# Users ### Overview The Users page provides high level information on all the user identities in your environment, along with several filters and sortable columns, so that you can better understand, analyze and share user population data based on a variety of useful parameters. By default, the table on the Users page is sorted by User Name, and excludes user accounts that have been deleted, deprovisioned, or disabled.

This section covers: * [Definitions of the elements in the table](#user-list-elements) * [Users page actions](#users-tab-general-actions) such as searching, exporting results, etc * [Basic Filters](#apply-basic-filters) and [Advanced Query Mode](https://docs.oort.io/understanding-your-users/users/advanced-query-mode) * [Pivoting on IP address](#pivot-on-ip-address) ### Users table elements The section below details the fields that appear in the table by default, as well as the definition of each field:

Element	Description
User	The user's display name and their corresponding email or username
Trust Level	The user's current Trust Level
Checks	The total number of checks a user is failing. A 🚫 icon in this column indicates that the corresponding user is not part of the protected population and checks are not being evaluated against this user
# IPs	The total number of IP addresses associated with a user's activity across all providers
# Logins	The total number of attempted logins across all providers, regardless of result (success, failure, challenge, other)
Last Seen (UTC)	The date and time of the last login attempt, regardless of outcome, for a user across all providers
Last IP Address	The IP address associated with the last successful or failed login attempt for a user across all providers Read more below about how to pivot on the last IP address
Last Location	The location associated with the last successful or failed login attempt for a user across all providers
MFA	= MFA configured = MFA not configured
Providers	The logo icon(s) for the corresponding identity data sources where a user's account has been associated Hovering over a source will show you the integration name and user's status as gathered from the identity data source
Status	The user's Identity Intelligence Status and Lifecycle Event tag, if applicable. Lifecycle events highlight recent, notable events that have occurred on a user's account that can be beneficial to know about during an investigation. Lifecycle event badges are displayed for 7 days after the event is noted Status - Active (green badge): This account is enabled in an identity data source and has successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks (default setting is 30 days) - Inactive (Grey badge): This account is enabled in an identity data source, but has not successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks. (default setting is 30 days) - Deprovisioned (Grey badge): This account is no longer enabled in an identity data source and cannot be signed into - Inconsistent (red badge): This account has been flagged because there are account status discrepancies that may pose a significant security threat. See Inconsistent Users to learn about what factors contribute to a user being marked as inconsistent Lifecycle Events (yellow badge) - New Account: indicates that this account was recently created. Includes the date the account was created Significant Change: indicates that an uncommon, but important, activity has recently happened on this account (for ex: MFA factor added, admin privileges granted, sensitive app assigned, etc). You can query for specific Significant change events using Advanced Query mode
Compiled Status	Compiled status combines provider user types (ie: internal, external, service accounts, etc) and the user's Identity Intelligence Status

Additional columns can be added to the table view using the **Columns** button:

Element	Description
Created Date (UTC)	The date a user's account was created. Uses the first creation date available across all configured providers
Employee ID	The employee ID, gathered from the provider if available
Manager Login	The user's manager's email address, gathered from the provider if available
Title	The user's job title, gathered from the provider(s) if available
Department	The department a user belongs to, gathered from the provider(s) if available
Registered Location	The location a user is supposed to be working from based on hiring agreements, if available from the HRIS or the IdP. If the user has multiple registered locations that differ, the HRIS data always takes precedence. If HR information is not available for a user, then the data comes from the IdP
Inconsistency Severity	The severity of the inconsistency noted for a user with Inconsistent status
User Type	The Identity Intelligence user type assigned based on compiled identity data source user types

### Users page general actions There are several general actions that can be performed on the Users page: * Search * Sort, add or remove columns * Download results * Share results * Refresh Navigate through the tabs below to read more about how to utilize each action. {% tabs %} {% tab title="Search" %} #### **Search** Use the search bar to search based on users, names, group, applications and IPs. When searching, you do not need to provide an exact value. Typing a piece of the word will return results. If you have searched on a particular parameter, the search criteria is retained as you navigate between different tabs within the platform. To clear the search bar, select the **X** on the right most side of the search bar, next to the **Advanced** button. {% endtab %} {% tab title="Sort Columns" %} **Sort Columns** Sort columns within the table by selecting the column header you'd like to sort by. Select once to sort in ascending order, select again to sort in descending order. Multi-column sorting is **not** currently supported. {% endtab %} {% tab title="Add/remove columns" %} #### **Add or remove columns** Columns can be added or removed from the table using the **Columns** button in the top right of the table, above the column headers. Select this button to choose the columns you'd like to display in the UI. \ To return to the default settings, select **Restore Default** at the bottom of the list when you open the **Columns** button.

The Download feature (next tab) respects the visible columns. {% endtab %} {% tab title="Download results" %} **Download results** You can download tabular data from the table to a CSV using the **Download** icon button on the right after the search bar. All columns displayed and filters applied are included in the CSV output. If there are no results in the table, the CSV export will contain only headers and no user data\ \ Note: The CSV download has a limit of 2,000 rows. If you need to download more than 2,000 rows, select the download button and follow the prompts to get the export sent via a download link.

{% endtab %} {% tab title="Share URL" %} **Share URL** The **Share** button (on the right side of the Search bar) copies a link to this page, with the applied filters and selected columns, that can be easily pasted, bookmarked or shared with anyone who has the appropriate access to your Identity Intelligence tenant

{% endtab %} {% tab title="Refresh" %} **Refresh** Use the **Refresh** button on the right side of the search bar to refresh user data and filter counts in the table after making changes (ex: linking users, excluding a user from a check).

{% endtab %} {% endtabs %} ### Filters The Users table is filterable by a number of attributes, enabling you to slice and dice your user population based on the parameters that are important to you. There are two types of filters that can be used on the Users table - [basic filters](#applying-basic-filters), which can be found to the left of the Users table and [Advanced Query mode](https://docs.oort.io/understanding-your-users/users/advanced-query-mode), which can be enabled via the search bar above the users table. Check out our documentation on to [how to use Advanced Query Mode](https://docs.oort.io/understanding-your-users/advanced-query-mode#entering-advanced-mode-and-adding-filters) to learn more. Filtered results derived from both basic filters, as well as advanced queries, can be saved to access later or share with teammates. To learn more about how to save filters, see [Saved Filters](https://docs.oort.io/understanding-your-users/users/saved-filters) to learn more. #### Applying basic filters You can see all the available basic filters on the left hand side of the Users page. To enable a filter, select the check box for the attribute you would like to filter by. The applied filters will be added to the search bar, as seen in the screenshot below. The number of users that you are currently viewing, based on the filters and searches used, will appear in the top left corner of the Users table above the column headers. To remove a filter, you can either deselect the attribute from the filters list on left hand side of the Users table, or select the **X** on the right hand side of the filter box that is in the search bar. To remove all filters besides the default filter, select the **X** located next to the **Advanced** Filter button in the search bar. After you have selected your filters, the filters are retained as you navigate between different areas within the platform.

{% hint style="info" %} By default, the Users Table excludes user accounts that have been deleted, deprovisioned, or disabled. To include these accounts in the results, select the **X** on the right side of the 'NOT Status' filter box in the search bar. {% endhint %} Distinct filters are separated by an **AND** operator. For example, if you select the `Duo` value from the `Sources` filter and the `No` value for `MFA Configured` filter, the table will display all users in `Duo` who have `No MFA Configured`. For most filters, you can select more than one value to filter by. Within a given filter, selecting more than one value will separate the values with an **OR** operator by default. For example, if you select the values `Okta` and `Duo` for the `Sources` filter, users with accounts in **either** `Okta` **OR** `Duo` will be displayed. However, within a given filter, if you would like to filter for users with accounts in both `Okta` **AND** `Duo`, you can select the **OR** operator found in the filter box in the search bar or in the left hand filter menu (screenshots below), to switch it to **AND**. Doing this will allow you to see users that are in both `Okta` **AND** `Duo`. Filters that use radio buttons cannot have more than one value selected at once (for ex: `Is Admin`)

Specific values can also be excluded from the results for most filters, except for those that cannot have more than one value selected at once. To exclude a value from filtered results (ie: `NOT`), you can select the 🚫 icon in either the filter box in the search bar or the left hand filter menu.

Similarly, you can 'include all' filter values in the results, except for filters that cannot have more than one value selected at once. To select all values within a given filter, select `All` next to the filter value title.

### **Pivot on IP address** The IP address in the table has a few actions associated with it that can be useful to learn more about an IP address and the associated activity. The actions menu will pop up when left-clicking on a specific IP address in a user row. The actions are: * **Find user activity -** Takes you to the [Activity](https://docs.oort.io/understanding-your-users/user-360/activity-tab) tab of the User 360 for the respective user, with the selected IP address added as a filter, so you can see all the user's activity associated with this particular IP address * **Find users who attempted to sign in from X.X.X.X -** Adds the selected IP address as a search parameter on the [Users](https://docs.oort.io/understanding-your-users/users) page so you can see any other users who have activity associated with this particular IP address * **See IP info -** Takes you to the [Networks](https://docs.oort.io/how-to-guides/networks-tab-and-user-investigations) tab of the User 360 for the respective user, with the selected IP address added as a filter, and opens the slide panel so you can see more detailed information about that IP address for this user * **Copy to clipboard -** Copies the IP address to your clipboard so that you can paste it within Identity Intelligence or another tool