This repository has been archived by the owner on Jun 5, 2023. It is now read-only.

Investigate External Project Access Scanner Compatibility with CAI #3067

Open
kevensen opened this issue Aug 10, 2019 · 0 comments
Labels
priority: p3 Desirable enhancement or minor bug fix triaged: yes

Comments

@kevensen
Contributor

The External Project Access Scanner (referred to hereafter as EPAS) doesn't function the same as other scanners. Consider the following. We are in Organization A with Forseti deployed. A user has access to a project in Organization B. No logs and no API data in Org A expose this fact. Therefore, this information never ends up in Forseti's inventory.

In order to overcome this, EPAS iterates over each user in Org A and obtains delegated credentials for each user. Using these delegated credentials, EPAS then queries for a list of projects for which the user has access. This list happens to include projects that are not necessarily in Org A.

This takes an extraordinary amount of time for large organizations. For this reason, EPAS is not included in a periodic run. It must be invoked manually. But this isn't the issue at hand.

The issue is that the CAI may not show a user's relation to projects outside of Org A. This needs to be investigated, confirmed, and hopefully resolved.

@kevensen kevensen self-assigned this Aug 10, 2019
@kevensen kevensen added triaged: yes priority: p3 Desirable enhancement or minor bug fix labels Aug 12, 2019
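The per-user scan described in the issue above, sketched as an added example; it is not part of the original issue and is not Forseti's code. `list_projects` and `org_of` are hypothetical stand-ins for the delegated-credential project listing and an ancestry lookup, all IDs and users are constructed, and treating a project with no organization as outside Org A is an assumption of this sketch.

```python
HOME_ORG = "organizations/1111"  # constructed ID standing in for Org A

# Constructed sample data: what each user's delegated credentials can list,
# and each project's organization ancestor (None = project has no org).
SAMPLE_PROJECTS = {
    "alice@a.example": ["a-billing", "b-analytics"],
    "bob@a.example": ["a-billing"],
    "carol@a.example": ["standalone-lab", "b-analytics"],
}
SAMPLE_ORG_OF = {
    "a-billing": "organizations/1111",
    "b-analytics": "organizations/2222",
    "standalone-lab": None,
}


def sample_list_projects(user):
    """Hypothetical stand-in for a project listing made as `user`."""
    if user == "dave@a.example":  # constructed case: delegation fails
        raise PermissionError("cannot impersonate " + user)
    return SAMPLE_PROJECTS.get(user, [])


def scan_external_access(users, list_projects, org_of, home_org=HOME_ORG):
    """Return (findings, failed_users, ancestry_lookups).

    findings maps each user to the sorted projects they can see whose
    organization ancestor is not home_org.
    """
    cache = {}  # project -> org, so each distinct project is resolved once
    findings, failed = {}, []
    for user in users:  # one delegated listing per user: the slow part
        try:
            projects = list_projects(user)
        except PermissionError:
            failed.append(user)  # surface coverage gaps instead of hiding them
            continue
        external = []
        for project in projects:
            if project not in cache:
                cache[project] = org_of(project)
            if cache[project] != home_org:
                external.append(project)
        if external:
            findings[user] = sorted(external)
    return findings, failed, len(cache)
```

The listing cost grows with the number of users, which is why the failed-user list matters: a user who could not be impersonated is unscanned, not clean.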