AuthRoleAssignment


Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the information below, we strongly suggest you use one of these tools to test your queries: they autocomplete fields for you and tell you whether a query is valid before you submit it.

Overview

You can currently query the following attributes on an Authorization Role Assignment:

GraphQL
query {
  queryazureAuthRoleAssignment{
    id
    name
    type
    region
    subscriptionId
    scope
    roleDefinitionId
    principalId
    principalType
    canDelegate
    applications {
      id
      # Other fields and connections here...
    }
    groups {
      id
      # Other fields and connections here...
    }
    roleDefinition {
      id
      # Other fields and connections here...
    }
    servicePrincipals {
      id
      # Other fields and connections here...
    }
    users {
      id
      # Other fields and connections here...
    }
  }
}


Filtering

Get data for a single Authorization Role Assignment whose ID you know:

GraphQL
query {
  getazureAuthRoleAssignment(id: "12345") {
    id
    # Other fields here...
  }
}


Get data for all of the Authorization Role Assignments in a certain Azure subscription:

GraphQL
query {
  queryazureAuthRoleAssignment(filter: { subscriptionId: { eq: "12345" } }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "subscriptionId" you can
# filter based on any of the following attributes:

# id
# name
# type
# region
# subscriptionId
# scope
# roleDefinitionId
# principalId
# principalType
# canDelegate

# And the following Dgraph filters can also be applied:

# has
# and
# or
# not
# regexp (regular expressions)

# fulltext filters

# alloftext
# anyoftext


Get data for all of the Authorization Role Assignments that are NOT in a certain Azure subscription:

GraphQL
query {
  queryazureAuthRoleAssignment(filter: { not: { subscriptionId: { eq: "12345" } } }) {
    id
    # Other fields and connections here...
  }
}


Advanced Filtering

Get data for all of the Authorization Role Assignments that are connected to an application:

GraphQL
query {
  queryazureAuthRoleAssignment(filter: { has: applications } ) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "applications" you can filter
# using "has" based on any of the following attributes:

# id
# name
# type
# region
# subscriptionId
# scope
# roleDefinitionId
# principalId
# principalType
# canDelegate
# groups
# roleDefinition 
# servicePrincipals 
# users


Ordering

You can order the results you get back either asc or desc depending on your preference:

GraphQL
query {
  queryazureAuthRoleAssignment(order: { desc: name }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "name" you can order
# using "asc" or "desc" based on any of the following attributes:

# id
# name
# type
# region
# subscriptionId
# scope
# roleDefinitionId
# principalId
# principalType
# canDelegate


Only select and return the first two Azure Authorization Role Assignments that are found:

GraphQL
query {
  queryazureAuthRoleAssignment(first: 2, order: { desc: name }) {
    id
    # Other fields and connections here...
  }
}


Only select and return the first two Authorization Role Assignments that are found, but offset by one so that assignments two and three are returned:

GraphQL
query {
  queryazureAuthRoleAssignment(first: 2, order: { desc: name }, offset: 1) {
    id
    # Other fields and connections here...
  }
}


Aggregation

Count the number of Authorization Role Assignments across all scanned Azure subscriptions:

GraphQL
query {
  aggregateazureAuthRoleAssignment {
    count
    # Other fields and connections here...
  }
}

# Note that in addition to "count" you can request the
# following min and max values based on attributes of your Authorization Role Assignment:

# idMin
# idMax
# nameMin
# nameMax
# typeMin
# typeMax
# regionMin
# regionMax
# subscriptionIdMin
# subscriptionIdMax
# scopeMin
# scopeMax
# roleDefinitionIdMin
# roleDefinitionIdMax
# principalIdMin
# principalIdMax
# principalTypeMin
# principalTypeMax


Count the number of Authorization Role Assignments in a single Azure subscription. Note that you can apply all of the same filters that are listed above to aggregate queries:

GraphQL
query {
  aggregateazureAuthRoleAssignment(filter: { subscriptionId: { eq: "12345" } }) {
    count
    # Other fields and connections here...
  }
}


Examples

Find all of the Authorization Role Assignments that are in the eastus region across all scanned Azure subscriptions:

GraphQL
query {
  queryazureAuthRoleAssignment(filter: { region: { eq: "eastus" } }) {
    id
    # Other fields and connections here...
  }
}


Kitchen Sink

Putting it all together: get all data for all Authorization Role Assignments across all regions for all scanned Azure subscriptions in a single query:

GraphQL
query {
  queryazureAuthRoleAssignment{
    id
    name
    type
    region
    subscriptionId
    scope
    roleDefinitionId
    principalId
    principalType
    canDelegate
    applications {
      id
      region
      appId
      applicationTemplateId
      apiAcceptMappedClaims
      apiKnownClientApplications
      apiPreAuthorizedApplications
      appRoles{
        id
        allowedMemberTypes
        description
        displayName
        isEnabled
        origin
        value
      }
      createdDateTime
      description
      disabledByMicrosoftStatus
      displayName
      groupMembershipClaims
      identifierUris
      isDeviceOnlyAuthSupported
      isFallbackPublicClient
      notes
      oauth2RequirePostResponse
      publicClientRedirectUris
      publisherDomain
      signInAudience
      spaApplicationRedirectUris
      webAppHomePageUrl
      webAppRedirectUris
      tags{
        id
        key
        value
      }
      authRoleAssignments {
        id
        # Other fields and connections here...
      }
      instancedBy {
        id
        # Other fields and connections here...
      }
      ownerGroups {
        id
        # Other fields and connections here...
      }
      ownerServicePrincipals {
        id
        # Other fields and connections here...
      }
      ownerUsers {
        id
        # Other fields and connections here...
      }
    }
    groups {
      id
      deletedDateTime
      classification
      createdDateTime
      description
      displayName
      expirationDateTime
      groupTypes
      isAssignableToRole
      mail
      mailEnabled
      mailNickname
      membershipRule
      membershipRuleProcessingState
      onPremisesDomainName
      onPremisesLastSyncDateTime
      onPremisesNetBiosName
      onPremisesSamAccountName
      onPremisesSecurityIdentifier
      onPremisesSyncEnabled
      preferredDataLocation
      preferredLanguage
      proxyAddresses
      renewedDateTime
      securityEnabled
      visibility
      allowExternalSenders
      isSubscribedByMail
      isArchived
      permissionGrants {
        id
        clientAppId
        clientId
        permission
        permissionType
        resourceAppId
      }
      settings {
        id
        deletedDateTime
        displayName
        templateId
        values {
          id
          name
          value
        }
      }
      appOwnerOf {
        id
        # Other fields and connections here...
      }
      authRoleAssignments {
        id
        # Other fields and connections here...
      }
    }
    roleDefinition {
      id
      name
      type
      region
      subscriptionId
      roleName
      description
      roleType
      permissions {
        id
        actions
        notActions
        dataActions
        notDataActions
      }
      assignableScopes
    }
    servicePrincipals {
      id
      deletedDateTime
      accountEnabled
      alternativeNames
      appDescription
      appDisplayName
      appId
      applicationTemplateId
      appOwnerOrganizationId
      appRoleAssignmentRequired
      appRoles {
        id
        # Other fields and connections here...
      }
      description
      disabledByMicrosoftStatus
      displayName
      homepage
      loginUrl
      logoutUrl
      notes
      notificationEmailAddresses
      preferredSingleSignOnMode
      replyUrls
      servicePrincipalNames
      servicePrincipalType
      signInAudience
      tokenEncryptionKeyId
      appRoleAssignedTo {
        id
        # Other fields and connections here...
      }
      appRoleAssignments {
        id
        # Other fields and connections here...
      }
      endpoints{
        id
        deletedDateTime
        capability
        providerId
        providerName
        providerResourceId
        uri
      }
      tags {
        id
        key
        value
      }
      appOwnerOf {
        id
        # Other fields and connections here...
      }
      instanceOf {
        id
        # Other fields and connections here...
      }
      authRoleAssignments {
        id
        # Other fields and connections here...
      }
    }
    users { 
      id
      deletedDateTime
      accountEnabled
      ageGroup
      city
      companyName
      country
      createdDateTime
      creationType
      department
      displayName
      employeeHireDate
      employeeId
      employeeType
      externalUserState
      externalUserStateChangeDateTime
      givenName
      isResourceAccount
      lastPasswordChangeDateTime
      mail
      mailNickname
      officeLocation
      onPremisesDistinguishedName
      onPremisesDomainName
      onPremisesImmutableId
      onPremisesLastSyncDateTime
      onPremisesSyncEnabled
      onPremisesUserPrincipalName
      otherMails
      passwordPolicies
      preferredLanguage
      proxyAddresses
      state
      surname
      usageLocation
      userPrincipalName
      userType
      preferredName
      responsibilities
      appOwnerOf{
        id
        # Other fields and connections here...
      }
      appRoleAssignments{
        id
        # Other fields and connections here...
      }
      authRoleAssignments{
        id
        # Other fields and connections here...
      }
    }
  }
}
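
One way to consume these queries from a script rather than from the Playground, as an added example that is not CloudGraph's own code: it POSTs a trimmed version of the role-assignment query to a CloudGraph server (CLOUDGRAPH_URL is an assumed placeholder; point it at your deployment) and then triages the results the way a least-privilege review would, flagging Owner, Contributor or User Access Administrator assignments at subscription or management-group scope, privileged roles held by service principals, and assignments with canDelegate set. The scope classification follows Azure's standard scope path formats; the sample records are constructed, not real scan output, and are used as an offline fallback.

```python
"""Triage Azure role assignments pulled from CloudGraph's GraphQL API.

Added example, not CloudGraph project code. Assumes a CloudGraph server at
CLOUDGRAPH_URL exposing the AuthRoleAssignment fields documented on this page.
"""
import json
import urllib.request

CLOUDGRAPH_URL = "http://localhost:8997/graphql"  # assumed placeholder; adjust

# Only the fields needed for triage; all of them appear in the schema above.
ROLE_ASSIGNMENT_QUERY = """
query {
  queryazureAuthRoleAssignment {
    id
    subscriptionId
    scope
    principalId
    principalType
    canDelegate
    roleDefinition {
      roleName
    }
  }
}
"""

# Built-in roles that grant broad control over everything under their scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_LEVELS = {"root", "managementGroup", "subscription"}


def fetch_role_assignments(url=CLOUDGRAPH_URL, timeout=30):
    """POST the query to CloudGraph and return the assignment list."""
    body = json.dumps({"query": ROLE_ASSIGNMENT_QUERY}).encode("utf-8")
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(f"GraphQL errors: {payload['errors']}")
    return payload["data"]["queryazureAuthRoleAssignment"]


def scope_level(scope):
    """Classify an Azure RBAC scope path by how much it covers."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"  # tenant root scope "/"
    if parts[0] == "providers" and parts[1:2] == ["Microsoft.Management"]:
        return "managementGroup"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
    return "resource"


def find_broad_privileged_assignments(assignments):
    """Return the assignments worth a least-privilege review, with reasons."""
    findings = []
    for a in assignments:
        role = (a.get("roleDefinition") or {}).get("roleName")
        level = scope_level(a.get("scope") or "")
        reasons = []
        if role in PRIVILEGED_ROLES and level in BROAD_LEVELS:
            reasons.append(f"{role} granted at {level} scope")
        if role in PRIVILEGED_ROLES and a.get("principalType") == "ServicePrincipal":
            reasons.append(f"{role} held by a service principal")
        if a.get("canDelegate"):
            reasons.append("assignment sets canDelegate")
        if reasons:
            findings.append({"id": a["id"], "principalId": a.get("principalId"),
                             "reasons": reasons})
    return findings


def _sample(id_, scope, principal_id, principal_type, role, can_delegate=False):
    """Build one constructed assignment record in the shape the query returns."""
    return {"id": id_, "subscriptionId": "sub-aaaa", "scope": scope,
            "principalId": principal_id, "principalType": principal_type,
            "canDelegate": can_delegate, "roleDefinition": {"roleName": role}}


# Constructed sample data, not real scan output.
SAMPLE_ASSIGNMENTS = [
    _sample("ra-0001", "/subscriptions/sub-aaaa", "sp-ci-deployer",
            "ServicePrincipal", "Owner"),
    _sample("ra-0002", "/subscriptions/sub-aaaa/resourceGroups/rg-app",
            "user-analyst", "User", "Reader"),
    _sample("ra-0003", "/subscriptions/sub-aaaa/resourceGroups/rg-app"
            "/providers/Microsoft.Web/sites/web1",
            "user-dev", "User", "Contributor", can_delegate=True),
]


if __name__ == "__main__":
    try:
        assignments = fetch_role_assignments()
    except OSError:  # server not reachable: fall back to the constructed sample
        assignments = SAMPLE_ASSIGNMENTS
    for f in find_broad_privileged_assignments(assignments):
        print(f["id"], f["principalId"], "; ".join(f["reasons"]))
```

Against the sample data the script reports ra-0001 (Owner at subscription scope, held by a service principal) and ra-0003 (canDelegate set) and stays quiet about the resource-group Reader. The same triage can be pushed into the query itself once you settle on the rules, for example with `filter: { principalType: { eq: "ServicePrincipal" } }` combined with the `regexp` filter on `scope`, but doing the classification client-side keeps the query simple while the rules are still changing.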


References

Dgraph documentation on querying

Azure RBAC Documentation

Updated 03 Mar 2023