turbot/steampipe-mod-azure-compliance

Query: iam_user_access_administrator_role_restricted

Usage

powerpipe query azure_compliance.query.iam_user_access_administrator_role_restricted

SQL

-- Role definitions named 'User Access Administrator'.
with user_access_admin_role as (
  select
    id,
    role_name,
    subscription_id
  from
    azure_role_definition
  where
    role_name = 'User Access Administrator'
)
-- One row per role assignment that references one of those definitions.
select
  ra.id as resource,
  case
    when r.role_name is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when r.role_name is not null then ra.subscription_id || ' has User Access Administrator role assigned at scope ' || ra.scope
    else 'No User Access Administrator role assignments found.'
  end as reason,
  sub.display_name as subscription
from
  azure_role_assignment ra
  left join user_access_admin_role r on ra.role_definition_id = r.id
  left join azure_subscription sub on sub.subscription_id = ra.subscription_id
where
  -- This filter keeps only assignments that matched the role, so every
  -- returned row is an 'alarm' and the 'ok' branches above are never reached.
  r.role_name is not null;

Controls

The query is being used by the following controls: