🤷User Statuses
Last updated
Last updated
User Statuses are broken down into two categories: the Identity Provider (IdP) Status and an Identity Intelligence Status. Read on to learn the differences between the two statuses, how each status is compiled and what the definition of each status is.
The Identity Provider (IdP) Status is a status that is gathered directly from what is configured on the data source for a particular user. You can see the respective IdP Status for each data source associated with a user in the right top corner of each source card on the User 360 Overview tab.
To learn what statuses are possible and what each IdP status means, please refer to the data source's documentation on user statuses. Examples: Okta, Duo
The Identity Intelligence status is a status that combines all of the user's IdP statuses with observability information based on a user's activity. If you have an HRIS system configured, then it will also include the user's employment status from the HRIS system.
A high level Identity Intelligence status can be seen in the Status column on the Users page
Additionally, the high level Identity Intelligence status tag can be seen next to the User's name and email on every tab across the User 360.
A more detailed, compiled Identity Intelligence status can be seen on the User 360 Overview Tab, in the Summary widget, which is directly beneath the User's name and email. This compiled status combines the user types, taken directly from the IdP (ie: internal, external, service accounts, etc), and the Identity Intelligence status. If there is no user type in the IdP for that user, it will be marked as 'Missing'.
You can filter on Compiled Status
as a basic filter on the Users page and/or add the field to the table as an additional column.
If there is no HRIS data integration available for your tenant or a user, the detailed status is the user type taken from the IdP + high level Identity Intelligence status (ex: Internal, Active or External, Inactive).
Below are the statuses and definitions if you do not have an HRIS data integration configured:
Active
User is authorized in the IdP and has had activity in an IdP in the last 30 days
Inactive
User is authorized in the IdP, but has not had activity in an IdP in the last 30 days
Deprovisioned
User is unauthorized in the IdP and has not had activity in an IdP in the last 30 days
Inconsistent
If a HRIS data integration is available, the detailed status is the user type taken from the IdP+ the compiled status listed below (ie: Internal, Active Employee or Service Account, Non-employee).
Below are the statuses and definitions if you have an HRIS data integration configured:
Active
Active Employee
User's HRIS employment account exists and is authorized. User is authorized in the IdP and has had activity in an IdP in the last 30 days
Active
Non-employee
User's HRIS Employment account does not exist and is unauthorized. User is authorized in the IdP and has had activity in an IdP in the last 30 days
Inactive
Inactive Employee
User's HRIS Employment account exists and is authorized. User is authorized in the IdP, but has not had activity in an IdP in the last 30 days
Inactive
Non-employee
User's HRIS Employment account does not exist and is unauthorized. User is authorized in an IdP, but has not had activity in an IdP in the last 30 days
Deprovisioned
Deprovisioned
User's HRIS Employment account exists, and the HRIS account and an IdP account are both unauthorized with no noted activity on an IdP or User's HRIS Employment account does not exist, and the HRIS account and the IdP account are both unauthorized with no noted activity on an IdP
Inconsistent
Non-employee
User's HRIS employment account does not exist, the user is unauthorized in both the HRIS and in an IdP, but there was activity noted on a data source after the user's IdP status changed
Inconsistent
Unauthorized Employee
Users will be marked as inconsistent if we noticed account status discrepancies that could pose significant security threats to your environment. Inconsistent Users can also highlight discrepancies that arose during user onboarding or offboarding. It is important to review Inconsistent Users regularly, because these users may still have access to internal systems that they are no longer supposed to have access to. Users can be flagged as inconsistent for a variety of reasons. Below is a table visualization that maps what factors lead to each possible status, the compiled status, and inconsistency severity, if applicable.
If there is no HRIS data, a user will be marked as Inconsistent
if:
User is authorized in a non-IdP data source, but does not have an IdP account associated
Example: User only has a Github account but no associated account in Okta, Azure, or G-Suite
User is unauthorized in the IdP, but has had activity in the IdP in the last 30 days
User is authorized in the IdP, but has had no activity in the IdP in the last 30 days and their user type from the IdP is listed as an External account or a Service Account
If there is HRIS data, in addition to the reasons above, a user will be marked as Inconsistent
if:
User's HRIS account exists and is authorized, but the user is unauthorized in an IdP and there was activity noted on a data source after the user's IdP status changed
User's HRIS account exists and is authorized, but the user is unauthorized in an IdP
Note: If it is a newly created user account, the account will not flag as inconsistent, unless the user remains unauthorized in an IdP after 7 days
User's HRIS account exists but is not authorized, and the user is authorized in an IdP and has had activity in an IdP in the last 30 days
User's HRIS account exists but is not authorized, and the user is authorized in an IdP but has not had activity in an IdP in the last 30 days
User's HRIS account exists, the user is unauthorized in both the HRIS and an IdP, but there was activity noted on a data source after the user's IdP status changed
User's HRIS account does not exist, the user is unauthorized in both the HRIS and an IdP, but there was activity noted on a data source after the user's IdP status changed
User's HRIS account exists, the user is authorized in both the HRIS and an IdP, but the user type from the IdP is listed as an external account or a service account
Note: this is regardless of user's activity. The user may or may not have had activity in an IdP in the last 30 days.
User's HRIS account does not exist and is not authorized, but the user is authorized in an IdP and the user type from the IdP is listed as Employee or Contingent/Contractor
Note: this is regardless of user's activity. The user may or may not have had activity in an IdP in the last 30 days