Identities

Identities Description: Identities and accounts (human or non-human) in your organization.

The Identities inventory table shows the following:

  • Identities: A unique identity (human or nonhuman) that owns one or more accounts. A nonhuman identity could be a machine identity, an automatic identity, or any other identity that doesn’t belong to a human.

  • Accounts: A unique account (human or nonhuman) in a single application. A nonhuman account might be a service account, a workload, or even a user account used for automated tasks.

You can view the Identities page from Inventory > Identities.

The inventory page opens to display all the identities and accounts in your organization. You can drill down into an identity or account for detailed information. For example, you can click on an identity to see what assets they can use, what privileges they have on those assets, and how they got those privileges (directly, through an IDP, or through a group membership or role).

You can toggle between these views:

  • Identities view: List of all the unique identities.

  • Accounts view: List of identities according to their accounts.

Multiple accounts that belong to one identity are shown differently:

  • In the Identities view, they are shown as one account. By default, they are merged by matching the email address. To change the merge method, see Customize Identity Merging Rules.

  • In the Accounts view, they are shown as separate accounts.

When switching views, page filters remain active.

The inventory pages display information that was either gathered from integrated systems or entered manually and then processed by the platform.

Filter and modify the table display

By default, the Identities inventory table is sorted by number of incidents, in descending order. To customize the table view, you can:

  • Filter the content displayed

    The full list of filters is described in Inventory Filter Properties. You can search by using an account filter parameter to see the identities that have those accounts, or search using an identity filter to see accounts with those identities.

  • Save a filter as a Collection to be used in other parts of the platform

  • Change the sort order

  • Change the display of columns

  • Use tags

  • Export the data to a CSV

  • See a quick view of an entity

  • Zoom in on an entity by using its single-entity view

For more information about these filter and display options, see Inventories User Interface.

You can also investigate an entity in Access Explorer, by clicking the Access Explorer link,. For more information, see Access Explorer.

Insight into selected table data

In the Incidents column, click the value to see all incidents related to an Identity. The Incidents page opens with the right-side viewing pane showing the first incident. To see the details of a different incident, click the other incident.

You can use the following columns to understand the user’s access, as an alternative to looking at the Access Policy page:

  • The Source Apps column shows the access that federated apps have granted to each identity or account. This column represents the applications the user has accounts in.

  • The Access to Apps column shows the applications the user can access. For example, if the IdP is Okta, Okta is shown in the Source Apps column and all the apps that can be accessed through Okta are shown in the Access to app column.

Insight into selected filter options

  • To focus on federated apps, use Account Source App to filter for the federated apps you are interested in.

  • You can use the Admin access, Shadow Admin Access, and Privileged access filters to find accounts or identities with these kinds of access.

Identity filter examples

  • You can combine these two filters to find an Okta user who is an admin in an AWS account.

  • You can find all users with absolutely no admin rights by selecting the various admin filters and setting their value to No.

Customize Identity Merging Rules

Identity merging is the process by which different user accounts are merged into one identity. By default, Delinea merges accounts based on matching email addresses. The identity is named using the user’s first and last names or, if that can not be determined, the email address. Instead of merging accounts based on matching email addresses alone, you can customize the way that user accounts are matched by setting up your own merging rules.

Merging the identities can take up to a few hours, depending on the environment size and the merging rules.

To change the default merging rules:

  1. Choose Settings > Identity Merging.

  2. Select one of the following options:

    • Merge accounts with the same email

      (Default) Merges accounts that have identical email addresses.

      For example, the following accounts will be merged into the same identity:

      Account 1 (email): asmith@delinea.com

      Account 2 (email): asmith@delinea.com

    • Merge accounts with the same employee ID

      Merges accounts that share the same employee id.

      For example, the following accounts will be merged into the same identity:

      Account 1 (employee ID): 1033394

      Account 2 (employee ID): 1033394

      Merge accounts with the same email prefix

      Merges accounts that share the same email address prefix.

      For example, the following accounts will be merged into the same identity:

      Account 1 (email): asmith@delinea.com

      Account 2 (email): asmith@acme.com

    • Merge accounts with the same full name

      Merges accounts with identical first and last names.

      For example, the following accounts will be merged into the same identity:

      Account 1 (full name): Adam Smith

      Account 2 (full name): Adam Smith

    • Merge accounts matching full name to first name initial with last name

      Merges accounts where one has a full name and the other has the first name initial followed by the last name.

      For example, the following accounts will be merged into the same identity:

      Account 1(full name): Adam Smith

      Account 2 (first name initial + last name): ASmith

    • Merge accounts matching email prefix to first name initial + last name

      Merges accounts where the email prefix matches the first name initial and last name.

      For example, the following accounts will be merged into the same identity:

      Account 1 (email): asmith@delinea.com

      Account 2 (first name initial + last name): A.Smith

    • Merge accounts with the same email prefix matching to username/Login

      For example, the following accounts will be merged into the same identity:

      Account 1 (email): asmith@delinea.com

      Account 2 (username): asmith

    • Merge accounts with the same email matching exactly to username/Login

      For example, the following accounts will be merged into the same identity:

      Account 1 (email): asmith@delinea.com

      Account 2 (username): asmith@delinea.com

    • Merge accounts with the same email but replace

      Specify a replacement string to use when merging accounts with the same email address. You can define multiple such rules.

      Example:

      Merge accounts with email addresses that contain "_user", and replace "_user" with nothing (no replacement string specified).

      Result:

      The accounts adam_user@delina.com and adam@delinea.com will be merged into the same identity.

    • Merge accounts using regular expression pattern and replace

      Use regular expressions to create a more advanced merging configuration. You can define multiple such rules. Matching is case-insensitive.

      Example:

      Accounts starting with any number should be merged to "admin_”.

      Result:

      419asmith@delinea.com is merged into admin_asmith@delinea.com.