The Roles page provides numerous ways to sort, filter, and rank the detected role information to remediate identity risks associated with roles and their permissions quickly.

The GCP CIEM data is in Technical Preview status.

Filter and Sort

Sortable Columns

Actionable Risk

Values: Critical, High, Medium, Low

Actionable Risk focuses on unused permissions, while Risk looks at all permissions. Actionable Risk is designed to help you achieve Least Permissive access.


Values: Critical, High, Medium, Low

This is a calculation of risk based on all permissions. See also: Understanding Risk Scoring.

% of Unused Permissions

This shows the number of unused permissions used with the role, per total permissions assigned to the role, shown as a percentage graph.

When remediating, immediately target the roles with the greatest exposure and refine them according to the suggestions.


For AWS, this reflects the number of users who can use this role.

For GCP, the membership number reflects the number of users, groups, and/or service accounts who are bound to this role.

Highest Access

See also: Understand Highest Access


  • Admin: Admin access granted
  • Write: Write access granted
  • Read: Read access granted
  • Empty Access: No permissions are granted at all


The findings on User pages include:

  • Admin
  • Inactive

Available Filters

  • Search: Free text search on terms in the resource name
  • Platform: by provider, e.g. AWS
  • Actionable Risks: By severity
  • Cloud Accounts: Account name/number by cloud provider (e.g. AWS)
  • Access Categories: Admin, Write, Read, or Empty Access
  • Findings: Admin , Inactive

Analyze and Remediate

To reduce a role’s entitlements, click on the role name to open the detail drawer and subtabs. The remediation options for roles work the same way as for Users.

Detail Drawers

The Users page organizes everything around the individual user.

  • Overview: Displays the critical permissions issues detected for this role, sorted by Risk and Actionable Risk.
  • Attached IAM Policies: Displays the policies to which this role is connected, sorted by unused permissions.
  • Role Details: Displays a summary of this role’s total granted permissions, group associations, activity, user ARN ID, and findings.

Optimization Examples

See the User Optimization Examples and follow the same pattern for Roles. You can:

  • Analyze the Role Permissions Details
  • Optimize a policy globally
  • Create a role-specific optimized policy
  • Delete an unused policy