Filters & Sort

Filtering is how Role Assignments turns a tenant-wide RBAC dump into a focused review. The four header filters narrow which principals show up and which assignments appear in the open detail panel. Search and sort help once the list is the right size.

Header Filters

Four filters live in the header. On narrow windows they collapse behind a Filters button with a numeric badge for the count of active filters across all four.

Filters

Principal Type
User, Group, Service Principal. User and Group are pre-selected by default.
Role / Role Category
Pick by role category (Admin, Management, Read, Other) or by specific role names. See Role Categories.
Scope / Scope Type
Management Group, Subscription, Resource Group, Resource.
Source / Assignment Source
Direct, Inherited (via Group), or both.

Service principals are hidden by default

Service principals usually account for most of the noise in a tenant's RBAC, so they're excluded from the default view. Add Service Principal to the Principal Type filter when you need them.

How Filters Combine

Filters use AND across categories and OR within a category.

Worked example

If you select:

  • Role Category = Admin
  • Scope Type = Subscription, Resource Group

The list shows principals who have at least one assignment that is Admin-tier AND (at subscription scope OR at resource-group scope). A principal whose only Admin assignment is on a single resource will not appear.

Filters update everything live

Changing any filter immediately rebuilds the principal list, the count badges next to each principal, and (if a panel is open) the assignment cards. Principals with no assignment that satisfies the active filters disappear from the list rather than appearing greyed out. Broaden a filter to bring them back.

Role Categories

Every role definition is mapped to a category based on name patterns, so a tenant with hundreds of role definitions becomes a tractable four-bucket view.

Categories

Admin
Highest-privilege roles: Owner, User Access Administrator, anything containing Administrator.
Management
Roles that can change resources: Contributor, Manager, Operator.
Read
Read-only roles: Reader, Viewer, Monitoring Reader, and similar.
Other
Custom roles and specialty roles that don't match the patterns above.

Custom roles can land in unexpected categories

A custom role named like a built-in (for example, Custom Owner) may be classified as Admin because the mapping is based on name patterns. If you rely on the Admin filter for privileged-access reviews, spot-check the role names that show up there.
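
The AND/OR rule from How Filters Combine and the name-pattern mapping described above, as an added sketch that is not the product's own code. The substring patterns, their matching order, the field names and the sample assignments are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed name patterns per category, checked in this order; first hit wins.
PATTERNS = [
    ("Admin", ("owner", "administrator")),
    ("Management", ("contributor", "manager", "operator")),
    ("Read", ("reader", "viewer")),
]

def categorize(role_name: str) -> str:
    """Map a role definition name to a category by substring match (assumed rule)."""
    name = role_name.lower()
    for category, needles in PATTERNS:
        if any(n in name for n in needles):
            return category
    return "Other"

@dataclass(frozen=True)
class Assignment:
    principal: str
    principal_type: str  # User | Group | Service Principal
    role: str
    scope_type: str      # Management Group | Subscription | Resource Group | Resource
    source: str          # Direct | Inherited

def matches(a: Assignment, filters: dict) -> bool:
    """AND across filter categories, OR within one; a missing or empty set means no filter."""
    facets = {
        "principal_type": a.principal_type,
        "role_category": categorize(a.role),
        "scope_type": a.scope_type,
        "source": a.source,
    }
    return all(not allowed or facets[key] in allowed for key, allowed in filters.items())

def visible_principals(assignments, filters):
    """A principal is listed when one single assignment passes every active filter."""
    return sorted({a.principal for a in assignments if matches(a, filters)})

# Constructed sample data.
SAMPLE = [
    Assignment("alice", "User", "Owner", "Resource", "Direct"),
    Assignment("alice", "User", "Reader", "Subscription", "Direct"),
    Assignment("bob", "User", "User Access Administrator", "Resource Group", "Inherited"),
    Assignment("carol", "User", "Custom Owner", "Subscription", "Direct"),
    Assignment("dave", "Group", "Storage Blob Data Contributor", "Subscription", "Direct"),
]
# The worked example's selection: Admin at Subscription or Resource Group scope.
WORKED_EXAMPLE = {"role_category": {"Admin"}, "scope_type": {"Subscription", "Resource Group"}}
```

With this sample, alice is filtered out even though she holds Owner and has a subscription-scope assignment, because no single assignment satisfies both filters; carol appears only because the custom role's name contains "Owner".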

Azure RBAC only

Categories and counts reflect Azure RBAC at scan time. Privileged Identity Management (PIM) eligible roles and access granted via custom external systems aren't represented here unless they were activated as standard role assignments when the scan ran.

Search

The Search box filters principals by display name (case-insensitive). It composes with the other filters: a name match still has to satisfy the active Principal Type, Role, Scope, and Source filters to appear.

Principals Sort

The dropdown next to the Principals header changes how the column is ordered.

Sort options

A-Z
Alphabetical by display name. Default.
Privileged
Ranks principals by count of Admin-tier assignments first, then Management, then alphabetically. Useful for "who has the most Owner roles?" reviews.
Count
Total assignment count, descending.

Detail Panel Sort

Inside the Access Details panel, the Sort by dropdown reorders the assignment cards.

Sort options

Privilege Level
Most privileged first (Admin → Management → Read → Other), with broadest scope first within each tier. Default.
Assigned Date
When the assignment was created in Azure.
Scope
Groups assignments by scope type (management group, subscription, resource group, resource).
Alphabetical
By role definition name.