Google Workspace admin role assigned
Description
AlphaSOC detected an assignment of a Google Workspace administrative role via
the audit event ASSIGN_ROLE. Administrators assign roles as part of legitimate
delegation and role management, but role assignments made by an adversary or
through misconfiguration can expand privileges and persist access across the tenant.
Impact
Unauthorized or unnecessary admin role assignments can enable tenant-wide configuration changes, user and data access escalation, and persistence of malicious administrative tooling. Such assignments can facilitate lateral movement, data access, or disabling of security controls.
Severity
| Severity | Condition |
|---|---|
| Low | Google Workspace admin role assigned |
Investigation and Remediation
Review the Google Workspace audit logs for the ASSIGN_ROLE event and inspect
the ROLE_NAME and the affected account. Validate whether the role change was
authorized by checking change tickets, change windows, or documented delegation
policies. If the change is unauthorized, revoke the role, rotate credentials for
the actor account, and search for other suspicious admin actions from the same
principal. Apply least-privilege role assignments and require change approvals
for administrative role modifications.
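
One way to carry out the review described above, as an added example that is not AlphaSOC's or Google's code. It assumes audit records in the Admin SDK Reports API activity shape; the `USER_EMAIL` parameter name, the sample records, and the `APPROVED` allowlist are assumptions constructed for illustration.

```python
# Assumed record shape (Admin SDK Reports API activity): id.time, actor.email,
# ipAddress, events[].name, events[].parameters[] with ROLE_NAME and USER_EMAIL.
# Constructed sample records; addresses, times and role values are made up.
SAMPLE = [
    {"id": {"time": "2024-05-01T09:00:00Z"}, "actor": {"email": "it-admin@example.com"},
     "ipAddress": "198.51.100.7", "events": [{"name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "_HELP_DESK_ADMIN_ROLE"},
         {"name": "USER_EMAIL", "value": "helpdesk1@example.com"}]}]},
    {"id": {"time": "2024-05-01T23:14:00Z"}, "actor": {"email": "jdoe@example.com"},
     "ipAddress": "203.0.113.50", "events": [{"name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
         {"name": "USER_EMAIL", "value": "jdoe@example.com"}]}]},
    {"id": {"time": "2024-05-01T23:20:00Z"}, "actor": {"email": "jdoe@example.com"},
     "ipAddress": "203.0.113.50", "events": [{"name": "CREATE_USER", "parameters": [
         {"name": "USER_EMAIL", "value": "svc-backup@example.com"}]}]},
]
# Hypothetical approvals taken from change tickets: (actor, role, target).
APPROVED = {("it-admin@example.com", "_HELP_DESK_ADMIN_ROLE", "helpdesk1@example.com")}

def role_assignments(activities):
    """Yield one flat dict per ASSIGN_ROLE event; missing fields become None."""
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != "ASSIGN_ROLE":
                continue
            params = {p.get("name"): p.get("value") for p in ev.get("parameters", [])}
            yield {"time": act.get("id", {}).get("time"),
                   "actor": act.get("actor", {}).get("email"), "ip": act.get("ipAddress"),
                   "role": params.get("ROLE_NAME"), "target": params.get("USER_EMAIL")}

def triage(activities, approved):
    """Return assignments that need review, each with the reasons it was flagged."""
    findings = []
    for a in role_assignments(activities):
        reasons = []
        if (a["actor"], a["role"], a["target"]) not in approved:
            reasons.append("no matching approval")
        if a["actor"] and a["actor"] == a["target"]:
            reasons.append("actor assigned the role to itself")
        if reasons:
            findings.append({**a, "reasons": reasons})
    return findings

def other_admin_actions(activities, actor):
    """List (time, event name) for the actor's non-ASSIGN_ROLE admin events."""
    return [(act.get("id", {}).get("time"), ev.get("name")) for act in activities
            if act.get("actor", {}).get("email") == actor
            for ev in act.get("events", []) if ev.get("name") != "ASSIGN_ROLE"]
```

`triage(SAMPLE, APPROVED)` returns the assignments to check against change records, and `other_admin_actions` lists what else the same principal did for the follow-up search.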