Others • Others

Orphan Roles

Description

This recipe identifies orphan roles in OvalEdge — roles that are not assigned to any user and do not have object-level permissions on jobs, dashboards, glossary terms, schemas, or tables. Detecting these roles helps maintain a leaner access management model and prevents the accumulation of redundant or unused roles.

Details

Orphan Roles Identification

Detect system roles not linked to active users, policies, or responsibilities to reduce security and governance risk.

Why this recipe matters

Orphan roles accumulate over time as organizations restructure teams, migrate systems, or change access policies. These unused roles create hidden risks, inflate system complexity, and mislead governance teams. This recipe identifies all roles not assigned to any user, not referenced in policies, and not used in audit logs.

Business value

Reduces access sprawl and simplifies role governance.
Improves audit readiness and security posture.
Eliminates unused roles that cause confusion in governance workflows.
Supports migration and cleanup activities.
Ensures accurate role-to-policy mapping in governance frameworks.

Who benefits

Security Teams
Data Governance Teams
Platform Admins
Compliance & Audit Stakeholders
Identity Management Teams

What you receive

Inactive roles list

Role–user mapping insights

Policy coverage gaps

Risk severity scoring

Cleanup recommendations

How the recipe works (guided flow)

Step 1 — Read roles, users, and mapping tables
Load all roles, users, assignments, and policy references.

Step 2 — Identify roles with no assigned users
Spot roles never mapped to any user profile.

Step 3 — Identify roles unused in any policy
Check policy-role relationships to detect dead mappings.

Step 4 — Cross-check audit logs
Confirm roles have not been used in access events.

Step 5 — Assign severity
Rank roles based on governance sensitivity.

Step 6 — Output orphan role register
Provide cleanup-ready dataset for IAM and governance teams.

Sample insights (illustrative)

Insight Category	What the recipe discovered	Business Impact
Unused roles	12 roles have zero user assignments.	Cleanup reduces IAM complexity & audit scope.
Policy gaps	4 roles are referenced in no policies.	Ensures only meaningful roles remain active.
High-risk roles	Some roles have elevated privileges but no owners.	Requires immediate investigation.

Before you run this recipe

Make sure the following ingredients are available:

Connected datasets are crawled and profiled
Columns have distinct counts and top values generated

Back to Recipes