Google Workspace Custom Admin Role Created

Elastic Detection Rules

Summary
This rule detects the creation of custom admin roles within Google Workspace, which could indicate an attempt to escalate privileges for a user account. Adversaries may create custom admin roles to modify user permissions and escalate their access, potentially leading to unauthorized actions or lateral movement across the organization's environment. The detection matches IAM events whose action results in a new role being created. When it triggers, analysts should verify the legitimacy of the action and of the associated user, keeping in mind that legitimate administrative activity can produce false positives. The rule supports the best practice of least privilege by helping ensure that role assignments reflect proper permission policies.
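The triage step described above, as an added example that is not the rule's own query or code from Elastic. It goes one step beyond the rule by attaching later assignments of each new role to the finding. The event names `CREATE_ROLE` and `ASSIGN_ROLE`, the parameters `ROLE_NAME` and `USER_EMAIL`, and the activity layout are assumed to follow the Admin SDK Reports API; all sample data is constructed.

```python
# Added example: triage for custom admin role creation (constructed data).
# Event names and parameters are assumed to follow the Admin SDK Reports API
# "admin" application: CREATE_ROLE / ASSIGN_ROLE with ROLE_NAME, USER_EMAIL.

def make_activity(time, actor, name, **params):
    """Build one constructed audit activity in Reports API shape."""
    return {"id": {"time": time, "applicationName": "admin"},
            "actor": {"email": actor},
            "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": name,
                        "parameters": [{"name": k, "value": v}
                                       for k, v in params.items()]}]}

SAMPLE_ACTIVITIES = [  # constructed sample, not real logs
    make_activity("2024-01-10T09:00:00Z", "alice@example.com", "CREATE_ROLE",
                  ROLE_NAME="helpdesk-plus"),
    make_activity("2024-01-10T09:05:00Z", "alice@example.com", "ASSIGN_ROLE",
                  ROLE_NAME="helpdesk-plus", USER_EMAIL="bob@example.com"),
    make_activity("2024-01-10T10:00:00Z", "carol@example.com", "ASSIGN_ROLE",
                  ROLE_NAME="existing-role", USER_EMAIL="dave@example.com"),
]

def flatten(activities):
    """Yield (time, actor, event name, parameter dict) for admin events."""
    for act in activities:
        if act.get("id", {}).get("applicationName") != "admin":
            continue
        for ev in act.get("events", []):
            params = {p["name"]: p.get("value")
                      for p in ev.get("parameters", [])}
            yield (act["id"].get("time", ""),
                   act.get("actor", {}).get("email"), ev.get("name"), params)

def find_custom_role_creations(activities):
    """Return one finding per CREATE_ROLE, with later assignments attached."""
    rows = sorted(flatten(activities), key=lambda r: r[0])
    findings = []
    for time, actor, name, params in rows:
        if name != "CREATE_ROLE":
            continue
        role = params.get("ROLE_NAME")
        # Only assignments at or after the creation time belong to this role.
        assigned = [p.get("USER_EMAIL") for t, _, n, p in rows
                    if n == "ASSIGN_ROLE" and t >= time
                    and p.get("ROLE_NAME") == role]
        findings.append({"time": time, "created_by": actor, "role": role,
                         "assigned_to": assigned,
                         "self_assigned": actor in assigned})
    return findings

if __name__ == "__main__":
    for finding in find_custom_role_creations(SAMPLE_ACTIVITIES):
        print(finding)
```

The `self_assigned` flag marks the case where the account that created the role also granted it to itself, which is worth checking first during review.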
Categories
  • Cloud
  • Identity Management
  • Other
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2020-11-17