Access Explorer

The Access Explorer is a visual representation of the relationships between identities, assets, and access policies.

The Access Explorer displays membership or access policies based on the filter and source selected.

You can use the Access Explorer to find out the following:

  • how a cloud identity gains access to an asset

  • which cloud identities have access to an asset

  • when access or membership was granted

Each rectangular block in the Explorer contains an icon (representing the cloud entity type: Asset/Identity/Account/Group) or a logo (representing an application), as well as a name and a type.

Direct vs. Indirect Access

Cloud service users can have direct or indirect access:

  • Direct access - the actor (cloud service user, for example) has been assigned permission to an asset directly. For example, a cloud service user has read access to a file.

  • Indirect access - the cloud service user has permission because they belong to a group or a role that enables access.

The following example shows how this is displayed in the Platform:

Direct Access Example

When you click the Access Explorer link, the Access Explorer shows that John Gregory has direct privileges to Okta.

Indirect Access Example

When you click the Access Explorer link, the Access Explorer shows that John Gregory is a member of the O365 service user group, and that the group has privileges to Okta.

In the Memberships and Access Privileges inventories, if you remove the Direct Access = Yes filter (because you want to show all entities, even if their access is indirect), the “Showing partial results of Memberships” message may be displayed.

This indicates that calculating full effective access may take some time. To show the complete effective access list, create a Collection (which will calculate while you are working elsewhere).
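The direct versus indirect distinction in this section can be modelled as a walk over membership and grant edges. The following is an added example, not the platform's own code or data model; it goes beyond the page's single-group case to nested groups and membership cycles, and the entities "All Staff", "SharePoint" and "Wiki" and both function names are constructed for illustration.

```python
from collections import deque

# Constructed sample data (not exported from any real platform).
# MEMBER_OF: entity -> groups/roles it belongs to
MEMBER_OF = {
    "John Gregory": ["O365 service user group"],
    "O365 service user group": ["All Staff"],
    "All Staff": ["O365 service user group"],  # deliberate membership cycle
}
# GRANTS: entity -> assets it has been assigned permission to directly
GRANTS = {
    "John Gregory": ["Okta"],
    "O365 service user group": ["Okta", "SharePoint"],
    "All Staff": ["Wiki"],
}

def effective_access(identity, member_of=MEMBER_OF, grants=GRANTS):
    """Return {asset: {"direct": bool, "paths": [[identity, group..., asset], ...]}}."""
    result = {}
    seen = {identity}
    queue = deque([[identity]])  # each item is the membership path walked so far
    while queue:
        path = queue.popleft()
        holder = path[-1]
        for asset in grants.get(holder, []):
            entry = result.setdefault(asset, {"direct": False, "paths": []})
            entry["paths"].append(path + [asset])
            if holder == identity:  # grant sits on the identity itself
                entry["direct"] = True
        for group in member_of.get(holder, []):
            if group not in seen:  # expand each group once, so cycles terminate
                seen.add(group)
                queue.append(path + [group])
    return result

def indirect_only(identity, **kw):
    """Assets the identity reaches solely through group or role membership."""
    access = effective_access(identity, **kw)
    return sorted(a for a, e in access.items() if not e["direct"])

if __name__ == "__main__":
    for asset, entry in effective_access("John Gregory").items():
        kind = "direct" if entry["direct"] else "indirect"
        for p in entry["paths"]:
            print(f"{asset:<11}{kind:<9}{' -> '.join(p)}")
```

In this sample, Okta is reachable both directly and through the group, so revoking only the direct grant would leave the access in place; the recorded paths show every route that has to be reviewed.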

To use the Access Explorer:

  1. In the From fields, select a source type (Identity, Account, Asset, or Group) and then the entity itself, such as a cloud service user or an asset. (If the Access Explorer was opened through one of the inventory views, the From source will already be chosen.)

  2. In the Target field, select an option. The options will differ based on the From selection. The filters available are the same as those in the inventory in the From selection. The full list of filters is described in Inventory Filter Properties.

  3. In the Access field, select an option. The options are the same as those in the Access Policies or Memberships inventory, except that “Direct” and “Limit Inheritance” are not available here. This is because the Access Explorer is limited to one source, so it can show that source’s full range of access without any calculations. The data in the Access Policies and Memberships inventories covers multiple sources, so the range shown is smaller and it may need time to calculate.

Minimizing the filter bar

To minimize the filter bar, click the up caret in the filters section.

Grouping of similar entities

To save space in the Access Explorer graph, the platform automatically groups similar entities (assets, accounts, identities, or groups) when their privileges and applications are the same.

When looking at a group, Users and Identities are consolidated.

You can double-click on a grouping to display its contents.

Controls

In the bottom left corner of the Access Explorer graph there is a control menu:

You can use the Time created feature to see which accesses were created during a specific time. Click the clock and select a period.

Focusing on an object

Double-clicking on an object designates the object as the "Source".

  • When double-clicking an identity, you are shown all the assets it can access.

  • When double-clicking an asset, you are shown all the identities that have access to it.

  • When double-clicking a group or role, you are shown all the assets its members can access.

  • When double-clicking an account, you are shown all the assets it can access.

Moving a Node

To move a node, click it and move it while holding the mouse button.

Highlighting a path

You can highlight a path from a node back to its source to see the full path of permission.

To highlight, click a node.

Quick “Hover” View

Quick views are available throughout the platform, providing useful information about the entity. In the Access Explorer graph, you can get information about each entity by hovering over it.

Click on the title in the Quick View to open its single entity page.