A system to detect an abnormal classic authorizations, such as in a classic authorization system of a resource access management system, and take action is described. The system determines an anomaly score in from a model applied to a classic assignment event. An indicator score is determined from the classic assignment event applied to domain-based rules. The security action is taken based on a combination of the anomaly score and the indicator score.