Quantifying Azure RBAC Wildcard Overreach
Christophe Parisel

TL;DR
This paper presents Belshazaar, a framework that formalizes Azure RBAC wildcards, expands them into explicit permissions, and quantifies overreach, revealing significant privilege bloat and aiding in creating tighter security policies.
Contribution
Introduces Belshazaar, a novel two-stage method to analyze and quantify wildcard overreach in Azure RBAC, combining formal syntax expansion and a semantic overreach metric.
Findings
Approximately 50% of actions have cross-resource provider reach due to wildcards.
Effective permission sets are computationally feasible to determine.
Wildcard patterns can cause substantial privilege bloat in Azure RBAC.
Abstract
Azure RBAC leverages wildcard permissions to simplify policy authoring, but this abstraction often obscures the actual set of allowed operations and undermines least-privilege guarantees. We introduce Belshazaar, a two-stage framework that targets both the effective permission set problem and the evaluation of wildcard permissions spread. First, we formalize Azure action syntax via a context-free grammar and implement a compiler that expands any wildcard into its explicit action set. Second, we define an ultrametric diameter metric to quantify semantic overreach in wildcard scenarios. Applied to Microsoft's official catalog of 15481 actions, Belshazaar reveals that about 50 percent of actions admit a cross-Resource-Provider reach when associated with non-obvious wildcards, and that effective permission sets are effectively computable. These findings demonstrate that wildcard patterns…
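The two stages the abstract describes, as an added Python illustration (not the paper's Belshazaar code): a wildcard action is expanded against a constructed mini-catalog, and the expanded set is scored with a tree ultrametric whose diameter is 1.0 exactly when the reach crosses resource providers. The catalog, the '*' matching rule and the distance definition are assumptions; the paper's grammar and metric are not on this page.

```python
import re
from itertools import combinations

# Constructed mini-catalog in Azure action syntax (not Microsoft's 15481-action catalog).
CATALOG = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/extensions/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/secrets/read",
]

def expand(wildcard, catalog=CATALOG):
    """Stage 1: expand one action pattern into the explicit catalog actions it covers.
    Assumed rule: '*' matches any run of characters, slashes included, case-insensitively."""
    pattern = ".*".join(re.escape(part) for part in wildcard.split("*"))
    rx = re.compile(f"^{pattern}$", re.IGNORECASE)
    return sorted(a for a in catalog if rx.match(a))

def providers(actions):
    """Resource providers (first path segment) touched by a set of actions."""
    return sorted({a.split("/", 1)[0].lower() for a in actions})

def lcp_depth(a, b):
    """Number of leading path segments two actions share (case-insensitive)."""
    n = 0
    for x, y in zip(a.lower().split("/"), b.lower().split("/")):
        if x != y:
            break
        n += 1
    return n

def distance(a, b):
    # Assumed tree ultrametric: 0 for identical actions, otherwise 2^-lcp.
    # 1.0 = different providers, 0.5 = same provider but different resource type, ...
    return 0.0 if a.lower() == b.lower() else 2.0 ** -lcp_depth(a, b)

def diameter(actions):
    """Stage 2: overreach score = largest pairwise distance inside the expanded set."""
    if len(actions) < 2:
        return 0.0
    return max(distance(x, y) for x, y in combinations(actions, 2))

if __name__ == "__main__":
    for w in ["*/read", "Microsoft.Compute/*/read", "Microsoft.KeyVault/vaults/read"]:
        acts = expand(w)
        print(f"{w:32} -> {len(acts)} actions, providers={providers(acts)}, diameter={diameter(acts)}")
```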
Taxonomy
Topics: Access Control and Trust · Security and Verification in Computing · Network Packet Processing and Optimization
