external access discovery, public exposure analysis, etc.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Access Analysis Result
is_a: Object
slots:
- access_level
- access_type
- accessors
- additional_restrictions
- condition_keys
- granted_privileges
slot_usage:
  access_level:
    name: access_level
    description: 'The generalized access level or permission scope granted to the
      identity through the analyzed policy configuration. Common examples include
      Read, Write, List, Delete, Admin, or custom permission levels.'
    recommended: true
  access_type:
    name: access_type
    description: 'The type or category of access being granted to the identity. This
      describes the nature of the access relationship, such as cross-account access,
      public access, federated access, or third-party integration access. Examples
      include ''Cross-Account'', ''Public'', ''Federated'', ''Service-to-Service'', etc.'
  accessors:
    name: accessors
    description: 'The identities that are granted access through the analyzed policy
      configuration. This identifies the specific entity that can exercise the
      permissions and helps assess the access relationship and potential security
      implications. Examples include user accounts, service principals, roles,
      account identifiers, or system identities.'
    required: true
  additional_restrictions:
    name: additional_restrictions
    description: 'Details about supplementary restrictions and guardrails that may
      limit the granted access, applied through additional policy types such as
      Resource Control Policies (RCPs) and Service Control Policies (SCPs) in AWS,
      or other policy constraints.'
  condition_keys:
    name: condition_keys
    description: 'The condition keys and their values that constrain when and how
      the granted access can be exercised. These conditions define the circumstances
      under which the access relationship is valid and the privileges can be used.
      Examples: IP address restrictions like ''aws:SourceIp:192.0.2.0/24'',
      time-based constraints like ''aws:RequestedRegion:us-east-1'', MFA
      requirements like ''aws:MultiFactorAuthPresent:true'', or custom conditions
      based on resource tags and request context.'
  granted_privileges:
    name: granted_privileges
    description: 'The specific privileges, actions, or permissions that are granted
      through the analyzed access relationship. This includes the actual operations
      that the accessor can perform on the target resource. Examples: AWS actions
      like ''sts:AssumeRole'', ''s3:GetObject'', ''ec2:DescribeInstances''; Azure
      actions like ''Microsoft.Storage/storageAccounts/read''; or GCP permissions
      like ''storage.objects.get''.'
```
Induced
```yaml
name: AccessAnalysisResult
description: 'The Access Analysis Result object describes access relationships and
  pathways between identities, resources, focusing on who can access what and
  through which mechanisms. This evaluates access levels (read/write/admin), access
  types (direct, cross-account, public, federated), and the conditions under which
  access is granted. Use this for resource-centric security assessments such as
  external access discovery, public exposure analysis, etc.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Access Analysis Result
is_a: Object
slot_usage:
  access_level:
    name: access_level
    description: 'The generalized access level or permission scope granted to the
      identity through the analyzed policy configuration. Common examples include
      Read, Write, List, Delete, Admin, or custom permission levels.'
    recommended: true
  access_type:
    name: access_type
    description: 'The type or category of access being granted to the identity. This
      describes the nature of the access relationship, such as cross-account access,
      public access, federated access, or third-party integration access. Examples
      include ''Cross-Account'', ''Public'', ''Federated'', ''Service-to-Service'', etc.'
  accessors:
    name: accessors
    description: 'The identities that are granted access through the analyzed policy
      configuration. This identifies the specific entity that can exercise the
      permissions and helps assess the access relationship and potential security
      implications. Examples include user accounts, service principals, roles,
      account identifiers, or system identities.'
    required: true
  additional_restrictions:
    name: additional_restrictions
    description: 'Details about supplementary restrictions and guardrails that may
      limit the granted access, applied through additional policy types such as
      Resource Control Policies (RCPs) and Service Control Policies (SCPs) in AWS,
      or other policy constraints.'
  condition_keys:
    name: condition_keys
    description: 'The condition keys and their values that constrain when and how
      the granted access can be exercised. These conditions define the circumstances
      under which the access relationship is valid and the privileges can be used.
