This document provides information about the Identities report screen. This report shows information about access permissions, unauthorized identity access, recommendations, and identities.
The Identities report for Azure identities includes only those with at least one role assigned to an Azure resource.
Path to access
- Access Cloud Security.
- Access the Cloud Entitlements product.
- In the side menu, click Identities.
Actions menu
| Item | Type | Description |
| --- | --- | --- |
| + Add | Dropdown menu | Opens the Create new user panel. The options are: New AWS User and New Azure User. |
Search fields
| Item | Type | Description |
| --- | --- | --- |
| Search | Text field | Filters the identities by the entered keywords. |
| Provider | Dropdown menu | Filters the identities by provider. The options are: AWS, GCP, Azure and Oracle. This filter is shown by default. |
| Environment | Dropdown menu | Filters the identities by environment. This filter is shown by default. |
| Type | Dropdown menu | Filters the identities by type. The options are: User, Group, Roles and Application. This filter is shown by default. |
| Recommendations | Dropdown menu | Filters the identities by the criticality of their recommendations. You can select several levels at once. The levels are: High, Medium, Low and Info. This filter is shown by default. |
| Identities in a group | Checkbox | Filters the identities by whether the principal belongs to a group. This filter is shown by default. |
| Administrator | Checkbox | Filters the identities by whether the principal is an administrator. This filter is shown by default. |
| Active JIT | Checkbox | Filters the identities by whether they have an active just-in-time (JIT) access. |
| Clear filter | Button | Clears all applied filters. |
| Export data in CSV | Button | Opens the Export data in CSV window. |
| Refresh | Button | Refreshes the report. |
| Show/Hide columns | Button | Opens a card to show or hide report columns. |
Report fields
- Provider.
- Cloud ID: ID of the cloud account. Hidden by default; enable it through the Show/Hide columns button.
- Environment.
- Principal.
- Type.
- Score: score of the identity. Hidden by default; enable it through the Show/Hide columns button.
- Impact.
- Total issues: number of recommendations for the identity. Hidden by default; enable it through the Show/Hide columns button.
- Recommendations.
- Last scan check: date and time of the last scan. Hidden by default; enable it through the Show/Hide columns button.
- Creation date: date and time the identity was created. Hidden by default; enable it through the Show/Hide columns button.
:::(Alert) (Alert)
If the access key used to integrate an AWS account is no longer valid, a red alert is displayed next to the account icon. The scan can no longer synchronize with that account, so its last scan date and time stop updating.
:::
Info
- Cloud Entitlements scans the environments every 4 to 10 minutes.
- By default, the report displays 25 records per page. To see the next page, use the navigation buttons at the end of the report.
Identities details
This section provides information about the details of an identity. You can view the details of an identity by clicking on it.
Identities section
| Item | Description |
| --- | --- |
| Identity type | Type of identity. The options are: User, Group, Roles, Application and Service account. |
| Group | Group the identity belongs to. |
| ARN | Amazon Resource Name, the unique identifier of the AWS identity. Only shown for AWS identities. |
| Has admin access | Shows whether the identity has administrator access. The options are: Yes or No. |
| Auth method | Lists all authentication methods associated with the identity. Only shown when the identity is a User. |
| + Owner | Displays the owner assigned to the identity and lets you assign one. |
| Show less/Show more | Shows more or less information about the identity. |
| Delete | Deletes the identity. Currently available only for Azure and AWS identities. |
Recommendations tab
| Item | Description |
| --- | --- |
| Recommendations | Lists all recommendations that apply to the identity. |
| Compliant | Lists the recommendations that the identity already complies with. |
Findings tab
This tab varies according to the provider of the identity selected. See the following tables for each provider:
Findings tab for Amazon Web Services
Policies table
| Item | Description |
| --- | --- |
| Search | Filters the policies by the entered keywords. |
| Refresh | Refreshes the table to update the policies. |
| + Add | Adds a temporary policy. Only available when the account integration mode is Read and Write. More information in How to connect an AWS account. |
| Policy | Policy attached to the identity. |
| Type | Policy type. The types are: Group policy and Attached policy. |
| Expiration date | Expiration date of the policy, for policies added as temporary policies. |
| Remove | Removes the policy. More information in How to remove policies in AWS. |
Access keys table
| Item | Description |
| --- | --- |
| Search | Filters the access keys by the entered keywords. |
| Refresh | Refreshes the table to update the access keys. |
| + Add | Adds an access key. Only available when the account integration mode is Read and Write. More information in How to add an access key to an AWS identity. |
| Key ID | Access key ID. |
| Status | Access key status. |
| Creation date | Access key creation date. |
| Access Key last use | Date the access key was last used. |
| Remove | Removes the access key. More information in How to remove AWS access keys. |
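The Access keys table gives, per key, its status, creation date and last use date. The following Python example, added here and not part of Cloud Entitlements, turns that metadata into the findings a reviewer would raise from the table: inactive keys that still exist, keys never used or idle beyond a threshold, keys older than the rotation window, and users holding two active keys at once. The records, user names, key IDs and thresholds are constructed for the example; in practice the same fields come from the IAM `ListAccessKeys` and `GetAccessKeyLastUsed` API calls.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessKey:
    """One row of the Access keys table, as IAM reports it."""
    user: str
    key_id: str
    status: str                    # "Active" or "Inactive"
    created: datetime
    last_used: Optional[datetime]  # None when IAM has no last-used record


@dataclass(frozen=True)
class Finding:
    principal: str
    key_id: Optional[str]          # None for user-level findings
    code: str
    advice: str


def review_access_keys(keys: List[AccessKey], now: datetime,
                       max_age_days: int = 90, max_idle_days: int = 30) -> List[Finding]:
    """Apply key-hygiene rules to a list of access keys.

    The 90-day rotation and 30-day idle windows are assumptions for the
    example; pick the values your own policy requires.
    """
    findings: List[Finding] = []
    active_per_user: Dict[str, int] = {}

    for k in keys:
        if k.status != "Active":
            # A deactivated key is still a credential: anyone with iam:UpdateAccessKey
            # can re-enable it. Delete it once the rotation is complete.
            findings.append(Finding(k.user, k.key_id, "inactive-key-present",
                                    "delete the key; inactive keys can be re-enabled"))
            continue

        active_per_user[k.user] = active_per_user.get(k.user, 0) + 1
        age = now - k.created

        if k.last_used is None:
            # Give a freshly created key the idle window before calling it unused.
            if age > timedelta(days=max_idle_days):
                findings.append(Finding(k.user, k.key_id, "never-used",
                                        "key was created but never used; delete it"))
        elif now - k.last_used > timedelta(days=max_idle_days):
            findings.append(Finding(k.user, k.key_id, "idle",
                                    f"no use in {max_idle_days} days; deactivate, then delete"))

        if age > timedelta(days=max_age_days):
            findings.append(Finding(k.user, k.key_id, "rotate",
                                    f"older than {max_age_days} days; rotate the key"))

    for user, count in active_per_user.items():
        if count > 1:
            # IAM allows two keys per user so that rotation can overlap; two active
            # keys outside a rotation usually means the old one was forgotten.
            findings.append(Finding(user, None, "multiple-active-keys",
                                    "finish the rotation and delete the old key"))
    return findings


# Constructed sample data: fictitious users and placeholder key IDs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    AccessKey("alice", "AKIAEXAMPLEALICE001", "Active",
              datetime(2024, 5, 20, tzinfo=timezone.utc), datetime(2024, 5, 31, tzinfo=timezone.utc)),
    AccessKey("alice", "AKIAEXAMPLEALICE002", "Active",
              datetime(2023, 11, 1, tzinfo=timezone.utc), datetime(2024, 5, 30, tzinfo=timezone.utc)),
    AccessKey("bob", "AKIAEXAMPLEBOB00001", "Active",
              datetime(2024, 1, 15, tzinfo=timezone.utc), None),
    AccessKey("carol", "AKIAEXAMPLECAROL001", "Inactive",
              datetime(2024, 3, 1, tzinfo=timezone.utc), datetime(2024, 3, 2, tzinfo=timezone.utc)),
    AccessKey("dave", "AKIAEXAMPLEDAVE0001", "Active",
              datetime(2024, 4, 1, tzinfo=timezone.utc), datetime(2024, 4, 5, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for f in review_access_keys(SAMPLE_KEYS, NOW):
        print(f"{f.principal:6} {f.key_id or '-':20} {f.code:22} {f.advice}")
```

Inactive keys are reported and skipped before the age and idle checks, because the action for them (delete) does not depend on how old they are; the per-user count only includes active keys for the same reason.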
Service usage table
| Item | Description |
| --- | --- |
| Search | Filters the services by the entered keywords. |
| Filter list | Filters the services by their last use date. |
| Service | Service name. |
| Policy | Policy attached to the identity and service. |
| Date | Date the service was last used. |
Findings tab for Azure
Roles table
| Item | Description |
| --- | --- |
| Search | Filters the roles by the entered keywords. |
| Refresh | Refreshes the table to update the roles. |
| + Add | Adds a temporary role. Only available when the account integration mode is Read and Write. More information in How to connect an Azure tenant. |
| Name | Name of the role assigned to the user. |
| Direct assignment | Shows whether the role was assigned directly to the user. |
| Type | Type of role assigned to the user. The types are: Directory Role and Azure Role Assignments. |
| Expiration date | Expiration date of the role. |
| Remove | Removes a role. More information in How to remove Azure roles. |
Subscription resources table
| Item | Description |
| --- | --- |
| Search | Filters the subscription resources by the entered keywords. |
| Subscription | Identifier of the subscription the resource belongs to. |
| Resource | Resource name. |
| Type | Resource type. |
| Roles | Role assigned to the user that grants access to the subscription resource. |
| Actions | Actions available on the resource. |
Members table
This section only appears if the identity is a group.
| Item | Description |
| --- | --- |
| Search | Filters the members by the entered keywords. |
| Members | Group members. |
| Type | Type of each member. |
Secrets table
This section only appears if the identity is an application.
| Item | Description |
| --- | --- |
| Search | Filters the secrets by the entered keywords. |
| Refresh | Refreshes the table to update the secrets. |
| + Add | Adds a secret. Only available when the account integration mode is Read and Write. More information in How to add secrets to Azure applications. |
| Secret ID | ID of the application secret. |
| Name | Application name. |
| Expires at | Expiration date of the secret. |
| Remove | Removes a secret. More information in How to remove Azure secrets. |
Findings tab for Google Cloud Provider
Roles table
| Item | Description |
| --- | --- |
| Search | Filters the roles by the entered keywords. |
| Refresh | Refreshes the table to update the roles. |
| + Add | Adds a role. Only available when the account integration mode is Read and Write. More information in How to set temporary roles for Google Cloud Provider identities. |
| Roles | Role assigned to the identity. |
| Type | Type of the role assigned to the identity. The options are: Basic role, Predefined role and Custom role. |
| Remove | Removes a role. More information in How to remove GCP roles. |
Services table
| Item | Description |
| --- | --- |
| Search | Filters the services by the entered keywords. |
| Filter list | Filters the services by their last use date. |
| Service | Service assigned to the identity. |
| Date | Date the service was last used. |
Access key table
This section is only visible if the identity is a service account.
| Item | Description |
| --- | --- |
| Search | Filters the access keys by the entered keywords. |
| Refresh | Refreshes the table to update the access keys. |
| + Add | Adds an access key. More information in How to add access keys to GCP service accounts. |
| Key ID | ID of the key. |
| Key creation date | Creation date of the key. |
| Key expiration date | Expiration date of the key. |
| Remove | Removes an access key. More information in How to remove GCP access keys. |
Findings tab for Oracle Cloud
Statement table
| Item | Description |
| --- | --- |
| Search | Filters the statements by the entered keywords. |
| Effect | Shows whether the statement allows or denies access. |
| Subject | The groups or principals the statement grants permission to. |
| Verb | The type of access granted. The options are: inspect, read, use, and manage. |
| Resource type | The type of resource the statement applies to. |
| Location | The scope of the statement: a compartment or the whole tenancy. |
| Condition | Optional condition that limits the statement to requests matching the specified parameters. |
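The Statement table splits each Oracle Cloud policy statement into the columns above. The following Python example, added here and not part of Cloud Entitlements, performs the same split on raw statement text using OCI's policy syntax (`Allow <subject> to <verb> <resource-type> in <location> [where <condition>]`) and then picks out the statements a reviewer would look at first: unconditional grants of at least a chosen verb on all-resources or across the whole tenancy. The sample statements, group names and the compartment OCID are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OCI IAM policy statement, common form:
#   Allow <subject> to <verb> <resource-type> in <location> [where <condition>]
# Subject: "group X", "group id <ocid>", "dynamic-group X", "any-user", "service X".
# Location: "tenancy", "compartment X", "compartment id <ocid>".
# OCI treats keywords case-insensitively, so the regex does too.
_STATEMENT_RE = re.compile(
    r"^\s*(?P<effect>allow)\s+"
    r"(?P<subject>.+?)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource_type>\S+)\s+in\s+"
    r"(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# OCI verbs from least to most privileged; each includes the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


@dataclass(frozen=True)
class PolicyStatement:
    effect: str
    subject: str
    verb: str
    resource_type: str
    location: str
    condition: Optional[str]


def parse_statement(text: str) -> PolicyStatement:
    """Split one statement into the columns of the Statement table."""
    m = _STATEMENT_RE.match(text)
    if m is None:
        # Define/Endorse/Admit statements and malformed text are rejected, not guessed at.
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return PolicyStatement(
        effect=m["effect"].capitalize(),
        subject=m["subject"].strip(),
        verb=m["verb"].lower(),
        resource_type=m["resource_type"].lower(),
        location=m["location"].strip(),
        condition=m["condition"].strip() if m["condition"] else None,
    )


def parse_policy(statements: List[str]) -> List[PolicyStatement]:
    return [parse_statement(s) for s in statements]


def risky_statements(stmts: List[PolicyStatement], min_verb: str = "manage") -> List[PolicyStatement]:
    """Unconditional grants of at least `min_verb` on every resource type or tenancy-wide."""
    return [
        s for s in stmts
        if s.condition is None
        and VERB_RANK[s.verb] >= VERB_RANK[min_verb]
        and (s.resource_type == "all-resources" or s.location.lower() == "tenancy")
    ]


# Constructed sample policy: group names and the compartment OCID are placeholders.
SAMPLE_POLICY = [
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Prod",
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow dynamic-group BuildHosts to use buckets in compartment id ocid1.compartment.oc1..example "
    "where target.bucket.name = 'artifacts'",
    "Allow group Admins to manage all-resources in tenancy",
]

if __name__ == "__main__":
    for s in parse_policy(SAMPLE_POLICY):
        print(s)
    print("review first:", [s.subject for s in risky_statements(parse_policy(SAMPLE_POLICY))])
```

With the default `min_verb="manage"`, only the Admins statement is flagged; the Auditors statement is tenancy-wide but read-only, and the BuildHosts statement is both scoped to a compartment and conditioned on the bucket name. Lowering `min_verb` to `"inspect"` would also surface the Auditors grant.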
API keys table
This section is only visible if the identity is a user.
| Item | Description |
| --- | --- |
| Search | Filters the API keys by the entered keywords. |
| Fingerprint | Fingerprint of the API key. |
| Created date | Creation date of the API key. |
Groups table
| Item | Description |
| --- | --- |
| OIDC | Oracle Cloud Identifier (OCID) of the group. |
| Member | Group members. |
Access path tab
The Access path tab shows how an identity is connected to the services it interacts with and the permissions involved. The visual map makes it easier to spot potential security weaknesses or unauthorized access.
| Item | Description |
| --- | --- |
| Filter | Filters the elements on the map. Elements matching the entered pattern are highlighted. |
| Settings | Expands the map configuration options. |
| Layouts | Selects the map layout. The options are: Radial out 2D, Force directed 2D and Force directed 3D. |
| Zoom in | Zooms in on the map. |
| Zoom out | Zooms out of the map. |
| Reset camera | Resets the zoom to its initial state without changing the chosen layout. |
| Expand | Expands the tab. |
| Caption | Legend explaining the map icons. |
| Date | Colors the arrows to show which services were accessed within the selected period. |
Create new user panel
This panel varies according to the provider of the identity you want to add. See the following tables for each provider:
Basics tab for Azure users
| Item | Type | Required | Description |
| --- | --- | --- | --- |
| Azure account | Dropdown menu | No | Azure account. The account must be registered in Cloud Entitlements. More information in How to connect an Azure tenant. Only available when you chose New Azure User in the + Add menu. |
| User principal name * | Text field | Yes | Name for the user. |
| Domain | Dropdown menu | No | Domain for the Azure account. |
| Mail nickname * | Text field | Yes | Nickname for the email. You can reuse the User principal name * value as the nickname. |
| Derive from user principal name | Checkbox | No | Uses the User principal name * value as the mail nickname. |
| Display name * | Text field | Yes | Display name for the user. |
| Password * | Text field | Yes | Password for the user. |
Basics tab for AWS users
| Item | Type | Required | Description |
| --- | --- | --- | --- |
| User principal name * | Text field | Yes | Name for the user. |
| Console enabled | Toggle button | No | Enables AWS Management Console access for the user. |
| Password * | Text field | Yes | Password for the user. Only available when Console enabled is toggled on. |
Assignments tab
This tab is only available when you chose New Azure User in the + Add menu.
| Item | Type | Required | Description |
| --- | --- | --- | --- |
| Subscription | Dropdown menu | No | Select one Azure subscription. |
| Search | Text field | No | Filters the assignment roles by the entered keywords. |
| Assignments | Table | No | Select one or more assignments. |
Policies tab
This tab is only available when you chose New AWS User in the + Add menu.
| Item | Type | Required | Description |
| --- | --- | --- | --- |
| Account | Dropdown menu | No | Select one AWS account. |
| Search | Text field | No | Filters the policies by the entered keywords. |
| Policies | Table | No | Select one or more policies. |
Review + Create tab
Use the Review + Create tab to check all the information entered in the previous tabs and create your user.