# Applications with Directly Assigned Users

Detects applications that violate security best practices by having access directly assigned to individual users instead of being managed through group assignments.

Direct app entitlements cause a range of security and operational problems for organizations. They can lead to inconsistent permissions, or "permission drift", where access levels vary across users with similar jobs or roles, creating security gaps. Operational challenges arise as well: both manual and automated onboarding, offboarding and cross-boarding processes are more error-prone when direct app assignments exist, since they are easily overlooked or forgotten and can break automated workflows. Direct assignments also create compliance issues: fragmented visibility makes it difficult to determine which users have what level of access to each app, so maintaining audit trails and regularly conducting required access reviews with accurate results becomes harder and more time consuming.

**Recommended Actions**

Review each flagged application and its directly assigned users to assess current access patterns. Evaluate whether appropriate groups already exist for these users based on their role or department. If suitable groups are already assigned to the given app, add each impacted user to the relevant group. If no appropriate groups exist, create new groups organized by job function, department, access requirements, etc., add the relevant user(s) to the group and assign the group(s) to the app.

When migrating access, add users to the appropriate security groups first, and remove the direct user assignments only after confirming that group-based access works, so that access is not interrupted. Consider removing access entirely for dormant accounts or users who have not used the app recently.

If many apps are failing this check, focus on sensitive apps first: mark them as sensitive using the toggle on the Applications page, then update the check's detection settings to consider sensitive apps only. This lets you resolve issues with your organization's most critical apps before addressing issues with other apps.

**Custom Detection Settings and Default Settings**

Check only sensitive apps: false

Ignore List:

* `active_directory`
* `ldap_sun_one`
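The following is an added illustration of how this check's two settings shape its verdict; it is example code written for this page, not Oort's implementation, and the record fields (`app_type`, `sensitive`, `principal_type`) and sample apps are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed (not Oort's) shape of an app-assignment record from an IdP such as
# Okta or Entra ID: each assignment names either a user or a group principal.
@dataclass
class Assignment:
    principal_type: str   # "user" (direct assignment) or "group"
    principal_id: str

@dataclass
class App:
    app_id: str           # identifier of the application in the IdP
    app_type: str         # connector/integration type, matched against the Ignore List
    sensitive: bool       # the "sensitive" toggle from the Applications page
    assignments: List[Assignment]

# Default Ignore List from the check's settings.
DEFAULT_IGNORE: Set[str] = {"active_directory", "ldap_sun_one"}

def find_directly_assigned(apps: List[App], *, sensitive_only: bool = False,
                           ignore: Set[str] = DEFAULT_IGNORE) -> Dict[str, List[str]]:
    """Return {app_id: [user ids]} for every app that fails the check.

    An app fails when at least one assignment targets a user rather than a
    group, unless its type is on the Ignore List or, with sensitive_only set
    ("Check only sensitive apps: true"), it is not marked sensitive.
    """
    failures: Dict[str, List[str]] = {}
    for app in apps:
        if app.app_type in ignore:
            continue
        if sensitive_only and not app.sensitive:
            continue
        direct_users = sorted(a.principal_id for a in app.assignments
                              if a.principal_type == "user")
        if direct_users:
            failures[app.app_id] = direct_users
    return failures

# Constructed sample inventory: one sensitive app and one non-sensitive app
# with direct users, an ignored directory connector, and a group-only app.
SAMPLE_APPS = [
    App("salesforce", "saml", True,  [Assignment("group", "sales"),
                                      Assignment("user", "alice"),
                                      Assignment("user", "bob")]),
    App("jira",       "saml", False, [Assignment("group", "eng"),
                                      Assignment("user", "carol")]),
    App("ad_sync",    "active_directory", False, [Assignment("user", "dave")]),
    App("slack",      "saml", False, [Assignment("group", "everyone")]),
]
```

Running `find_directly_assigned(SAMPLE_APPS)` flags `salesforce` and `jira` but not the ignored `ad_sync` connector or the group-only `slack`; with `sensitive_only=True` only `salesforce` remains, which is the triage order the text recommends.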

**Compatibility**

[Microsoft Entra ID](/integrations/azure-active-directory-integration.md)

[Okta](/integrations/okta-data-integration.md)

