---
title: >-
  Role assignments should not grant the User Access Administrator role at root
  scope
description: Datadog, the leading service for cloud-scale monitoring.
---

# Role assignments should not grant the User Access Administrator role at root scope
 
## Description{% #description %}

The User Access Administrator role grants the ability to manage access to all Azure resources. When assigned at root scope (`/`), this privilege extends across every management group, subscription, and resource in the tenant. Assigning this role at root scope creates an elevated attack surface: any compromise or misuse of such an account could allow RBAC changes across the entire tenant. This assignment should be reserved for break-glass scenarios and removed once the task is complete.

## Remediation{% #remediation %}

Remove any User Access Administrator role assignments scoped to `/` that are not required. Use the Azure portal under Microsoft Entra ID > Properties > Access management for Azure resources, or remove assignments directly in Subscriptions > Access control (IAM). See [Elevate access to manage all Azure subscriptions and management groups](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin).
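To find the assignments to review before removing them, the following added example (not part of the Datadog rule or Microsoft's tooling) filters exported role assignments for User Access Administrator at exactly root scope and marks the ones that have outlived a break-glass window. It assumes the input is JSON shaped like `az role assignment list --all -o json` output with `scope`, `roleDefinitionId`, `principalName` and `createdOn` fields; the 8-hour window, the function name and the sample records are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Built-in role definition GUID for User Access Administrator.
UAA_ROLE_GUID = "18d7d88d-d35e-4fb1-a5c3-7773c20a72d9"
MAX_AGE = timedelta(hours=8)  # assumed break-glass window, not a value from the page
_DEF = "/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed sample, shaped like `az role assignment list --all -o json` output.
SAMPLE = json.dumps([
    {"principalName": "alice@example.com", "scope": "/",
     "roleDefinitionId": _DEF + UAA_ROLE_GUID, "createdOn": "2024-05-01T09:00:00+00:00"},
    {"principalName": "bob@example.com", "scope": "/",
     "roleDefinitionId": _DEF + UAA_ROLE_GUID.upper(), "createdOn": "2024-05-03T07:00:00Z"},
    # Same role, but scoped to a management group: not root scope.
    {"principalName": "carol@example.com",
     "scope": "/providers/Microsoft.Management/managementGroups/example-mg",
     "roleDefinitionId": _DEF + UAA_ROLE_GUID, "createdOn": "2024-04-01T00:00:00+00:00"},
    # Root scope, but a different built-in role (Reader).
    {"principalName": "dave@example.com", "scope": "/",
     "roleDefinitionId": _DEF + "acdd72a7-3385-48ef-bd42-f606fba81ae7",
     "createdOn": "2024-04-01T00:00:00+00:00"},
])
NOW = datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def root_uaa_findings(assignments, now, max_age=MAX_AGE):
    """Return User Access Administrator assignments whose scope is exactly '/'."""
    findings = []
    for a in assignments:
        # Match on the role GUID (last path segment) rather than the display name.
        guid = a.get("roleDefinitionId", "").rstrip("/").rsplit("/", 1)[-1].lower()
        if guid != UAA_ROLE_GUID or a.get("scope") != "/":
            continue
        created = a.get("createdOn")
        age = (now - datetime.fromisoformat(created.replace("Z", "+00:00"))
               if created else None)
        findings.append({
            "principal": a.get("principalName") or a.get("principalId"),
            "age_hours": None if age is None else round(age.total_seconds() / 3600, 1),
            # Unknown creation time is treated as stale so it gets reviewed.
            "stale": age is None or age > max_age,
        })
    return findings


if __name__ == "__main__":
    for f in root_uaa_findings(json.loads(SAMPLE), NOW):
        print(f)
```

Every returned entry is a root-scope assignment this rule would flag; the `stale` field only helps prioritise which ones have clearly outlasted their break-glass purpose.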
