turbot/steampipe-mod-googleworkspace-compliance

Query: directory_user_is_delegated_admin

Usage

powerpipe query googleworkspace_compliance.query.directory_user_is_delegated_admin

Steampipe Tables

SQL

with dual_role_admins as (
select
primary_email,
full_name,
id
from
googledirectory_user
where
is_admin = true
and is_delegated_admin = true
),
summary as (
select
count(*) as dual_role_count
from
dual_role_admins
)
select
'organization' as resource,
case
when dual_role_count = 0 then 'ok'
else 'alarm'
end as status,
case
when dual_role_count = 0 then 'All super admin accounts are dedicated (no dual admin roles).'
else 'Found ' || dual_role_count || ' super admin account(s) that also have delegated admin roles.'
end as reason
from
summary;

Controls

The query is being used by the following controls: