# Class: PermissionAnalysisResult

The Permission Analysis object describes analysis results of permissions,
policies directly associated with an identity (user, role, or service account).
This evaluates what permissions an identity has been granted through attached
policies, which privileges are actively used versus unused, and identifies
potential over-privileged access. Use this for identity-centric security
assessments such as privilege audits, dormant permission discovery, and
least-privilege compliance analysis.

URI: ocsf:PermissionAnalysisResult

```mermaid
classDiagram
    class PermissionAnalysisResult
    click PermissionAnalysisResult href "../PermissionAnalysisResult/"
    Object <|-- PermissionAnalysisResult
    click Object href "../Object/"
    PermissionAnalysisResult : analyzed_privileges_count
    PermissionAnalysisResult : condition_keys
    PermissionAnalysisResult --> "*" KeyValueObject : condition_keys
    click KeyValueObject href "../KeyValueObject/"
    PermissionAnalysisResult : granted_privileges
    PermissionAnalysisResult : policy
    PermissionAnalysisResult --> "0..1 _recommended_" Policy : policy
    click Policy href "../Policy/"
    PermissionAnalysisResult : service_privilege_analysis_list
    PermissionAnalysisResult --> "*" ServicePrivilegeAnalysis : service_privilege_analysis_list
    click ServicePrivilegeAnalysis href "../ServicePrivilegeAnalysis/"
    PermissionAnalysisResult : total_potential_attacks_count
    PermissionAnalysisResult : unused_privileges_count
    PermissionAnalysisResult : unused_services_count
```
## Inheritance

- OcsfObject
- Object
- PermissionAnalysisResult
- Object
## Slots

| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| analyzed_privileges_count | 0..1 Integer | The total count of privileges that were analyzed across all services | direct |
| condition_keys | * KeyValueObject | The condition keys and their values that were evaluated during policy analysi... | direct |
| granted_privileges | * String | The specific privileges, actions, or permissions that are explicitly granted ... | direct |
| policy | 0..1 recommended Policy | Detailed information about the policy document that was analyzed, including | direct |
| service_privilege_analysis_list | * ServicePrivilegeAnalysis | The list of privilege analysis results grouped by cloud service or namespace | direct |
| total_potential_attacks_count | 0..1 Integer | The total count of privilege-to-attack technique mappings identified across a... | direct |
| unused_privileges_count | 0..1 Integer | The total count of privileges or actions defined in the policy that have not | direct |
| unused_services_count | 0..1 Integer | The total count of cloud services or resource types referenced in the policy | direct |
## Usages

| used by | used in | type | used |
|---|---|---|---|
| IamAnalysisFinding | permission_analysis_results | range | PermissionAnalysisResult |

## In Subsets

- objects_subset

## Aliases

- Permission Analysis Result

## Identifier and Mapping Information

### Schema Source

- from schema: https://w3id.org/lmodel/ocsf

## Mappings

| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:PermissionAnalysisResult |
| native | ocsf:PermissionAnalysisResult |

