Using Access Explorer
The Access Explorer provides a visual representation of the relationships between identities, assets, and access policies. It displays membership or access policies based on the filter and source selected.
You can use the Access Explorer to find out the following:
- How a cloud identity gains access to an asset
- Which cloud identities have access to an asset
- When access or membership was granted
Each rectangular block in the Explorer contains an icon that represents the cloud entity type (Asset, Identity, Account, or Group) or a logo that represents an application, as well as a name and type.
Direct vs. Indirect Access
Cloud service users can have direct or indirect access.
- Direct access: The actor has been assigned permission to an asset directly. For example, a cloud service user has read access to a file.
- Indirect access: The cloud service user has permission because they belong to a group or a role that enables access.
The following examples show how this is displayed in the Delinea Platform.
Direct Access Example
When you click the Access Explorer link, the Access Explorer shows that John Gregory has direct privileges to Okta.
Indirect Access Example
When you click the Access Explorer link, the Access Explorer shows that John Gregory is a member of the O365 service user group, and that the group has privileges to Okta.
In the Memberships and Access Privileges inventories, if you remove the Direct Access = Yes setting (because you want to show all entities, even if their access is indirect), the “Showing partial results of Memberships” message may be displayed. This indicates that calculating full effective access may take some time. To show the complete effective access list, create a Collection, which will calculate while you are working elsewhere.
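The direct and indirect cases above can be sketched as a walk over a membership graph, which also shows why effective access across nested groups takes time to calculate. This is an added example, not Delinea code or its API; the data model (MEMBER_OF, GRANTS), the privilege names, and every entity other than John Gregory, Okta, and the O365 service user group are constructed for illustration.

```python
from collections import deque

# Constructed sample data (assumption, not exported from any real tenant).
# MEMBER_OF maps an identity, group or role to the groups/roles it belongs to.
MEMBER_OF = {
    "John Gregory": ["O365 service user group"],
    "Jane Doe": ["Helpdesk"],
    "Helpdesk": ["O365 service user group"],  # nested group
    "Sam": ["Contractors"],
    "Contractors": ["Vendors"],
    "Vendors": ["Contractors"],               # membership cycle, no grants
}

# GRANTS lists (holder, asset, privilege) assignments.
GRANTS = [
    ("John Gregory", "Okta", "read"),              # held by the identity itself
    ("O365 service user group", "Okta", "admin"),  # held by a group
]


def access_paths(identity, asset):
    """Return (kind, path, privilege) for each grant that reaches `asset`.

    kind is "direct" when the identity holds the grant itself and "indirect"
    when it is inherited through group or role membership. The path is the
    shortest membership chain from the identity to the grant holder.
    """
    results = []
    queue = deque([[identity]])
    seen = {identity}  # guards against membership cycles
    while queue:
        path = queue.popleft()
        holder = path[-1]
        for grantee, target, privilege in GRANTS:
            if grantee == holder and target == asset:
                kind = "direct" if len(path) == 1 else "indirect"
                results.append((kind, path + [asset], privilege))
        for group in MEMBER_OF.get(holder, []):
            if group not in seen:
                seen.add(group)
                queue.append(path + [group])
    return results


if __name__ == "__main__":
    for who in ("John Gregory", "Jane Doe", "Sam"):
        for kind, path, privilege in access_paths(who, "Okta"):
            print(f"{kind:8} {privilege:5} {' -> '.join(path)}")
```

Reviewing the indirect rows is what surfaces privileges an identity holds only through membership, such as the admin grant inherited here.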
To use the Access Explorer:
- In the From field, select a source type (Identity, Account, Asset, or Group), then select the entity, such as a cloud service user or an asset.
  If the Access Explorer was opened through one of the inventory views, the From source is already selected.
- In the Target field, select an option. The options vary depending on what you chose in From. The filters available are the same as those in the inventory in the From selection. For details about the filters, see Inventory Filter Properties.
- In the Access field, select an option. The options are the same as those in the Access Policies or Memberships inventory, except that “Direct” and “Limit Inheritance” are not available here. This is because the Access Explorer is limited to one source, so it can show that source’s full range of access without any calculations. The data in the Access Policies and Memberships inventories covers multiple sources, so the range shown is smaller and may need time to calculate.
Minimizing the Filter Bar
To minimize the filter bar, click the up caret in the filters section.
Grouping of Similar Entities
To save space in the Access Explorer graph, the platform automatically groups similar entities (assets, accounts, identities, or groups) when their privileges and applications are the same.
When looking at a group, Users and Identities are consolidated.
You can double-click on a grouping to display its contents.
Access Explorer Controls
In the bottom left corner of the Access Explorer graph is a control menu.
You can select Time created to see which accesses were created during a specific time. Click the clock and select a time period.
Focusing on an Object
Double-clicking an object designates the object as the Source.
- When double-clicking an identity, you are shown all the assets it can access.
- When double-clicking an asset, you are shown all the identities that have access to it.
- When double-clicking a group or role, you are shown all the assets its members can access.
- When double-clicking an account, you are shown all the assets it can access.
Moving a Node
To move a node, click and drag it while holding the mouse button.
Highlighting a Path
You can highlight a path from a node back to its source to see the full path of permission.
To highlight, click a node.
Quick “Hover” View
Quick views are available throughout the platform, providing useful information about the entity. In the Access Explorer graph, you can get information about each entity by hovering over it.
Click the title in the Quick View to open its single entity page.