Policy: Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.03 - Ensure that use of the 'User Access Administrator' role is restricted

Configures auditing against a CIS Benchmark item.

Level: 1

The User Access Administrator role allows users to manage user access to Azure resources. This role should be restricted to only those users who require it, as it grants significant permissions including the ability to assign roles to users, groups, and service principals.

Targets

This policy targets the following resource types:

Azure > IAM > Role Assignment

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews

Controls

Setting this policy configures this control:

Azure > CIS v5.0 > 5 - Identity Services > 5.03 - Periodic Identity Reviews > 5.03.03 - Ensure that use of the 'User Access Administrator' role is restricted

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v5.0 > 05 - Identity Services`
Valid Values [YAML]	`Per Azure > CIS v5.0 > 05 - Identity Services` `Skip` `Check: Benchmark`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/azure-cisv5-0#/policy/types/r050303

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv5-0#/policy/types/r050303") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/r050303'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv5-0#/policy/types/r050303'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv5-0#/policy/types/r050303"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv5-0#/policy/types/r050303"