## LinkML Source
### Direct

```yaml
name: PermissionAnalysisResult
description: 'The Permission Analysis object describes analysis results of permissions,
  policies directly associated with an identity (user, role, or service account).
  This evaluates what permissions an identity has been granted through attached
  policies, which privileges are actively used versus unused, and identifies
  potential over-privileged access. Use this for identity-centric security
  assessments such as privilege audits, dormant permission discovery, and
  least-privilege compliance analysis.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Permission Analysis Result
is_a: Object
slots:
- analyzed_privileges_count
- condition_keys
- granted_privileges
- policy
- service_privilege_analysis_list
- total_potential_attacks_count
- unused_privileges_count
- unused_services_count
slot_usage:
  analyzed_privileges_count:
    name: analyzed_privileges_count
    description: The total count of privileges that were analyzed across all services.
  condition_keys:
    name: condition_keys
    description: 'The condition keys and their values that were evaluated during policy
      analysis,
      including contextual constraints that affect permission grants. These
      conditions define when and how permissions are applied. Examples:
      <code>aws:SourceIp:1.2.3.4</code>, <code>aws:RequestedRegion:us-east-1</code>.'
  granted_privileges:
    name: granted_privileges
    description: 'The specific privileges, actions, or permissions that are explicitly
      granted by
      the analyzed policy. Examples: AWS actions like <code>s3:GetObject</code>,
      <code>ec2:RunInstances</code>, <code>iam:CreateUser</code>; Azure actions like
      <code>Microsoft.Storage/storageAccounts/read</code>; or GCP permissions like
      <code>storage.objects.get</code>.'
  policy:
    name: policy
    description: 'Detailed information about the policy document that was analyzed,
      including
      policy metadata, version, type (identity-based, resource-based, etc.), and
      structural details. This provides context for understanding the scope and
      nature of the permission analysis.'
    recommended: true
  service_privilege_analysis_list:
    name: service_privilege_analysis_list
    description: The list of privilege analysis results grouped by cloud service or
      namespace.
  total_potential_attacks_count:
    name: total_potential_attacks_count
    description: 'The total count of privilege-to-attack technique mappings identified
      across all
      analyzed privileges.'
  unused_privileges_count:
    name: unused_privileges_count
    description: 'The total count of privileges or actions defined in the policy that
      have not
      been utilized within the analysis timeframe. This metric helps identify
      over-privileged access and opportunities for privilege reduction to follow the
      principle of least privilege. High counts may indicate policy bloat or
      excessive permissions.'
  unused_services_count:
    name: unused_services_count
    description: 'The total count of cloud services or resource types referenced in
      the policy
      that have not been accessed or utilized within the analysis timeframe. This
      helps identify unused service permissions that could be removed to reduce
      attack surface. Examples: AWS services like S3, SQS, IAM, Lambda; Azure
      services like Storage, Compute, KeyVault; or GCP services like Cloud Storage,
      Compute Engine, BigQuery.'
```
### Induced

```yaml
name: PermissionAnalysisResult
description: 'The Permission Analysis object describes analysis results of permissions,
  policies directly associated with an identity (user, role, or service account).
  This evaluates what permissions an identity has been granted through attached
  policies, which privileges are actively used versus unused, and identifies
  potential over-privileged access. Use this for identity-centric security
  assessments such as privilege audits, dormant permission discovery, and
  least-privilege compliance analysis.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Permission Analysis Result
is_a: Object
slot_usage:
  analyzed_privileges_count:
    name: analyzed_privileges_count
    description: The total count of privileges that were analyzed across all services.
  condition_keys:
    name: condition_keys
    description: 'The condition keys and their values that were evaluated during policy
      analysis,
      including contextual constraints that affect permission grants. These
      conditions define when and how permissions are applied. Examples:
      <code>aws:SourceIp:1.2.3.4</code>, <code>aws:RequestedRegion:us-east-1</code>.'
  granted_privileges:
    name: granted_privileges
    description: 'The specific privileges, actions, or permissions that are explicitly
      granted by
      the analyzed policy. Examples: AWS actions like <code>s3:GetObject</code>,
      <code>ec2:RunInstances</code>, <code>iam:CreateUser</code>; Azure actions like
      <code>Microsoft.Storage/storageAccounts/read</code>; or GCP permissions like
      <code>storage.objects.get</code>.'
  policy:
    name: policy
    description: 'Detailed information about the policy document that was analyzed,
      including
      policy metadata, version, type (identity-based, resource-based, etc.), and
      structural details. This provides context for understanding the scope and
      nature of the permission analysis.'
    recommended: true
  service_privilege_analysis_list:
    name: service_privilege_analysis_list
    description: The list of privilege analysis results grouped by cloud service or
      namespace.
  total_potential_attacks_count:
    name: total_potential_attacks_count
