Get quick insight into access data
Access explorer queries
To query your access data, navigate to Admin > Explore > Search.
On the Access explorer page you’ll find pre-built queries to help you explore and understand your organization’s access data so you can mitigate potential security risks. Here’s an overview of the available queries and the ways you can filter them to zoom in on the data that matters most to you.
| Query title | What the query shows | Available filters |
|---|---|---|
| Access profile memberships | All users’ access profile assignments. | By access profile By user |
| All accounts | All accounts for all applications. | By app By user |
| Inactive accounts | Accounts that have not been logged into within the timeframe you select. | By app (required) |
| Accounts without an account owner | All accounts for all applications with no account owner set. | By app |
| High-risk accounts | Accounts granted at least one entitlement designated high risk. | None |
| Orphaned accounts | All accounts for all applications with either no account owner or a deactivated user set as the account owner. | By app |
| Past grants | All accounts with access grants that have expired or been removed, with grant and removal dates. | By app By entitlement |
| Apps with a deactivated owner | Applications with a designated application owner whose account is deactivated. | By app |
| Apps with one owner | Applications that have a single designated application owner. | By app |
| Entitlements with a deactivated owner | Entitlements with a designated entitlement owner whose account is deactivated. | None |
| Entitlements with one owner | Entitlements that have a single designated entitlement owner. | None |
| All resources | All resources for all applications. | By app By resource type By risk level |
| Resources with a deactivated owner | Resources with a designated resource owner whose account is deactivated. | None |
| High-risk role grants (permanent) | All users granted a role designated high risk with no expiration on the grant. | None |
| High-risk role grants (temporary) | All users granted a role designated high risk with a time limit on the grant. | None |
| Standing privileges | Users with access grants that have no time limit. | By app |
| Users without a manager | Users with no manager user attribute set. | None |
| Users with an unspecified employment status | Users with no employment status user attribute set. | None |
Security dashboard
To help you quickly and easily track high-risk and sensitive access, the results of select access explorer queries are also summarized on the Security dashboard. Click a dashboard card to be directed to the query results page where you can view the data in more detail, filter the results (when filters are available), and create and download reports.
To access the security dashboard, navigate to Admin > Dashboard and click the Security tab.
The security dashboard shows quick summaries of the following categories:
Orphaned accounts - All accounts for all applications with either no account owner or a deactivated user set as the account owner.
High-risk accounts - Accounts granted at least one entitlement designated high risk.
Inactive accounts (past 30 days) - Accounts with no activity for the past month.
High-risk role grants (permanent) - All users granted a role designated high risk with no expiration on the grant.
Standing privileges - Users with access grants that have no time limit.
High-risk role grants (temporary) - All users granted a role designated high risk with a time limit on the grant.