Skip to content

Application Inventory

The SailPoint Accelerated Application Management (SAAM) Inventory provides a near realtime view of all discovered applications, user accounts, accounts and browser plugins in your environment.

SaaS Inventory

The SAAM SaaS Inventory provides a continuously updated view of all applications and user accounts discovered by SAAM across your organization. Information is aggregated from multiple discovery sources, including the SailPoint browser extension, and the IdP connector, to present a unified, cross-platform inventory of application usage across your organization.

This combined visibility helps administrators identify sanctioned and unsanctioned (shadow IT) applications, track authentication patterns, and monitor identity risk across all SaaS environments.

The SaaS Inventory also covers private or on-premises applications. Such applications are represented by their apex domain. You can configure one or more Custom Applications to replace or split the domain-based representation if multiple applications share the same root domain.

Viewing the SaaS Inventory

Select Inventory > SaaS from the left panel to view of all applications and user accounts discovered across your organization.

You can toggle between two primary modes using the Live toggle:

  • Default View - Displays consolidated inventory data refreshed automatically within approximately 24 hours. This view is optimized for reporting, querying, and visualizations such as charts, filters, and saved queries.
  • Live View - Displays real-time SaaS discovery data as discovered by active browser extensions/IdP API. Use this mode if you wish to see immediate updates, for example if you onboard a new application and want to make sure it is reflected in the SaaS Inventory, or when testing configuration changes such as defining custom applications.

By default, non-corporate assets, such as applications that users log in to with their consumer credentials are hidden from the SaaS Inventory. Some legitimate corporate assets may be accessed using unknown credentials (usernames without a domain suffix) or consumer / social login. To display all applications select the Suitcase icon.

The source column displays details of where the account data was discovered:

  • Browser Extension - The active sign-in activity was discovered from user browsers.
  • IdP Connector - SSO activity was observed for at least one account, or that the application was discovered using the IdP's installed applications API.

Select the Grid / Visualization toggle to switch between view types:

  • Grid View - The default tabular view displaying detailed application and account metrics.
  • Visualization Mode - Keeps the same underlying query but allows you to create visualization charts and visual summaries based on SaaS attributes, usage, or risk indicators.

Selecting an application opens the detail panel with detailed contextual information:

  • App description - A short overview of the application and its purpose.
  • Show more - Expands additional labels and metadata associated with the application including tags or compliance labels.
  • Sensitivity - Indicates the applications sensitivity level. By default, this is derived from out-of-the-box mappings based on the applications category. Administrators can override the sensitivity value manually if needed. This affects the overall risk score.
  • Risk levelAuthorization, and App owner - Provides quick visibility into the applications ownership and overall risk posture.

Sorting and Risk Calculation

By default, the SaaS Inventory is sorted by overall identity-breach risk for each application.

The risk score is calculated by combining two weighted factors:

  1. Exposure - Measures how easy it would be for a threat actor to gain access to an account in the application. Factors that increase exposure include a high number of compromised accounts, weak passwords, and lack of MFA enforcement.
  2. Sensitivity - Reflects the potential impact of a breach. The score is determined by the applications sensitivity classification, which defaults to OOTB mappings based on application labels. Administrators can override the classification sensitivity manually in the applications side panel.

The calculated Risk Level (Low, Medium, High, or Very High) determines the applications position in the inventory and how it appears in risk-based visualizations.

Users Inventory

The Users Inventory represents all the employee records that were discovered by the IdP connector, and includes details of the status of the user and when the user was last active. Select a user to view a list all discovered user accounts associated with this user.

Accounts Inventory

The Accounts Inventory represents all user accounts discovered by the browser extension and the IdP connector providing a granular view of each account, its associated application, login method, MFA status, and identity risk indicators.