
# Applications with Directly Assigned Users

Detects applications that violate security best practices by having access directly assigned to individual users instead of being managed through group assignments.

Direct app entitlements cause various security and operational issues for organizations. They can lead to inconsistent permissions, or "permission drift", where access levels vary across users with similar jobs or roles, creating security gaps. Operational challenges also arise: manual and automated onboarding, offboarding and cross-boarding processes are more prone to errors when there are direct app assignments, because those assignments are easily overlooked or forgotten and can break automated workflows. This practice can also create compliance issues, as fragmented visibility makes it difficult to identify which users have what level of access to each app, making it harder and more time-consuming to maintain audit trails and to regularly conduct required access reviews with accurate results.

**Recommended Actions**

Review each flagged application and its directly assigned users to assess current access patterns. Evaluate whether appropriate groups already exist for these users based on their role or department. If suitable groups are already assigned to the given app, add each impacted user to the relevant group. If no appropriate groups exist, create new groups organized by job function, department, access requirements, etc., add the relevant user(s) to the group, and assign the group(s) to the app.

When migrating access, add users to appropriate security groups first. To prevent access interruption, remove direct user assignments only after confirming that group-based access is working. Consider removing access entirely for dormant accounts or users who haven't recently used the app.

If many apps are failing this check, focus on addressing sensitive apps first by marking them as such using the toggle on the Applications page and then updating the check's detection settings to consider sensitive apps only. This approach will allow you to focus on resolving issues with your organization's most critical apps first, before addressing issues with other apps.

**Custom Detection Settings and Default Settings**

Check only sensitive apps: false

Ignore List:

* `active_directory`
* `ldap_sun_one`
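
The sketch below is an added example, not the product's own detection code. It applies the default settings above to a constructed inventory and then orders the migration as recommended: direct users already covered by a group assigned to the app can have the direct assignment removed once group access is confirmed, and the rest must be added to a group first. The record layout, the `type` field matched against the Ignore List, and all sample names are assumptions.

```python
# Added illustration; the record layout below is constructed, not a vendor export format.
IGNORE_LIST = {"active_directory", "ldap_sun_one"}  # default Ignore List from the page
CHECK_ONLY_SENSITIVE = False                        # default setting from the page

APPS = [  # constructed sample data
    {"name": "payroll", "type": "saml_app", "sensitive": True,
     "direct_users": ["alice", "bob"], "groups": ["finance"]},
    {"name": "wiki", "type": "oidc_app", "sensitive": False,
     "direct_users": ["carol"], "groups": []},
    {"name": "corp-ad", "type": "active_directory", "sensitive": False,
     "direct_users": ["dave"], "groups": []},
    {"name": "crm", "type": "saml_app", "sensitive": False,
     "direct_users": [], "groups": ["sales"]},
]
GROUP_MEMBERS = {"finance": {"alice"}, "sales": {"erin"}}  # constructed


def flagged_apps(apps, ignore=IGNORE_LIST, only_sensitive=CHECK_ONLY_SENSITIVE):
    """Apps with at least one direct user assignment, after detection settings."""
    out = []
    for app in apps:
        if app["type"] in ignore:  # assumption: ignore entries match the app type
            continue
        if only_sensitive and not app["sensitive"]:
            continue
        if app["direct_users"]:
            out.append(app)
    return out


def migration_plan(app, group_members):
    """Split direct users by whether a group assigned to the app already covers them."""
    covered = set()
    for group in app["groups"]:
        covered |= group_members.get(group, set())
    plan = {"remove_direct": [], "add_to_group_first": []}
    for user in app["direct_users"]:
        key = "remove_direct" if user in covered else "add_to_group_first"
        plan[key].append(user)
    return plan


if __name__ == "__main__":
    for app in flagged_apps(APPS):
        print(app["name"], migration_plan(app, GROUP_MEMBERS))
```
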

**Compatibility**

[Microsoft Entra ID](/integrations/azure-active-directory-integration.md)

[Okta](/integrations/okta-data-integration.md)

