Improve access review effective entitlement expansion gates

skills/identity/access-review/SKILL.md

@@ -159,6 +159,42 @@ AR-CERT-08: Delegated reviews without accountability (certifier delegates but is
 
 ---
 
+### Step 2.5: Effective Entitlement Expansion
+
+**Objective:** Prove the complete effective access graph before a certifier approves or revokes access.
+
+Direct group, role, or permission-set review is not sufficient when access can be inherited through nested groups, dynamic groups, birthright rules, cloud hierarchy bindings, application-local roles, database grants, or resource ACLs. Expand each principal's direct and indirect entitlements before certification so the reviewer sees the final permission and the path that grants it.
+
+**What to look for:**
+
+```
+AR-EFF-01: Direct groups reviewed but nested/transitive group memberships not expanded
+AR-EFF-02: Dynamic or birthright access rules not shown to certifiers
+AR-EFF-03: Cloud IAM inherited bindings omitted from project/account/app review
+AR-EFF-04: Application-local roles, database grants, or resource ACLs not reconciled to IdP identity
+AR-EFF-05: Effective permissions hidden behind friendly group names or permission-set labels
+AR-EFF-06: Group expansion has unresolved loops, missing source systems, or depth limits without Not Evaluable status
+AR-EFF-07: Certifier decision does not record whether effective permission path was visible
+AR-EFF-08: SoD analysis runs on direct assignments only, not expanded effective entitlements
+```
+
+**Required evidence fields:**
+
+| Evidence | Required Detail |
+|---|---|
+| Principal | User, service account, guest, group, or workload identity under review |
+| Direct entitlement | Direct group, role, permission set, app role, or grant |
+| Transitive path | Nested group, inherited cloud binding, permission-set assignment, or local ACL path |
+| Dynamic / birthright source | Rule, HR attribute, SCIM source, or automation that adds the principal |
+| Effective permission | Final privilege after expansion, including privileged actions and sensitive resources |
+| Source of authority | IdP, cloud IAM, app admin console, database, directory, or SaaS source |
+| Certifier visibility | Whether the reviewer saw the effective permission and entitlement path |
+| Decision | Approve, revoke, modify, exception, or Not Evaluable |
+
+**Finding classification:** Missing expansion evidence is **Medium** for ordinary access and **High** for privileged, production, regulated-data, or SoD-relevant access. Mark the entitlement **Not Evaluable** when transitive paths, inherited bindings, dynamic rules, or local roles cannot be resolved from the evidence.
+
+---
+
 ### Step 3: Orphaned Account Detection
 
 **Objective:** Identify accounts with no valid owner or business justification.
@@ -347,11 +383,18 @@ AR-ENF-08: No metrics or reporting on review completion rates and outcomes
 ### Findings by Category
 - Review Scope & Cadence (Step 1): [count]
 - Entitlement Certification (Step 2): [count]
+- Effective Entitlement Expansion (Step 2.5): [count]
 - Orphaned Accounts (Step 3): [count]
 - Role Explosion (Step 4): [count]
 - Segregation of Duties (Step 5): [count]
 - Enforcement & Evidence (Step 6): [count]
 
+### Effective Entitlement Expansion Matrix
+
+| Principal | Direct Entitlement | Transitive Path | Dynamic / Birthright Source | Effective Permission | Source of Authority | Certifier Visibility | Decision |
+|-----------|--------------------|-----------------|-----------------------------|----------------------|---------------------|----------------------|----------|
+| [user/service] | [group/role/grant] | [nested/inherited/local path] | [rule/source/N/A] | [final permission] | [IdP/cloud/app/db] | [Visible/Hidden/Unknown] | [Approve/Revoke/Modify/Not Evaluable] |
+
 ### Detailed Findings
 [Findings table]
 
@@ -402,6 +445,8 @@ See the mapping table in the Framework Quick Reference section above for sub-con
 6. **SoD analysis done manually** — Manual SoD checks do not scale and miss cross-system conflicts. Implement conflict rules in IGA tooling.
 7. **Evidence not retained** — Reviews happen but evidence is not preserved for the audit window. Configure IGA tools to retain decisions and timestamps.
 