    description: 'The total count of privilege-to-attack technique mappings identified
      across all
      analyzed privileges.'
  unused_privileges_count:
    name: unused_privileges_count
    description: 'The total count of privileges or actions defined in the policy that
      have not
      been utilized within the analysis timeframe. This metric helps identify
      over-privileged access and opportunities for privilege reduction to follow the
      principle of least privilege. High counts may indicate policy bloat or
      excessive permissions.'
  unused_services_count:
    name: unused_services_count
    description: 'The total count of cloud services or resource types referenced in
      the policy
      that have not been accessed or utilized within the analysis timeframe. This
      helps identify unused service permissions that could be removed to reduce
      attack surface. Examples: AWS services like S3, SQS, IAM, Lambda; Azure
      services like Storage, Compute, KeyVault; or GCP services like Cloud Storage,
      Compute Engine, BigQuery.'
attributes:
  analyzed_privileges_count:
    name: analyzed_privileges_count
    description: The total count of privileges that were analyzed across all services.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Analyzed Privileges Count
    rank: 1000
    alias: analyzed_privileges_count
    owner: PermissionAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    - ServicePrivilegeAnalysis
    range: integer
  condition_keys:
    name: condition_keys
    description: 'The condition keys and their values that were evaluated during policy
      analysis,
      including contextual constraints that affect permission grants. These
      conditions define when and how permissions are applied. Examples:
      <code>aws:SourceIp:1.2.3.4</code>, <code>aws:RequestedRegion:us-east-1</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Condition Keys
    rank: 1000
    alias: condition_keys
    owner: PermissionAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    - AccessAnalysisResult
    range: KeyValueObject
    multivalued: true
  granted_privileges:
    name: granted_privileges
    description: 'The specific privileges, actions, or permissions that are explicitly
      granted by
      the analyzed policy. Examples: AWS actions like <code>s3:GetObject</code>,
      <code>ec2:RunInstances</code>, <code>iam:CreateUser</code>; Azure actions like
      <code>Microsoft.Storage/storageAccounts/read</code>; or GCP permissions like
      <code>storage.objects.get</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Granted Privileges
    rank: 1000
    alias: granted_privileges
    owner: PermissionAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    - AccessAnalysisResult
    range: string
    multivalued: true
  policy:
    name: policy
    description: 'Detailed information about the policy document that was analyzed,
      including
      policy metadata, version, type (identity-based, resource-based, etc.), and
      structural details. This provides context for understanding the scope and
      nature of the permission analysis.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Policy
    rank: 1000
    alias: policy
    owner: PermissionAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    - AdditionalRestriction
    - Assessment
    - Authorization
    - DataClassification
    - DataSecurity
    - ManagedEntity
    - SecurityControlProfile
    - ScanActivity
    - AccountChange
    range: Policy
    recommended: true
  service_privilege_analysis_list:
    name: service_privilege_analysis_list
    description: The list of privilege analysis results grouped by cloud service or
      namespace.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service Privilege Analysis List
    rank: 1000
    alias: service_privilege_analysis_list
    owner: PermissionAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    range: ServicePrivilegeAnalysis
    multivalued: true
  total_potential_attacks_count:
    name: total_potential_attacks_count
    description: 'The total count of privilege-to-attack technique mappings identified
      across all
      analyzed privileges.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Total Potential Attacks Count
    rank: 1000
    alias: total_potential_attacks_count
    owner: PermissionAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    range: integer
  unused_privileges_count:
    name: unused_privileges_count
    description: 'The total count of privileges or actions defined in the policy that
      have not
      been utilized within the analysis timeframe. This metric helps identify
      over-privileged access and opportunities for privilege reduction to follow the
      principle of least privilege. High counts may indicate policy bloat or
      excessive permissions.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unused Privileges Count
    rank: 1000
    alias: unused_privileges_count
    owner: PermissionAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    - ServicePrivilegeAnalysis
    range: integer
  unused_services_count:
    name: unused_services_count
    description: 'The total count of cloud services or resource types referenced in
      the policy
      that have not been accessed or utilized within the analysis timeframe. This
      helps identify unused service permissions that could be removed to reduce
      attack surface. Examples: AWS services like S3, SQS, IAM, Lambda; Azure
      services like Storage, Compute, KeyVault; or GCP services like Cloud Storage,
      Compute Engine, BigQuery.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unused Services Count
    rank: 1000
    alias: unused_services_count
    owner: PermissionAnalysisResult
    domain_of:
    - PermissionAnalysisResult
    range: integer
```