Privilege Assignment Monitoring (Role Grant Alerting)
Description
Continuously monitor the effective set of users holding high-privilege application roles and alert when new grants are detected that do not correspond to an approved change management ticket. A scheduled job or event-driven trigger enumerates users who hold sensitive roles (realm-admin, cluster-admin, org-owner, or equivalent), compares the current membership against a known-good baseline or an allowlist maintained in a change management system, and raises an alert for any additions. Because it monitors the outcome (a new high-privilege user) rather than the mechanism, the control detects privilege escalation after the fact even when the escalation bypasses normal authorization checks. It complements preventive RBAC controls by providing a safety net when the authorization enforcement itself is the vulnerable component; for that safety net to hold, the baseline and allowlist must be kept outside the monitored system, so that the same escalation cannot also silently update them.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | Compensating control: unauthorized privilege grants are detected by outcome monitoring regardless of the escalation mechanism, forcing the attacker to also evade the membership audit or accept detection within the monitoring interval. |
| Confidentiality (C) | H → L | The window during which the attacker holds escalated privileges — and can access confidential resources — is bounded by the monitoring interval; detection triggers revocation of the unauthorized grant. |
CWE Relationships
Verification
Verify that a scheduled job or event-driven monitor tracks high-privilege role membership and alerts on unauthorized additions. Grant a test user a high-privilege role and confirm an alert fires within the expected interval.
# Expected: Lists all users with realm-admin role; compare against approved baseline
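The comparison step from the Description and the check from Verification, as an added example that is not part of the original entry. It assumes the monitor job has already enumerated role membership into a dict; the membership, baseline and ticket data below are constructed sample values, not from any real deployment, and the approval-expiry handling is an assumption about how the change management export looks.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: effective membership of sensitive roles as the
# scheduled job enumerated it on this run (role -> set of user names).
CURRENT_MEMBERSHIP = {
    "realm-admin": {"alice", "bob", "svc-backup", "eve"},
    "cluster-admin": {"carol", "mallory"},
}

# Constructed sample: known-good baseline captured at the last approved review.
BASELINE = {
    "realm-admin": {"alice", "bob"},
    "cluster-admin": {"carol"},
}

# Constructed sample export from the change management system:
# (user, role, ticket id, approval expiry as ISO-8601 UTC). Ticket ids are
# placeholders. The second entry has already expired.
APPROVED_GRANTS = [
    ("svc-backup", "realm-admin", "CHG-PLACEHOLDER-1", "2030-01-01T00:00:00+00:00"),
    ("mallory", "cluster-admin", "CHG-PLACEHOLDER-2", "2020-01-01T00:00:00+00:00"),
]

# Fixed reference time so the run is reproducible; a live job would use now().
REFERENCE_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Alert:
    user: str
    role: str
    reason: str


def find_unauthorized_grants(current, baseline, approved, now=None):
    """Alert on every member present now, absent from the baseline, and not
    covered by a currently valid approved change ticket for that exact role."""
    now = now or datetime.now(timezone.utc)
    index = {(u, r): (t, datetime.fromisoformat(exp)) for u, r, t, exp in approved}
    alerts = []
    for role, members in sorted(current.items()):
        for user in sorted(members - baseline.get(role, set())):
            ticket = index.get((user, role))
            if ticket is None:
                alerts.append(Alert(user, role, "no approved change ticket"))
            elif ticket[1] < now:
                alerts.append(Alert(user, role, f"approval {ticket[0]} expired"))
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized_grants(CURRENT_MEMBERSHIP, BASELINE, APPROVED_GRANTS, REFERENCE_TIME):
        print(f"ALERT: {a.user} holds {a.role}: {a.reason}")
```

Removals from the baseline are deliberately not alerted here; a job that also wants to catch unexpected revocations would diff in the other direction as well.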