
OpenGraph Inheritance IncludeAll

WebbinRoot edited this page Apr 2, 2026 · 1 revision

OpenGraph - Inheritance & IncludeAll

This page explains the two OpenGraph flags that most directly change IAM edge volume and scope expansion behavior:

  • --expand-inheritance
  • --include-all

Use this page with:

TLDR

Flag: --expand-inheritance
  Default: Off
  What it does: Expands policy location inheritance across compartment ancestry/descendants for graph modeling.
  Typical impact: More destination scope coverage from a single statement location.

Flag: --include-all
  Default: Off
  What it does: Emits all IAM-derived edges/nodes, not just allowlist-focused high-signal edges.
  Typical impact: Much larger graph and noisier path results.

Flag Details

--expand-inheritance

When enabled, OpenGraph expands policy-statement location context so inherited access relationships are represented in graph output.

Use this when:

  • You need full inheritance-aware blast-radius analysis.
  • You are validating whether a policy in parent scope influences descendant compartments.

Tradeoff:

  • More complete scope modeling, but more edges and longer analysis cycles.

For example, assume the statement Allow group 'Default'/'tenant_group' manage secret-family in tenancy is set at the tenant level. Without inheritance expansion, the access appears scoped to tenancy-level secrets only. With inheritance enabled, edges are also drawn to each child compartment.

Figure 1. Without --expand-inheritance, access stays scoped to tenancy-level secret targets.

Figure 2. With --expand-inheritance, inherited access is propagated to child compartments.

--include-all

When enabled, OpenGraph keeps all IAM edges/nodes that can be emitted by the pipeline, including lower-signal paths normally excluded from default allowlist-focused output.

Use this when:

  • You are doing exhaustive IAM analysis.
  • You need raw coverage for custom detections or bespoke edge research.

Tradeoff:

  • Better completeness, but significantly more noise in graph output.

Combined Behavior

Using both flags together gives the largest output:

  • --expand-inheritance increases where access can flow.
  • --include-all increases what access relationships are retained.

Note that conditional evaluation (--cond-eval) can also be layered on top of both flags.

This is useful for deep engineering review, but it is usually too noisy for fast operator triage.

For example, assume the statement Allow group 'Default'/'tenant_group' {SECRET_INSPECT} in compartment Prod is set at the tenant level. By default this edge is not graphed, because SECRET_INSPECT by itself is not a privilege-escalation vector. If you still want every edge, --include-all retains it as a generic OCI_POLICY_BUNDLE edge.

Figure 3. With --include-all, lower-signal IAM statements are retained as OCI_POLICY_BUNDLE evidence edges.
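The following is an added illustrative model of how the two flags change edge output, using the two statements from the examples above; it is not OpenGraph's own code. The compartment tree, the statement tuples and the HIGH_SIGNAL allowlist are constructed assumptions.

```python
# Illustrative model of --expand-inheritance and --include-all (added example,
# not OpenGraph's pipeline). Hierarchy, statements and allowlist are assumptions.

# Constructed compartment hierarchy: name -> parent (None marks the tenancy root)
COMPARTMENTS = {"tenancy": None, "Prod": "tenancy", "Dev": "tenancy", "Prod-DB": "Prod"}

# Assumed allowlist of verbs the default (high-signal) output keeps as real edges
HIGH_SIGNAL = {"manage"}


def descendants(root):
    """Return root plus every compartment below it in the parent map."""
    out = {root}
    for name, parent in COMPARTMENTS.items():
        if parent == root:
            out |= descendants(name)
    return out


def destination_scopes(location, expand_inheritance):
    """Scopes a statement at `location` reaches; inheritance adds the children."""
    return descendants(location) if expand_inheritance else {location}


def build_edges(statements, expand_inheritance=False, include_all=False):
    """Emit (group, edge_kind, scope) tuples the way the two flags would shape them."""
    edges = []
    for group, verb, location in statements:
        if verb in HIGH_SIGNAL:
            kind = verb.upper()          # allowlisted verb: kept in default output
        elif include_all:
            kind = "OCI_POLICY_BUNDLE"   # low-signal statement kept only with --include-all
        else:
            continue                     # dropped from default, allowlist-focused output
        for scope in sorted(destination_scopes(location, expand_inheritance)):
            edges.append((group, kind, scope))
    return edges


# Constructed statements mirroring the Figure 1/2 and Figure 3 examples
STATEMENTS = [
    ("Default/tenant_group", "manage", "tenancy"),
    ("Default/tenant_group", "SECRET_INSPECT", "Prod"),
]

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (False, True), (True, True)]:
        print(flags, build_edges(STATEMENTS, *flags))
```

Default output yields one MANAGE edge; each flag alone adds either child-compartment scopes or the OCI_POLICY_BUNDLE edge, and both together give the largest set.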

Command Patterns

# Default (high-signal focused)
modules run enum_oracle_cloud_hound_data

# Inheritance-aware graph expansion
modules run enum_oracle_cloud_hound_data --expand-inheritance

# Exhaustive IAM edge coverage (higher noise)
modules run enum_oracle_cloud_hound_data --include-all

# Maximum coverage + maximum noise
modules run enum_oracle_cloud_hound_data --expand-inheritance --include-all --cond-eval

Practical Guidance

  1. Start with default output for triage.
  2. Add --expand-inheritance when compartment hierarchy matters to the question.
  3. Add --include-all only when you explicitly need exhaustive IAM path coverage.
  4. Use the OpenGraph - IAM Conditionals page if policy where clauses are materially affecting the expected edges.
