The By inheritance scope type lets you build an access review campaign around the resources and role assignments you care about, rather than listing every individual entitlement. C1 automatically resolves all the access that flows into your selections—including access inherited from parent resources and from group membership—so reviewers see the full picture of who can reach each resource and why. Resource-based selections work for any app in C1. Scope and role pair selections — where you review who holds a role at a specific level of a resource hierarchy — are only available for cloud infrastructure apps like Azure.

When to use scope by inheritance

Use By inheritance when:
  • You’re reviewing access to cloud infrastructure where permissions cascade through a hierarchy—for example, a role assigned at the subscription level that applies to every resource beneath it.
  • You want to see everyone who can reach a resource, not just everyone who holds a specific entitlement on it.
  • Users get their access indirectly—through group membership or a role assigned higher up the resource tree—and you want those indirect paths surfaced in the review.
  • You’d rather scope by resource than by individual entitlement. Selecting the resources you care about can be faster and clearer than listing entitlements, and C1 resolves each resource to the entitlements that apply to it.
If you’d rather scope by explicitly naming entitlements, use the standard By entitlements scope type instead.

How access inheritance works

In a cloud environment, a person can have access to a resource without any permission being assigned to that resource directly. By inheritance accounts for two paths:
  • Resource hierarchy. A role assigned high in the resource tree—for example, Contributor on a subscription—grants access to every resource beneath it. When you scope a campaign to a child resource, C1 walks up the parent chain and includes any roles that grant access from above.
  • Group membership. A user may hold access only because they belong to a group that was granted a role. C1 follows group membership chains so that underlying group access shows up in the review.
These two paths combine. If a group is assigned a role on a parent resource and a user belongs to that group, the review captures both the role assignment and the group membership that leads to it—giving reviewers the full picture of why someone has access.
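The two paths described above, modeled as an added example; this is not C1's code or data model, and every resource, group, user and function name in it is constructed. It walks up the parent chain of a resource, expands nested group membership on each role assignment it finds, and returns one row per user with the path that produced the access.

```python
# Constructed sample data with hypothetical names; a model of the two paths,
# not C1's implementation.
PARENT = {  # child resource -> parent resource
    "vm-web-01": "rg-prod",
    "rg-prod": "sub-payments",
    "sub-payments": None,
}
ASSIGNMENTS = [  # (principal, role, resource the role is assigned on)
    ("grp-platform", "Contributor", "sub-payments"),
    ("grp-oncall", "Owner", "rg-prod"),
    ("alice", "Reader", "vm-web-01"),
]
MEMBERS = {  # group -> direct members (users or nested groups)
    "grp-platform": ["grp-sre", "bob"],
    "grp-sre": ["carol"],
    "grp-oncall": ["carol", "grp-oncall"],  # self-reference: a cycle to survive
}

def ancestors(resource):
    """Yield the resource itself, then each parent up to the root."""
    seen = set()
    while resource is not None and resource not in seen:
        seen.add(resource)
        yield resource
        resource = PARENT.get(resource)

def expand(principal, chain=()):
    """Yield (user, group_chain) for every user reachable from a principal."""
    if principal not in MEMBERS:   # not a group, so treat it as a user
        yield principal, chain
    elif principal not in chain:   # skip groups already on this path (cycle)
        for member in MEMBERS[principal]:
            yield from expand(member, chain + (principal,))

def effective_access(resource):
    """Return rows (user, role, assigned_on, via_groups, from_parent)."""
    rows = []
    for scope in ancestors(resource):
        for principal, role, assigned_on in ASSIGNMENTS:
            if assigned_on == scope:
                for user, groups in expand(principal):
                    rows.append((user, role, scope, groups, scope != resource))
    return sorted(rows)

if __name__ == "__main__":
    for row in effective_access("vm-web-01"):
        print(row)
```

In this sample only alice holds a role assigned on the VM itself; bob and carol appear solely through roles assigned on a parent resource to a group, and carol appears twice because two separate paths reach her.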

Set up a campaign scoped by inheritance

1. Navigate to Governance > Campaigns and click New campaign.
2. Fill out the campaign details. Under Review scope type, select By inheritance, then click Continue.
3. Configure your scope selections. You can use one or both:
  • Scope and role pairs (cloud infrastructure apps only). Select a combination of a scope resource (such as a subscription) and a role (such as Owner) to review who holds that role within that part of the resource hierarchy.
  • Resources (any app). Select specific resources to review. C1 expands each selection to include access inherited from parent resources. For cloud infrastructure apps, the resource list shows the hierarchy so you can see parent and child relationships.
4. Optional. Apply additional filters to narrow the campaign:
  • Users — limit the review to a subset of users.
  • Accounts — limit by account criteria.
  • Grants — apply grant-level filters.
5. Click Validate scope to preview the access that will be included in the campaign.
6. Follow the remaining campaign setup steps to stage and start the campaign.
The same scope configuration is available on campaign templates, so a By inheritance scope can be reused on a schedule.

What reviewers see

Reviewers work through the resolved access just like any other campaign. Because the review is organized around resources, the By resource review style is recommended—it presents access grouped by resource and shows the resource hierarchy, which matches how the scope was defined. Reviewers can see not only the direct assignment but also the inherited path (the parent-resource role or the group membership) that produced the access.