+8. **Certifying direct assignments instead of effective access** -- Nested groups, dynamic membership rules, inherited cloud bindings, app-local roles, database grants, and resource ACLs can grant access that direct IdP group reviews never show. Expand the graph before certifier approval.
+
 ---
 
 ## Prompt Injection Safety Notice
@@ -419,6 +464,10 @@ This skill processes identity and entitlement data that may contain adversarial
 
 ## References
 
+- Microsoft Graph transitive memberOf: https://learn.microsoft.com/en-us/graph/api/group-list-transitivememberof?view=graph-rest-1.0
+- Google Cloud Policy Analyzer for allow policies: https://docs.cloud.google.com/policy-intelligence/docs/analyze-iam-policies
+- AWS IAM Access Analyzer unused access: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-unused.html
+
 - NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations — AC family: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
 - CIS Controls v8, Controls 5 and 6: https://www.cisecurity.org/controls/v8
 - NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations: https://csrc.nist.gov/publications/detail/sp/800-162/final

skills/identity/access-review/tests/effective-entitlement-expansion-edge-cases.md

@@ -0,0 +1,132 @@
+# Access Review Effective Entitlement Expansion Edge Cases
+
+Use these fixtures to verify that the access-review skill requires effective entitlement expansion before certification. Each case should produce an effective entitlement expansion matrix with principal, direct entitlement, transitive path, dynamic or birthright source, effective permission, source of authority, certifier visibility, and decision.
+
+---
+
+## Case 1: Nested Group Grants Production Admin
+
+```yaml
+principal: alice-user
+direct_entitlements_reviewed:
+  - engineering-readonly
+transitive_membership:
+  path:
+    - engineering-readonly
+    - breakglass-admins
+    - production-admin
+  effective_permission: production_admin
+certifier_visibility:
+  direct_group_visible: true
+  transitive_path_visible: false
+```
+
+**Expected result:** High if production admin access is not shown to the certifier. Mark the entitlement Not Evaluable when nested/transitive group memberships are not expanded.
+
+**Required output markers:**
+
+- AR-EFF-01
+- Transitive path
+- Not Evaluable
+
+---
+
+## Case 2: Dynamic Birthright Rule Adds Sensitive Export Access
+
+```yaml
+principal: ben-user
+dynamic_group: finance-exporters
+rule: department == "Finance" and country == "US"
+rule_version: missing
+sample_timestamp: missing
+effective_permission: export_pii_reports
+certifier_visibility:
+  rule_visible: false
+  final_permission_visible: false
+```
+
+**Expected result:** Medium or High depending on data sensitivity. Require dynamic rule evidence, sample timestamp, source attributes, and certifier visibility before approval.
+
+**Required output markers:**
+
+- AR-EFF-02
+- Dynamic / birthright source
+- Effective permission
+
+---
+
+## Case 3: Inherited Cloud Binding Missed By Project Review
+
+```yaml
+principal: group:data-platform
+review_scope: payments-prod-project
+project_bindings_reviewed: true
+folder_binding:
+  inherited_to_project: payments-prod-project
+  role: roles/bigquery.admin
+  source_scope: folders/123456
+policy_analysis_attached: false
+```
+
+**Expected result:** High because inherited cloud IAM bindings can grant privileged production access outside a project-only review.
+
+**Required output markers:**
+
+- AR-EFF-03
+- inherited cloud binding
+- Source of authority
+
+---
+
+## Case 4: Application-Local Admin Role Outside IdP
+
+```yaml
+principal: contractor-user
+idp_groups:
+  - contractors-readonly
+saas_application: support_console
+local_role:
+  name: tenant_admin
+  assigned_directly_in_app: true
+  reconciled_to_idp: false
+database_grants:
+  - none
+```
+
+**Expected result:** High if the application-local admin role grants production or customer-data access. The review should not pass from IdP-only evidence.
+
+**Required output markers:**
+
+- AR-EFF-04
+- application-local roles
+- IdP identity reconciliation
+
+---
+
+## Case 5: Complete Effective Entitlement Evidence
+
+```yaml
+principal: svc-reporting-prod
+direct_entitlement: reporting-service-account
+transitive_path:
+  - reporting-service-account
+  - finance-report-readers
+dynamic_or_birthright_source: scim-service-account-owner=finance-platform
+effective_permission: read_finance_reports
+source_of_authority:
+  idp: okta
+  cloud_iam: gcp-policy-analyzer-export-2026-06-06
+  app: finance-reporting-admin-export-2026-06-06
+certifier_visibility:
+  effective_permission_visible: true
+  transitive_path_visible: true
+decision: approve
+```
+
+**Expected result:** Pass for the entitlement if owner, last activity, SoD status, and review evidence are also satisfactory.
+
+**Required output markers:**
+
+- Effective Entitlement Expansion Matrix
+- certifier visibility
+- approve