CID Checks

On the Delinea Platform, Continuous Identity Discovery (CID) leverages a subset of checks designed to discover and secure privileged cloud identities that pose potential security risks. These include checks that are specific to vaulting in Secret Server as well as checks that are not specific to vaulting.

CID check results are returned only if you use the built-in password changer for the application, because the checks require a strong identifier that includes both the username and the application.

The Delinea Platform provides checks for both ITP/PCCE and CID, but these are two separate products. You might have access to one product's capabilities without access to the other's.

Vaulting-Specific Checks

Unvaulted Admin Credentials

Flags privileged accounts whose credentials are not stored securely in a password vault.

Unvaulted Admin Access Keys

Detects admins whose AWS access keys are not vaulted in Secret Server. All access keys and similarly sensitive information should be managed as vaulted secrets in Secret Server.

Supported for AWS only.

Unvaulted Privileged Account Credentials

Identifies privileged user accounts whose credentials are not vaulted, creating the potential for unauthorized access.

You can configure privileged account definitions on the Collections page.

Unvaulted Privileged Account Access Keys

Detects privileged accounts whose AWS Access Keys are not vaulted in Secret Server. All access keys and similarly sensitive information should be managed as vaulted secrets in Secret Server.

Supported for AWS only.

You can configure privileged account definitions on the Collections page.

Unvaulted Shadow Admin Credentials

Highlights users with shadow admin rights that lack vault protection, increasing exposure.

Supported for Active Directory, AWS, Azure, GCP.

Unvaulted Shadow Admin Access Keys

Detects shadow admins whose AWS Access Keys are not vaulted in Secret Server. A shadow admin is a user without full administrative privileges, but with elevated privileges that grant them some control over other users or privileged administrative tasks. All access keys and similarly sensitive information should be managed as vaulted secrets in Secret Server.

Supported for AWS only.

Unvaulted Local Admin on Windows Computers

Searches for user accounts that have administrative access to local computers/servers. Presence of unvaulted local administrator accounts increases risk of credential theft and lateral movement.

Supported only for Active Directory.

Unvaulted App Registrations

Detects app registrations whose credentials are not vaulted in Secret Server. All log-in credentials and similarly sensitive information should be managed as vaulted secrets in Secret Server.

Supported only for Entra.

Unvaulted PAM Bypassing Using Credentials

Identifies privileged accounts (e.g., admins, shadow admins) that bypass Secret Server by logging in with unvaulted credentials. This check analyzes account activities to detect whether a user accessed a cloud application without using vaulted credentials, and triggers an alert if the account has vaulted access but chose non-vaulted access instead.

Ensure that privileged users can only access cloud applications through Secret Server using vaulted login credentials.

Based on activities Delinea collects.

This check includes all privileged accounts (admins, shadow admins, privileged accounts).

Vaulted PAM Bypassing Using Credentials

Identifies vaulted privileged accounts (e.g., admins, shadow admins) that bypass Secret Server by storing credentials locally. This check analyzes account activities to detect whether a user accessed a cloud application without going through Secret Server despite having vaulted access.

Ensure that privileged users follow security best practices: access cloud applications through Secret Server using vaulted login credentials, and do not store credentials locally.

Based on activities Delinea collects.

This check includes all privileged accounts (admins, shadow admins, privileged accounts).
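Both PAM-bypass checks above correlate application logins with Secret Server usage. The following is an added example, not Delinea's own logic: it assumes a login counts as vaulted only if a checkout of the matching (username, application) secret occurred shortly before it, and flags logins by privileged accounts that have vaulted access but did not go through the vault. All event data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class LoginEvent:
    username: str
    application: str
    at: datetime


@dataclass
class VaultCheckout:
    username: str
    application: str
    at: datetime


def vault_bypass_logins(logins, checkouts, vaulted_privileged,
                        window=timedelta(minutes=15)):
    """Return logins by privileged accounts that hold a vaulted secret for the
    application but were not preceded by a Secret Server checkout within `window`.
    Assumption (hypothetical, not from the Delinea docs): a login is "vaulted"
    only when a matching checkout happened at most `window` before it."""
    flagged = []
    for login in logins:
        key = (login.username, login.application)
        if key not in vaulted_privileged:
            continue  # not a privileged account with vaulted access: out of scope
        used_vault = any(
            c.username == login.username
            and c.application == login.application
            and timedelta(0) <= login.at - c.at <= window
            for c in checkouts
        )
        if not used_vault:
            flagged.append(login)
    return flagged


# Constructed sample data: privileged (username, application) pairs with a vaulted secret
T = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
VAULTED_PRIVILEGED = {("alice.admin", "aws-console"), ("bob.admin", "okta")}
CHECKOUTS = [VaultCheckout("alice.admin", "aws-console", T - timedelta(minutes=5))]
LOGINS = [
    LoginEvent("alice.admin", "aws-console", T),                    # checked out 5 min earlier: OK
    LoginEvent("bob.admin", "okta", T + timedelta(hours=1)),        # no checkout at all: bypass
    LoginEvent("erin.user", "okta", T),                             # not privileged: ignored
]

if __name__ == "__main__":
    for login in vault_bypass_logins(LOGINS, CHECKOUTS, VAULTED_PRIVILEGED):
        print(f"PAM bypass: {login.username} -> {login.application} at {login.at.isoformat()}")
```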

Other Checks, not Vaulting-Specific

Limit Number of Administrators

Limit the number of administrative accounts to ease audit efforts and reduce the potential impact of credential compromise.

You can set a threshold that defines the expected number of admins, so that the check does not fail while the count stays within that threshold.

Enable MFA for all Admins

Detects admin user accounts without multi-factor authentication enabled.

Delinea searches for any user account with the MFA property set to false. To ensure that the user has a chance to set up MFA before being detected, Delinea ignores any account that was never activated (staged) and any account that never performed an initial login (has a login date that is empty or set to 1970).
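The filtering rule above, as an added example that is not Delinea's code: admins with the MFA property set to false are reported, but staged accounts and accounts that never performed an initial login (empty login date or the 1970 epoch) are skipped. The user records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Some identity providers report "never logged in" as the Unix epoch (1970-01-01).
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


@dataclass
class UserAccount:
    username: str
    is_admin: bool
    mfa_enabled: bool
    status: str                     # constructed values: "ACTIVE" or "STAGED"
    last_login: Optional[datetime]  # None = login date is empty


def never_logged_in(user: UserAccount) -> bool:
    """True when the login date is empty or is the 1970 epoch sentinel."""
    return user.last_login is None or user.last_login.year == 1970


def admins_without_mfa(users):
    """Return admin usernames with MFA off, skipping staged accounts and accounts
    that never performed an initial login so they still get a chance to enroll."""
    return [
        u.username for u in users
        if u.is_admin
        and not u.mfa_enabled
        and u.status != "STAGED"
        and not never_logged_in(u)
    ]


# Constructed sample directory export (not real accounts)
SAMPLE_USERS = [
    UserAccount("alice.admin", True, False, "ACTIVE", datetime(2024, 3, 1, tzinfo=timezone.utc)),
    UserAccount("bob.admin", True, True, "ACTIVE", datetime(2024, 3, 2, tzinfo=timezone.utc)),
    UserAccount("carol.new", True, False, "STAGED", None),     # never activated: ignored
    UserAccount("dave.admin", True, False, "ACTIVE", EPOCH),   # never logged in: ignored
    UserAccount("erin.user", False, False, "ACTIVE", datetime(2024, 3, 3, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(admins_without_mfa(SAMPLE_USERS))  # ['alice.admin']
```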

Limit Number of Administrators [Federated Access]

Detects federated admin accounts, as a new federated administrative account might be an indication of persistence or lateral movement achieved by an attacker. Validate that the user should be an admin; otherwise remove admin privileges.

Supported for apps that are not IdPs.

You can set a threshold that defines the expected number of admins, so that the check does not fail while the count stays within that threshold.

Limit Number of External Administrators

Detects external admin accounts, as a new administrative account might be an indication of persistence or lateral movement achieved by an attacker. Validate that the user should be an admin; otherwise remove admin privileges.

Limit Number of Domain Admins

Domain Admins group should contain only the minimum number of necessary users. Excessive membership increases risk and management complexity.

You can set a threshold that defines the expected number of admins, so that the check does not fail while the count stays within that threshold.

Limit Number of Super Admins

Application-level admin roles grant users the highest scope of permission in the application, and increase the blast radius in the organization. Delinea recommends keeping their number as small as possible. Super admin is the most privileged type of role in Okta.

You can set a threshold that defines the expected number of admins, so that the check does not fail while the count stays within that threshold.

Limit Number of Organization Admins

Application-level admin roles grant users the highest scope of permission in the application, and increase the blast radius in the organization. Delinea recommends keeping their number as small as possible.

You can set a threshold that defines the expected number of admins, so that the check does not fail while the count stays within that threshold.

Limit Number of Global Admins

Application-level admin roles grant users the highest scope of permission in the application, and increase the blast radius in the organization. Delinea recommends keeping their number as small as possible.

You can set a threshold that defines the expected number of admins, so that the check does not fail while the count stays within that threshold.

Remove Shadow Admins

Detects accounts with shadow admin entitlements. A shadow admin is a user that does not have full administrative privileges but has sensitive privileges that grant them control over other users or sensitive administrative tasks. The policy logic tracks both local and federated accounts. The full list of shadow admin permissions that are evaluated and their combinations can be found here.

Supported for Active Directory, AWS, Azure, GCP.

App Registrations with Stale Credentials

Identifies app registrations with credentials that have not been rotated, to ensure adherence to organizational key rotation policies. Use the policy definition step to specify the number of days after which a key must be rotated, as per your organizational policy.

Supported only for Entra.
