Persistence: Unmanaged Account Granted Sensitive Role
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
A sensitive role was granted to an unmanaged account.
Unmanaged accounts can't be controlled by system administrators. For example, when the
corresponding employee leaves the company, the administrator can't delete the account.
Therefore, granting sensitive roles to unmanaged accounts creates a potential
security risk for the organization.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Persistence: Unmanaged Account Granted Sensitive Role
finding, as directed in Reviewing findings.
In the finding details, on the Summary tab, note the values of the
following fields.
Under What was detected:
Principal email: the user who conducted the granting action
Offending access grants.Principal name: the unmanaged account that receives the grant
Offending access grants.Role granted: the sensitive role that was granted
Step 2: Research attack and response methods
Contact the owner of the Principal email field.
Confirm whether the legitimate owner conducted the action.
Check with the owner of the Offending access grants.Principal name field
to understand the origin of the unmanaged account.
Step 3: Check logs
On the Summary tab of the finding details panel, under Related links,
click the Cloud Logging URI link to open the Logs Explorer.
Step 4: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
Contact the owner of the project where the action was taken.
Remove the access of the owner of the Principal email if it is compromised.
Remove the newly granted sensitive role from the unmanaged account.
Consider converting the unmanaged account into a managed account using the transfer tool,
and moving this account under the control of system administrators.
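As an added triage example (not part of the Security Command Center documentation), the following Python reconstructs the finding's three fields from a constructed IAM SetIamPolicy Cloud Audit Logs entry of the kind the Cloud Logging URI opens, and builds the gcloud command that removes the newly granted role. The managed-domain allowlist, the set of roles treated as sensitive, and the log field layout (protoPayload.serviceData.policyDelta.bindingDeltas) are assumptions made for this example.

```python
import json

# Assumptions (not from the finding documentation): the domains the
# organization manages in Cloud Identity, and the roles it treats as sensitive.
MANAGED_DOMAINS = {"example.com"}
SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

# Constructed IAM SetIamPolicy audit-log entry, trimmed to the fields used here.
SAMPLE_ENTRY = json.dumps({
    "protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "resourceName": "projects/example-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner", "member": "user:contractor@gmail.com"},
            {"action": "ADD", "role": "roles/viewer", "member": "user:dev@example.com"},
            {"action": "REMOVE", "role": "roles/owner", "member": "user:old@example.com"},
        ]}},
    }
})

def is_unmanaged(member):
    """A 'user:' member whose domain is not one the organization manages."""
    kind, _, email = member.partition(":")
    if kind != "user" or "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() not in MANAGED_DOMAINS

def offending_grants(entry_json):
    """Return the finding's fields for each ADD of a sensitive role to an unmanaged account."""
    payload = json.loads(entry_json)["protoPayload"]
    if payload.get("methodName") != "SetIamPolicy":
        return []
    actor = payload["authenticationInfo"]["principalEmail"]  # Principal email
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return [
        {"principal_email": actor, "principal_name": d["member"],  # Principal name
         "role_granted": d["role"], "resource": payload["resourceName"]}  # Role granted
        for d in deltas
        if d.get("action") == "ADD" and d["role"] in SENSITIVE_ROLES and is_unmanaged(d["member"])
    ]

def revoke_command(grant):
    """gcloud command a responder would run to remove the newly granted role (Step 4)."""
    project = grant["resource"].split("/", 1)[1]
    return (f"gcloud projects remove-iam-policy-binding {project} "
            f"--member={grant['principal_name']} --role={grant['role_granted']}")
```

Call offending_grants(SAMPLE_ENTRY) to see the single offending grant the sample contains; the viewer grant to a managed user and the REMOVE delta are ignored.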
Note: This finding type is available in the Premium and Enterprise service tiers and is in Preview. It is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Last updated 2025-09-03 UTC.