# User Statuses

### Overview

User Statuses are broken down into two categories: the [Identity Provider (IdP) Status](#idp-status) and the [Identity Intelligence Status](#identity-intelligence-status). Read on to learn the differences between the two statuses, how each status is compiled, and what each status means.

### Identity Provider (IdP) Status

The Identity Provider (IdP) Status is gathered directly from what is configured on the data source for a particular user.

You can see the respective IdP Status for each data source associated with a user in the top-right corner of each source card on the User 360 [Overview](https://docs.oort.io/understanding-your-users/user-360/overview-tab) tab.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FFaNv41BYDSsJxB6IDw8F%2Fimage.png?alt=media&#x26;token=83072e31-49c5-495b-bf17-4bfa7fa3f2b3" alt="" width="375"><figcaption></figcaption></figure>

### Statuses and definitions

To learn which statuses are possible and what each IdP status means, please refer to the data source's documentation on user statuses. Examples: [Okta](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-end-user-states.htm), [Duo](https://help.duo.com/s/article/6965?language=en_US).

## Identity Intelligence Status

The Identity Intelligence status combines all of the user's [IdP statuses](#identity-provider-idp-status) with observability information based on the user's activity. If you have an HRIS system configured, it also includes the user's employment status from the HRIS system.

A high-level Identity Intelligence status can be seen in the Status column on the [Users](https://docs.oort.io/understanding-your-users/users) page.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F0Fh9gNluXHObzUNxXfoL%2Fimage.png?alt=media&#x26;token=9ed72757-42d2-4831-938c-2148c3d91220" alt=""><figcaption></figcaption></figure>

Additionally, the high-level Identity Intelligence status tag can be seen next to the user's name and email on every tab across the User 360.

A more detailed, compiled Identity Intelligence status can be seen on the User 360 [Overview](#overview) tab, in the Summary widget, which is directly beneath the user's name and email. This compiled status combines the user type, taken directly from the IdP (i.e., internal, external, service accounts, etc.), and the Identity Intelligence status. If there is no user type in the IdP for that user, it will be marked as 'Missing'.

You can filter on `Compiled Status` as a basic filter on the [Users](https://docs.oort.io/understanding-your-users/users) page and/or add the field to the table as an additional column.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F2iyyXUSxs4yfLYqk2xAU%2Fimage.png?alt=media&#x26;token=794ad4d7-5357-4242-98c6-0d67d8351021" alt=""><figcaption></figcaption></figure>

### Statuses and definitions

If there is **no HRIS data integration available** for your tenant or a user, the detailed status is the user type taken from the IdP + the high-level Identity Intelligence status (e.g., Internal, Active or External, Inactive).

Below are the statuses and definitions if **you do not have an HRIS data integration configured**:

<table><thead><tr><th width="228.5703125">Identity Intelligence Status</th><th width="162.25">Compiled Status</th><th>Definition</th></tr></thead><tbody><tr><td>Active</td><td>Active</td><td>User is authorized in the IdP and has had activity in an IdP in the last 30 days </td></tr><tr><td>Inactive</td><td>Inactive</td><td>User is authorized in the IdP, but has <em><strong>not</strong></em> had activity in an IdP in the last 30 days </td></tr><tr><td>Deprovisioned</td><td>Deprovisioned</td><td>User is unauthorized in the IdP and has not had activity in an IdP in the last 30 days</td></tr><tr><td><mark style="color:red;">Inconsistent</mark> </td><td>Unauthorized</td><td><a href="#inconsistent-users"><em>See below</em></a></td></tr></tbody></table>

If an **HRIS data integration is available**, the detailed status is the user type taken from the IdP + the compiled status listed below (i.e., Internal, Active Employee or Service Account, Non-employee).

Below are the statuses and definitions if you **have an HRIS data integration configured**:

<table><thead><tr><th width="251">Identity Intelligence Status</th><th width="155">Compiled status</th><th>Definition</th></tr></thead><tbody><tr><td>Active</td><td>Active Employee</td><td>User's HRIS employment account exists and is authorized. User is authorized in the IdP and has had activity in an IdP in the last 30 days  </td></tr><tr><td>Active</td><td>Non-employee</td><td>User's HRIS Employment account does not exist and is unauthorized. User is authorized in the IdP and has had activity in an IdP in the last 30 days  </td></tr><tr><td>Inactive</td><td>Inactive Employee</td><td>User's HRIS Employment account exists and is authorized. User is authorized in the IdP, but has <strong>not</strong> had activity in an IdP in the last 30 days </td></tr><tr><td>Inactive</td><td>Non-employee</td><td>User's HRIS Employment account does not exist and is unauthorized. User is authorized in an IdP, but has <em><strong>not</strong></em> had activity in an IdP in the last 30 days  </td></tr><tr><td>Deprovisioned</td><td>Deprovisioned </td><td>User's HRIS Employment account exists, and the HRIS account and an IdP account are both unauthorized with no noted activity on an IdP <br><br><em>or</em><br><br>User's HRIS Employment account does not exist, and the HRIS account and the IdP account are both unauthorized with no noted activity on an IdP </td></tr><tr><td><mark style="color:red;">Inconsistent</mark></td><td>Non-employee</td><td>User's HRIS employment account does not exist, the user is unauthorized in both the HRIS and in an IdP, but there was activity noted on a data source after the user's IdP status changed</td></tr><tr><td><mark style="color:red;">Inconsistent</mark> </td><td>Unauthorized Employee</td><td><a href="#inconsistent-users"><em>See below</em></a></td></tr></tbody></table>

### Inconsistent Users

Users will be marked as inconsistent if we notice account status discrepancies that could pose significant security threats to your environment. Inconsistent Users can also highlight discrepancies that arose during user onboarding or offboarding. It is important to review Inconsistent Users regularly, because these users may still have access to internal systems that they are no longer supposed to have access to.

Users can be flagged as inconsistent for a variety of reasons. Below is a table visualization that maps what factors lead to each possible status, the compiled status, and the inconsistency severity, if applicable.

**If there is no HRIS data**, a user will be marked as `Inconsistent` if:

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FL1SaBtysnX15SEpPrphb%2Fimage.png?alt=media&#x26;token=afc79a70-31ee-4618-b19a-2073f69aab58" alt=""><figcaption></figcaption></figure>

* User is authorized in a non-IdP data source, but does **not** have an IdP account associated
  * Example: User only has a GitHub account but no associated account in Okta, Azure, or G-Suite
* User is unauthorized in the IdP, but has had activity in the IdP in the last 30 days
* User is authorized in the IdP, but has had no activity in the IdP in the last 30 days and their user type from the IdP is listed as an External account or a Service Account

**If there is HRIS data**, in addition to the reasons above, a user will be marked as `Inconsistent` if:

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FwNohSzAPpqNJuvjrsYiA%2FStuff%20and%20Thingz%20(2).jpg?alt=media&#x26;token=7436a423-8049-4464-abd8-4d382370b5c2" alt="" width="563"><figcaption></figcaption></figure>

* User's HRIS account exists and is authorized, but the user is unauthorized in an IdP and there was activity noted on a data source after the user's IdP status changed
* User's HRIS account exists and is authorized, but the user is unauthorized in an IdP
  * Note: If it is a newly created user account, the account will not flag as inconsistent, unless the user remains unauthorized in an IdP after 7 days
* User's HRIS account exists but is not authorized, and the user is authorized in an IdP and ***has*** had activity in an IdP in the last 30 days
* User's HRIS account exists but is not authorized, and the user is authorized in an IdP but ***has not*** had activity in an IdP in the last 30 days
* User's HRIS account exists, the user is unauthorized in both the HRIS and an IdP, *but* there was activity noted on a data source after the user's IdP status changed
* User's HRIS account does not exist, the user is unauthorized in both the HRIS and an IdP, *but* there was activity noted on a data source after the user's IdP status changed
* User's HRIS account exists, the user is authorized in both the HRIS and an IdP, *but* the user type from the IdP is listed as an external account or a service account
  * Note: this is regardless of user's activity. The user may or may not have had activity in an IdP in the last 30 days.
* User's HRIS account does not exist and is not authorized, but the user is authorized in an IdP and the user type from the IdP is listed as Employee or Contingent/Contractor
  * Note: this is regardless of user's activity. The user may or may not have had activity in an IdP in the last 30 days
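The rules listed above can be expressed as a small classifier for auditing an identity export of your own. This is an added example, not the product's code: the `User` record, its field names, the reason strings, and the "Internal" user type label are assumptions, and only the high-level status (not the compiled status) is derived.

```python
from dataclasses import dataclass
from typing import List, Optional

WINDOW_DAYS, GRACE_DAYS = 30, 7  # activity window; grace period for new accounts

@dataclass
class User:  # hypothetical record; every field name is an assumption
    idp_authorized: Optional[bool]          # None = no IdP account linked
    days_since_idp_activity: Optional[int]  # None = no IdP activity on record
    user_type: str = "Missing"              # user type as reported by the IdP
    non_idp_authorized: bool = False        # e.g. a GitHub-only account
    activity_after_idp_change: bool = False
    account_age_days: int = 365
    hris_exists: Optional[bool] = None      # None = no HRIS data for this user
    hris_authorized: bool = False

def is_active(u: User) -> bool:
    return u.days_since_idp_activity is not None and u.days_since_idp_activity <= WINDOW_DAYS

def inconsistency_reasons(u: User) -> List[str]:
    idp, active = u.idp_authorized, is_active(u)
    hris_ok = bool(u.hris_exists) and u.hris_authorized
    guest = u.user_type in ("External", "Service Account")
    staff = u.user_type in ("Employee", "Contingent/Contractor")
    rules = [  # first three apply with or without HRIS data
        (idp is None and u.non_idp_authorized, "non-IdP access without an IdP account"),
        (idp is False and active, "unauthorized in IdP but active in the last 30 days"),
        (idp is True and not active and guest, "dormant external or service account"),
    ]
    if u.hris_exists is not None:  # HRIS-only rules
        unauth_hris = not u.hris_authorized
        rules += [
            (hris_ok and idp is False and u.account_age_days > GRACE_DAYS,
             "authorized in HRIS but unauthorized in IdP"),
            (hris_ok and idp is True and guest, "HRIS employee typed as external or service"),
            (u.hris_exists and unauth_hris and idp is True, "unauthorized in HRIS but authorized in IdP"),
            (unauth_hris and idp is False and u.activity_after_idp_change,
             "activity after IdP status change while unauthorized in HRIS and IdP"),
            (not u.hris_exists and idp is True and staff, "no HRIS record but typed as employee or contractor"),
        ]
    return [reason for hit, reason in rules if hit]

def identity_status(u: User) -> str:
    if inconsistency_reasons(u):
        return "Inconsistent"
    if not u.idp_authorized:  # unauthorized with no flagged activity
        return "Deprovisioned"
    return "Active" if is_active(u) else "Inactive"

SAMPLE = User(idp_authorized=False, days_since_idp_activity=3)  # constructed: disabled but active
```

Returning the reasons alongside the status makes it clear which discrepancy to resolve first, for example a disabled IdP account that is still generating activity.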