      Examples: IP address restrictions like ''aws:SourceIp:192.0.2.0/24'',
      time-based constraints like ''aws:RequestedRegion:us-east-1'', MFA
      requirements like ''aws:MultiFactorAuthPresent:true'', or custom conditions
      based on resource tags and request context.'
  granted_privileges:
    name: granted_privileges
    description: 'The specific privileges, actions, or permissions that are granted
      through the analyzed access relationship. This includes the actual operations
      that the accessor can perform on the target resource. Examples: AWS actions
      like ''sts:AssumeRole'', ''s3:GetObject'', ''ec2:DescribeInstances''; Azure
      actions like ''Microsoft.Storage/storageAccounts/read''; or GCP permissions
      like ''storage.objects.get''.'
attributes:
  access_level:
    name: access_level
    description: 'The generalized access level or permission scope granted to the
      identity through the analyzed policy configuration. Common examples include
      Read, Write, List, Delete, Admin, or custom permission levels.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Access Level
    rank: 1000
    alias: access_level
    owner: AccessAnalysisResult
    domain_of:
    - AccessAnalysisResult
    range: string
    recommended: true
  access_type:
    name: access_type
    description: 'The type or category of access being granted to the identity. This
      describes the nature of the access relationship, such as cross-account access,
      public access, federated access, or third-party integration access. Examples
      include ''Cross-Account'', ''Public'', ''Federated'', ''Service-to-Service'', etc.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Access Type
    rank: 1000
    alias: access_type
    owner: AccessAnalysisResult
    domain_of:
    - AccessAnalysisResult
    range: string
  accessors:
    name: accessors
    description: 'The identities that are granted access through the analyzed policy
      configuration. This identifies the specific entity that can exercise the
      permissions and helps assess the access relationship and potential security
      implications. Examples include user accounts, service principals, roles,
      account identifiers, or system identities.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Accessors
    rank: 1000
    alias: accessors
    owner: AccessAnalysisResult
    domain_of:
    - AccessAnalysisResult
    range: User
    required: true
    multivalued: true
  additional_restrictions:
    name: additional_restrictions
    description: 'Details about supplementary restrictions and guardrails that may
      limit the granted access, applied through additional policy types such as
      Resource Control Policies (RCPs) and Service Control Policies (SCPs) in AWS,
      or other policy constraints.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Additional Restrictions
    rank: 1000
    alias: additional_restrictions
    owner: AccessAnalysisResult
    domain_of:
    - AccessAnalysisResult
    range: AdditionalRestriction
    multivalued: true
  condition_keys:
    name: condition_keys
    description: 'The condition keys and their values that constrain when and how
      the granted access can be exercised. These conditions define the circumstances
      under which the access relationship is valid and the privileges can be used.
      Examples: IP address restrictions like ''aws:SourceIp:192.0.2.0/24'',
      time-based constraints like ''aws:RequestedRegion:us-east-1'', MFA
      requirements like ''aws:MultiFactorAuthPresent:true'', or custom conditions
      based on resource tags and request context.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Condition Keys
    rank: 1000
    alias: condition_keys
    owner: AccessAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    - AccessAnalysisResult
    range: KeyValueObject
    multivalued: true
  granted_privileges:
    name: granted_privileges
    description: 'The specific privileges, actions, or permissions that are granted
      through the analyzed access relationship. This includes the actual operations
      that the accessor can perform on the target resource. Examples: AWS actions
      like ''sts:AssumeRole'', ''s3:GetObject'', ''ec2:DescribeInstances''; Azure
      actions like ''Microsoft.Storage/storageAccounts/read''; or GCP permissions
      like ''storage.objects.get''.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Granted Privileges
    rank: 1000
    alias: granted_privileges
    owner: AccessAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    - AccessAnalysisResult
    range: string
    multivalued: true
```