OpenGraph Inheritance and Include All

OpenGraph - Inheritance & Include-All

This page covers the two flags that most change OpenGraph size and shape:

• --expand-inherited
• --include-all

TLDR

Flag	Default	What It Does	Typical Impact
--expand-inherited	Off	Expands inherited IAM scope fan-out through org/folder/project hierarchy	More reachable target scope from inherited bindings
--include-all	Off	Keeps broader IAM binding edges, not only high-signal dangerous-rule edges	Much denser graph and more noise

--expand-inherited

Use this when you want inheritance-aware pathing. For example, if a binding is attached at the organization level, you might not see the privilege escalation in the graph if you don't factor in inheritance. --expand-inherited makes sure that the organization binding propagates downwards to the projects which in turn can register priv escalation edges as it falls within an expected scope.

modules run enum_gcp_cloud_hound_data --expand-inherited --reset --out Bloodhound_Output.json

Typical use cases:

• parent-scope IAM binding blast-radius validation
• hierarchy-aware escalation review

--include-all

Use this when you want broader IAM relationship coverage. For example, you might want to see all bindings attached to user:alice@example.com even if the binding does not lead to privilege escalation.

modules run enum_gcp_cloud_hound_data --include-all --reset --out Bloodhound_Output.json

Typical use cases:

• engineering/debug validation
• custom research where you want lower-signal paths preserved

Combined Mode

modules run enum_gcp_cloud_hound_data --expand-inherited --include-all --reset --out Bloodhound_Output.json

This is maximum coverage and maximum noise.

Practical Guidance

1. Start with default mode for fast triage and --expand-inherited to get the best results.
2. Add --include-all only when you explicitly need exhaustive graph relationships.
3. Add --cond-eval only when testing conditional behavior paths (see OpenGraph - IAM Conditionals).