ITP/PCCE Inventories

For both Identity Threat Protection and Privilege Control for Cloud Entitlements, Inventory pages provide a centralized and comprehensive view of all identities, access privileges, assets, and activities across an organization's cloud services and applications. This visibility is essential for detecting and mitigating identity risks and active threats, ensuring compliance, and maintaining a secure access baseline.

Inventories enable organizations to:

  • Detect and Eliminate Over-Privileges: By having a detailed inventory of access privileges, organizations can identify and mitigate over-privileges based on granular usage data and AI-based recommendations.

  • Monitor for Misconfigurations and Exposed Resources: Inventories help detect risky misconfigurations such as exposed Git repositories and stale file access on shared drives, thereby hardening the identity security posture.

You can use inventories to do the following:

  • Gain a holistic view of all the connected applications, their users, and access.

  • Identify important issues across your organization like stale cloud service accounts and users without MFA.

  • Define Collections that can later be reused for other product features such as security rules and reports.

The inventory pages display information that was either gathered from integrated systems or entered manually and then processed.

Inventory Types

Inventories are displayed on the following pages:

  • Identities: Displays identities and accounts.

    • Identity: A unique identity (human or nonhuman) that owns one or more cloud service accounts. A nonhuman identity could be a machine identity, an automatic identity, or any other identity that doesn’t belong to a human.

    • Account: A unique account (human or nonhuman) in a single application. A nonhuman account might be a service account, a workload, or even a user account that is used for automated tasks.

  • Groups: Displays entities that define permissions granted to multiple accounts. This could be an IdP group (like a group of engineers who use the same design tools to build their product or application) or an AWS role that grants the same permissions to similar actors. The Groups table displays the applications in which the groups are managed, not the applications to which those groups grant access.

  • Assets: Displays every object in integrated systems to which users can be granted access, like files, folders, databases, virtual machines, and applications.

  • Memberships: Displays all groups and their members. For example, if a group represents the Engineering department, the Membership inventory presents all its members. You can use this page to find the relationship between groups and their members, such as all groups a specific person belongs to.

  • Access Policies: Displays effective access and effective permissions. Effective access represents the permissions an entity (for example, a user) has on another entity (for example, an asset), based on what access was granted. Effective permissions are the combination of direct and indirect permissions used when accessing an object. You can use this page to find the relationship between an entity (cloud service user or group) and an asset.

  • Privileges: Displays a list of all privileges at all levels.

  • Activities: Shows actions taken by various identities, and when each action was done.

Inventories User Interface

To access inventories, click Inventory from the left navigation menu of the Delinea Platform. Select one of the choices from the secondary menu, such as Identities.

Searching by Custom Properties

You can search by custom application properties, such as subscriptions in Azure or public repositories in GitHub or GitLab. This enables you to better scope the results based on your unique organizational values.

Custom properties are added by:

  • The Delinea Platform: Each built-in integration exposes a set of custom properties. While custom properties retain the naming from their source, some imported properties are normalized on the platform with standard names.

  • Users: You can add custom properties (when building a custom integration) that enable you to import and search by any property from the source application.

Sorting the Inventory Table

Each inventory table has a default sort order, indicated by the dark arrow displayed in the column header.

To change the sort order, hover the pointer over a column header. When a dimmer arrow is displayed, you can click it to change the sort order.

Using Other Views

In addition to the Inventory table, most inventory items also have a single-entity view and a quick view.

Single-Entity View

To see more information about an inventory item, open its single-entity view by clicking either the entity name (leftmost table column) or the target name (in Access Policies, Membership, and Activities tables).

The single-entity view shows much more information about the inventory entity; for example, top incidents and MITRE tactics. You can investigate further using the Access Explorer.

Quick View

When you hover over the entity name, a quick view is displayed. The quick view shows a short list of commonly needed information. You can also investigate in the Access Explorer, show the entity in the source app (in some cases), and show the single-entity view.

Configuring Table Columns

You can customize the presentation of tables in the following ways:

  • Choose which columns are displayed

  • Resize the column widths

  • Change the order of the columns

These options are available in all inventory tables. Your choices apply only to the page where you made them and persist across future login sessions.

To set the displayed columns:

  1. From an inventory table, click Columns above the table. The list of available columns is displayed.

  2. To display a column, select it. To hide a column, clear its selection. The column display adjusts immediately. If a column name is dimmed, it cannot be hidden.

To set the column width:

  1. From an inventory table, point the cursor between column headings where you want to adjust the width until the cursor changes to multiple arrows.

  2. Drag the cursor left or right to adjust the column width.

To set the column order:

  1. From an inventory table, point the cursor at a column you wish to move. The gray column dividers on both sides are displayed.

  2. Drag and drop the column to its new position.

Exporting a Table as CSV

You can download a file in CSV format containing all information displayed on an inventory page. If the download is limited to a certain number of entries, that limit is displayed when hovering over the download icon. To download more entries than the limit allows, filter the table to sets with fewer than the maximum number of entries, then download each set separately.

Using Tags

Tags are descriptive keywords (metadata) attached to data so you can find the data by browsing or searching. Tags are displayed in inventory tables and in the single-entity view. To get more information about any system tag, hover your cursor over the tag to read an explanation.

When an application is integrated with the platform, entities tagged in the source system are similarly tagged in the platform. In some cases, the platform also applies its own tags.

You can apply tags manually from most inventory pages (except the Membership and Access Policies pages) or from the single-entity view. You can apply existing tags or create new tags. You can apply tags to one or multiple entities simultaneously.

To apply existing tags in an inventory page:

  1. Select the row you want to tag.

    To apply the same tag to multiple rows, select multiple rows.

  2. Click Add Tags, then click Add tags again.

  3. To apply an existing tag, select the tag, then click Save.
    You can search for tags by typing the first few letters.

To create and (optionally) apply new tags in an inventory page:

  1. Select an inventory row.

    If you intend to apply your new tag at the same time you create it, select one or more rows.

  2. Click Add Tags, then click Add tags again.

  3. Type a new tag name.

  4. Click Add New.

  5. (Optional) To apply the new tag, click Save.

    If you do not apply the tag, the new tag is still created. It can be applied to entities later. You can apply both existing and new tags in the same step.

  6. To add more new tags, type another new tag name and click Add New.

Filtering the Inventory Table

By default, each inventory page includes a table displaying all data relevant to the page. You can filter the table to show only the data you are interested in, creating granular queries to understand the inventories, groups, and assets in your environment. For example, you can display all the identities with admin privileges whose cloud service accounts were disabled or suspended (or are unknown).

For more information about the filter fields for each inventory, see Inventory Filter Properties.

If you have imported custom properties (shown at the end of the list), you can use those to filter. For more information on importing custom properties, see Searching by Custom Properties.

You can use these filter methods in the inventories:

  • Basic filter (Identities, Groups, Assets, and Privileges inventories). Filter the inventory table based on the properties of the inventory.

  • Advanced filter (Memberships, Access Policies, and Activities inventories). Filter an inventory table based on a broader set of properties as well as on the interconnected relationships and paths within the system. For example, you can filter for both actor and target.

Within a filter group, all filter lines are connected by the same operator: either all AND or all OR.

To split the current filter group into separate groups (thereby enabling more complex queries), click + and select AND or OR. To remove a filter group, hover and click X.

When there are options within a filter (for example, which apps an account can access), those options are always connected by OR.

You can also enter a request in plain language (such as "show me admins without MFA"). Click the search field, type your text, then click Ask AI.

On many inventory pages, you can choose among predefined quick filters that are commonly used for that inventory.

To filter a table:

  • To add filter fields, click + and select from the available filter fields.

  • To remove fields, hover over a field and click X.

As you make each change to the filter fields, the displayed table is modified to match the new filter criteria.

Inventory filters support the following operators:

  • Exact matches:

    • In or Not In

    • Is Empty

  • Mathematical matches:

    • Equal to, Greater than, and so on

  • Date matches:

    • Yesterday, Last Week, Last Year, Custom, and so on

  • String matches:

    • Contains or Not contains

    • Ends with or Not Ends with

    • Starts with or Not Starts with
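The following is an added example, not code from the Delinea Platform or its documentation: a small Python model of the filter semantics described above (all-AND or all-OR lines within a group, groups joined by AND or OR, OR-ed options within one line, and the four operator families), run over constructed identity rows to reproduce the page's example query. Property names such as admin_access and the row layout are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any

# Constructed sample Identities rows (not platform data); TODAY is pinned for determinism.
TODAY = date(2024, 6, 1)
IDENTITIES = [
    {"name": "alice", "admin_access": ["AWS"], "status": "Enabled",
     "is_mfa_enabled": True, "last_login_at": date(2024, 5, 31)},
    {"name": "bob", "admin_access": ["Okta"], "status": "Disabled",
     "is_mfa_enabled": False, "last_login_at": date(2023, 7, 1)},
    {"name": "svc-deploy", "admin_access": ["AWS", "GitHub"], "status": "Unknown",
     "is_mfa_enabled": False, "last_login_at": None},
    {"name": "carol", "admin_access": [], "status": "Suspended",
     "is_mfa_enabled": True, "last_login_at": date(2024, 5, 25)},
]

def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]

def _date_window(preset: Any) -> tuple:
    """Inclusive (start, end) window for a preset; Custom passes its own tuple."""
    days = {"Yesterday": 1, "Last Week": 7, "Last Year": 365}.get(preset)
    if days is None:
        return preset
    start = TODAY - timedelta(days=days)
    return (start, start) if preset == "Yesterday" else (start, TODAY)

# The page's four operator families: exact, mathematical, date and string matches.
# Options inside one line (e.g. several statuses for In) are always OR-ed.
OPERATORS: dict = {
    "In": lambda v, opts: any(x in opts for x in _as_list(v)),
    "Not In": lambda v, opts: not any(x in opts for x in _as_list(v)),
    "Is Empty": lambda v, yes: (v in (None, "", [])) == yes,
    "Equal to": lambda v, n: v == n,
    "Greater than": lambda v, n: v is not None and v > n,
    "Less than": lambda v, n: v is not None and v < n,
    "Date": lambda v, p: v is not None and _date_window(p)[0] <= v <= _date_window(p)[1],
    "Contains": lambda v, s: s in (v or ""),
    "Not contains": lambda v, s: s not in (v or ""),
    "Starts with": lambda v, s: (v or "").startswith(s),
    "Not Starts with": lambda v, s: not (v or "").startswith(s),
    "Ends with": lambda v, s: (v or "").endswith(s),
    "Not Ends with": lambda v, s: not (v or "").endswith(s),
}

@dataclass
class Line:
    prop: str
    op: str
    value: Any
    def matches(self, row: dict) -> bool:
        return OPERATORS[self.op](row.get(self.prop), self.value)

@dataclass
class Group:
    """All lines in one group share a single connector: all AND or all OR."""
    lines: list
    join: str = "AND"
    def matches(self, row: dict) -> bool:
        combine = all if self.join == "AND" else any
        return combine(line.matches(row) for line in self.lines)

def run_filter(rows: list, groups: list, join: str = "AND") -> list:
    """Groups are connected by AND or OR; returns matching names in table order."""
    combine = all if join == "AND" else any
    return [r["name"] for r in rows if combine(g.matches(r) for g in groups)]

# The page's example: identities with admin privileges whose accounts are
# Disabled, Suspended or Unknown (the three statuses are OR-ed within one line).
ADMINS_WITH_INACTIVE_ACCOUNTS = run_filter(IDENTITIES, [Group([
    Line("admin_access", "Is Empty", False),
    Line("status", "In", ["Disabled", "Suspended", "Unknown"]),
])])

# Two groups joined by AND, the second an OR group: admins lacking MFA or seen last week.
ADMINS_NO_MFA_OR_RECENT = run_filter(IDENTITIES, [
    Group([Line("admin_access", "Is Empty", False)]),
    Group([Line("is_mfa_enabled", "Equal to", False),
           Line("last_login_at", "Date", "Last Week")], join="OR"),
])
```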

Inventory Filter Properties

This section is a reference to all the filter properties provided by the Delinea Platform in the Inventory pages.

Identities

Category | Property | Description
---------|----------|------------
Account | Access To Apps | The applications a cloud service user (or service account) can access. The access might be direct or indirect (such as federated access).
Account | Admin Access | Cloud service user accounts with administrative privileges. You can specify the application for which you want to find users with admin access. To modify this setting, select Settings > Authorization Configuration.
Account | Blast Radius Risk | The impact of the account being taken over, based on the account's access and type of access.
Account | Email | Email of the cloud service user (or service account) as found in the application.
Account | First Name | First name of the cloud service user (or service account) in an application. The First Name may vary from application to application.
Account | ID | The ID of the account.
Account | Incidents Count | The number of incidents an account has (for example, the incidents in the AWS account).
Account | Is External | Find accounts that are external (or not external). An account is classified as external when its email and other properties differ from those of internal users (or when the downstream application states that it is external).
Account | Is Managed | A managed account is one managed by the current system's administrator. Use this filter to find all accounts your administrators have full control over, or those they do not control that have access to your systems.
Account | Is MFA Enabled | Find accounts for which MFA is enabled (or not enabled). MFA settings may differ between accounts; for example, MFA might be enabled in Okta but disabled in Slack.
Account | Last Login At | Date of the last login in a specific application.
Account | Last Name | Last name of the cloud service user or service account. The Last Name may vary from application to application.
Account | Overall Risk | The overall risk is calculated from the probability that the account can be taken over and its blast radius risk (defined earlier in this table).
Account | Detection Rule Name | Cloud service users who match a specific detection rule; for example, all the users that matched the brute-force attack rule.
Account | Privileged Access | Cloud service user accounts with privileged access. You can select the application to identify users with privileged access. To modify this configuration, select Settings > Authorization Configuration.
Account | Shadow Admin Access | Cloud service user accounts with shadow-admin privileges across various applications. You can choose the specific application for which you want to find users with shadow-admin permissions. Shadow-admin permissions let a user reach administrative capabilities even though the permissions they currently hold are a reduced set.
Account | Source App | The application in which the account is a registered cloud service user. For example, if a user has federated access to AWS through an IdP (such as Okta), Okta is the source app, and AWS appears in the Access To Apps filter.
Account | Status | The status of the account in the source application, such as Deleted, Disabled, Enabled, or Unknown.
Account | Sub Type | All the available sub-types of non-human identities.
Account | Tags | Tags that are associated with the account (such as Admin, Privileged Access). Tags are created automatically by the AI engine, manually by the end user, or are based on tags in the source system.
Account | Take Over Risk | The probability that the account will be taken over by an external identity.
Account | Type | User or Service Account.
Collection | Name | The named Collection is used as a filter. All collection types can appear in the filter. If an Access-type collection is used, the identities that matched are returned.
Identity | Blast Radius Risk | Identities are filtered based on the risk imposed by their access collection. This filter uses the highest Blast Radius among all related accounts, showing the extent of potential damage in case of a security breach. Use it to quickly locate critical accounts or high-risk cloud service users with extensive access permissions, prioritize security measures, and reduce the overall risk of breaches.
Identity | Department | The department in which the identity works (for example, Customer Support, Sales, HR).
Identity | First Name | The first name of the identity, taken from the identity's primary account, which is often the HR system or the IdP.
Identity | Hired At | Date hired.
Identity | Last Name | The last name of the identity, taken from the identity's primary account, which is often the HR system or the IdP.
Identity | Manager | The name of the identity's manager.
Identity | Name | The name of the identity, either taken directly from the identity's primary account (the HR system or IdP in most cases) or a combination of the First and Last names from the primary account.
Identity | Overall Risk | Comprehensive risk of an identity, considering the combined risks of its individual accounts. It incorporates two main components: Account Takeover Risk, which gauges the vulnerability of the identity to unauthorized access, and Blast Radius, representing the highest scope of permission the identity can achieve. Use this filter to find identities with significant security concerns and prioritize measures to mitigate potential breaches and safeguard sensitive data.
Identity | Source Apps | All applications for which the identity has a registered user account. For example, if a user has federated access to AWS through an IdP (such as Okta), only Okta is represented as the source app, and AWS appears in the Access To Apps filter.
Identity | Tags | Tags associated with the identity (such as Senior Employee, Involved in Credential Leak, Finance Employee). Tags are created automatically by the AI engine or manually.
Identity | Take Over Risk | The ease with which an attacker could gain access to any of the identity's connected accounts. This filter assesses the risk level posed by each individual account, giving a comprehensive view of the identity's overall security vulnerability. Use it to identify identities with weak account security, so you can prioritize security enhancements and protect against unauthorized access and data breaches.
Identity | Terminated At | Date terminated.
Identity | Title | The job title of the identity (such as CTO, Software Engineer).

Groups

Category | Property | Description
---------|----------|------------
Group | Admin Access | User accounts with administrative privileges. You can specify the application for which you want to find users with admin access. To modify this setting, select Settings > Authorization Configuration.
Group | Alternative Name | The alternative name of the group is presented to users and reviewers across the platform alongside the group name, to provide a clearer name for the group.
Group | Collections | The named Collection is used as a filter. Filtering is based on the results of the Collection query in this inventory. The filter result shows all the groups that matched the Collection.
Group | ID | The ID of the group.
Group | Incidents Count | The number of incidents associated with the group.
Group | Is Empty | Empty groups or non-empty groups.
Group | Name | The name of the group as stated in the source system.
Group | Origin Type | The type of the group in the source application (such as AWS Role or Salesforce Profile).
Group | Owner | The name of the owner of the group, if any.
Group | Detection Rule Name | Filter based on groups that matched a specific detection rule. For example, find groups that grant admin access.
Group | Privileged Access | User accounts with privileged access. You can select the application to identify users with privileged access. To modify this configuration, select Settings > Authorization Configuration.
Group | Shadow Admin Access | User accounts with shadow-admin privileges across various applications. You can choose the specific application for which you want to find users with shadow-admin permissions. Shadow-admin permissions let a user reach administrative capabilities even though the permissions they currently hold are a reduced set.
Group | Source App | The app in which the group is managed.
Group | Tags | Tags associated with the group (for example, general, birthright group). Tags are created automatically by the AI engine, manually, or are based on the tags in the source system.

Assets

Category | Property | Description
---------|----------|------------
Asset | Created At | Creation date of the asset, if available.
Asset | Collections | The named Collection is used as a filter. Filtering is based on the results of the Collection query in this inventory. The filter result shows all the assets that matched the Collection.
Asset | ID | The ID of the asset.
Asset | Incidents Count | The number of incidents associated with the asset.
Asset | Last Used At | The last time the asset was used (accessed, modified, deleted, or created). This data is available mainly for Secret and Application assets and is not available for most other asset types.
Asset | Name | Name of the asset.
Asset | Origin Type | The type of the asset in the source application (for example, EC2 machine in AWS, or Application in Okta).
Asset | Detection Rule Name | Filter based on assets that matched a specific detection rule. For example, find production assets that can be accessed by non-admins.
Asset | Source App | The app in which the asset is managed.
Asset | Tags | Tags associated with the asset (for example, Production or Test Environment).
Asset | Type | Assets are "normalized" (grouped) into a minimal set of types across all applications. Assets can therefore be filtered by their normalized Type (such as Virtual Machine), or specifically by the name of the asset in the source system (for example, EC2 machines on AWS).

Memberships

Filter | Entity Type | Category | Property | Description
-------|-------------|----------|----------|------------
Actor | Identity | Account | Same as Identities - Account | See Identities.
Actor | Identity | Collection | Same as Identities - Collection | See Identities.
Actor | Identity | Identity | Same as Identities - Identity | See Identities.
Actor | Group | Group | Same as Groups inventory | See Groups.
Target | Group | Group | Same as Groups inventory | See Groups.
Access | Membership | Membership | Added at | Date when this membership was created.
Access | Membership | Membership | Added by | Person who created this membership.
Access | Membership | Membership | Direct Access | Filter on whether the membership is direct (granted to the account itself rather than through another group).
Access | Membership | Membership | Collections | The named Collection is used as a filter.

Access Policies

Filter | Entity Type | Category | Property | Description
-------|-------------|----------|----------|------------
Actor | Identity | Account | Same as Identities - Account | See Identities.
Actor | Identity | Collection | Same as Identities - Collection | See Identities.
Actor | Identity | Identity | Same as Identities - Identity | See Identities.
Actor | Group | Group | Same as Groups | See Groups.
Target | Asset | Asset | Created At | Creation date of the asset, if available.
Target | Asset | Asset | Collections | The named Collection is used as a filter. Filtering is based on the results of the Collection query in this inventory, so the results are all the assets that matched the Collection.
Target | Asset | Asset | ID | The ID of the asset.
Target | Asset | Asset | Incidents Count | The number of incidents associated with the asset.
Target | Asset | Asset | Last Used At | The last time the asset was used (accessed, modified, deleted, or created). This data is available mainly for Secret and Application assets and is not available for most other asset types.
Target | Asset | Asset | Name | Name of the asset.
Target | Asset | Asset | Origin Type | The type of the asset in the source application (for example, EC2 machine in AWS, or Application in Okta).
Target | Asset | Asset | Detection Rule Name | Filter based on assets that matched a specific detection rule. For example, find production assets that can be accessed by non-admins.
Target | Asset | Asset | Source App | The app in which the asset is managed.
Target | Asset | Asset | Tags | Tags associated with the asset (for example, Production or Test Environment).
Target | Asset | Asset | Type | Assets are "normalized" (grouped) into a minimal set of types across all applications. Assets can therefore be filtered by their normalized Type (such as Virtual Machine), or specifically by the name of the asset in the source system (for example, EC2 machines on AWS).
Access | Access | Access | Collections | The named Collection is used as a filter. Only Access Collections yield results in this inventory.
Access | Access | Access | Granted at | Date when the access policy was created.
Access | Access | Access | Granted by | Person who created the access policy.
Access | Access | Access | Is Direct | A direct assignment of access is any access granted to the account or group directly, not through another group. When set to Yes, only direct access is shown and calculated in the result. When set to No, only indirect access is included. To include both, do not use this filter.
Access | Access | Access | Last Used At | Date when the access policy was most recently used.
Access | Access | Access | Limit Inheritance | Include only the first asset in the system that matches the query; inherited assets are not returned. For example, if you want to find administrative access in a file system, and a user has access to a folder that contains a file, this filter returns only the folder.
Access | Privilege | Privilege | Is Role | Privileges of a role on different assets. Different users get the same privilege (through the same role), but on different assets. In the platform, this is called a local role.
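As an added example (not the platform's own code), the snippet below models effective access as the Access Policies inventory defines it: direct grants plus grants inherited through nested groups and an asset hierarchy, with the Is Direct and Limit Inheritance filters applied, and effective permissions as the union of direct and indirect privileges on one asset. The folder tree, group nesting and grant list are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data (not platform data). Assets form a tree: a grant on a
# folder is inherited by everything beneath it. Groups may be nested.
ASSET_PARENT = {
    "finance": None, "finance/q2": "finance", "finance/q2/report.xlsx": "finance/q2",
    "eng": None, "eng/repo": "eng",
}
MEMBERSHIPS = {"alice": ["finance-admins"], "bob": ["engineers"], "svc-backup": []}
GROUP_PARENT = {"finance-admins": "all-staff", "engineers": "all-staff"}
# (grantee, asset, privilege); the grantee is an account or a group.
GRANTS = [
    ("finance-admins", "finance", "Administrative"),
    ("all-staff", "eng", "Read"),
    ("bob", "eng/repo", "Write"),
    ("svc-backup", "finance/q2/report.xlsx", "Read"),
]

@dataclass(frozen=True)
class EffectiveAccess:
    actor: str
    target: str
    privilege: str
    is_direct: bool   # granted to the actor itself, not through a group
    granted_on: str   # the asset on which the grant was made (may be an ancestor)

def groups_of(entity: str) -> set:
    """Transitive group membership for an account or a group."""
    seen, stack = set(), list(MEMBERSHIPS.get(entity, []))
    if entity in GROUP_PARENT:
        stack.append(GROUP_PARENT[entity])
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            if g in GROUP_PARENT:
                stack.append(GROUP_PARENT[g])
    return seen

def descendants(asset: str) -> list:
    """The asset itself plus every asset beneath it in the tree."""
    out = []
    for a in ASSET_PARENT:
        node = a
        while node is not None:
            if node == asset:
                out.append(a)
                break
            node = ASSET_PARENT[node]
    return out

def effective_access(actor: str, is_direct=None, limit_inheritance=False) -> list:
    """Effective access of an actor, honouring the Is Direct and Limit Inheritance filters.
    is_direct=True keeps only direct grants, False only indirect, None both.
    limit_inheritance=True returns only the asset the grant was made on."""
    grantees = {actor: True, **{g: False for g in groups_of(actor)}}
    rows = []
    for grantee, asset, privilege in GRANTS:
        if grantee not in grantees:
            continue
        direct = grantees[grantee]
        if is_direct is not None and direct != is_direct:
            continue
        targets = [asset] if limit_inheritance else descendants(asset)
        rows += [EffectiveAccess(actor, t, privilege, direct, asset) for t in targets]
    return sorted(rows, key=lambda r: (r.target, r.privilege))

def effective_permissions(actor: str, asset: str) -> set:
    """Effective permissions: direct and indirect privileges combined on one asset."""
    return {r.privilege for r in effective_access(actor) if r.target == asset}
```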

Privileges

Category | Property | Description
---------|----------|------------
Privilege | Child Privileges | Privileges that contain a specific child privilege. For example, search for the privilege Add MFA to find every admin or similar role that can add MFA devices.
Privilege | Is Role | Filter on whether the privilege represents a role in the application.
Privilege | Origin Name | The name of the privilege in the source application.
Privilege | Source App | The app in which the privilege is managed.
Privilege | Tags | Tags associated with the privilege (for example, Production or Test Environment).
Privilege | Type | Privileges are "normalized" (grouped) into a minimal set of types across all applications. Privileges can therefore be filtered by their normalized Type (such as Administrative), or by the name of the privilege in the source system (for example, ORG.ADMIN on GitHub).

Activities

Filter | Entity Type | Category | Property | Description
-------|-------------|----------|----------|------------
Actor | Identity | Account | Same as Identities - Account | See Identities.
Actor | Identity | Collection | Same as Identities - Collection | See Identities.
Actor | Identity | Identity | Same as Identities - Identity | See Identities.
Actor | Group | Group | Same as Groups | See Groups.
Target | Asset | Asset | Same as Access Policies - Target - Asset | See Assets.
Target | Identity | Account | Same as Identities - Account | See Identities.
Target | Identity | Collection | Same as Identities - Collection | See Identities.
Target | Identity | Identity | Same as Identities - Identity | See Identities.
Target | Group | Group | Same as Groups | See Groups.
Target | Privilege | Privilege | Child Privileges | Privileges that contain a specific child privilege. For example, search for the privilege Add MFA to find every admin or similar role that can add MFA devices.
Target | Privilege | Privilege | Is Role | Filter by whether the privilege represents a role in the application.
Target | Privilege | Privilege | Origin Name | The name of the privilege in the source application.
Target | Privilege | Privilege | Source App | The app in which the privilege is managed.
Target | Privilege | Privilege | Tags | Tags associated with the privilege (for example, Production or Test Environment).
Target | Privilege | Privilege | Type | Privileges are "normalized" (grouped) into a minimal set of types across all applications. Privileges can therefore be filtered by their normalized Type (such as Administrative), or specifically by the name of the privilege in the source system (for example, ORG.ADMIN on GitHub).
Activity | Activity | Activity | Date | The date when the activity was performed.
Activity | Activity | Activity | Is Virtual | Filter on whether an activity is virtual. Virtual activities are not logged in the external system but are represented as activities in the platform, such as login events.
Activity | Activity | Activity | Success Status | Filter on the success status of the activity.
Activity | Activity | Activity | Tags | Tags associated with the activity.