Interpreting Identity Graph Data
The legend helps you understand and interpret the visual elements presented on the identity graph, helping you quickly gain context around the current state of a graph.
To display the legend, select the Legend button in the top right.
Access Objects
Colors and icons are used to distinguish between access object types, enabling quick identification.
- Identities - Human identities and AI agents.
- Access items - Entitlements, Access Profiles, and Roles.
Limited Availability
AI Agent Identities are only available to select customers. Visit SailPoint Product News for more information.
| Access Object | Description |
|---|---|
| Identity | Human identities and AI agents that have access. |
| Role | Represented by a green circle. Roles are the grouped sets of access assigned to an identity. |
| Access Profile | Represented by a pink circle. Access profiles are bundles of entitlements assigned to an identity. |
| Nested Entitlement | Represented by a grey circle. |
| Assigned Entitlement | Represented by a blue circle. |
Entitlement Hierarchy and Inheritance
The graph visualizes data available in Identity Security Cloud, pulling together an identity's access and displaying the relationships between access objects.
When viewing the graph in the top-down layout:
- If you have opened the graph for an identity, the relationship between access objects is displayed from the identity down to the entitlement.
- If you have opened the graph from an entitlement, the entitlement hierarchy is displayed from top to bottom: the parent (top-level) entitlement first, then each child entitlement below it. The entitlement hierarchy can have multiple layers, the highest level having no further parents and the lowest level having no further children.
Assigned Entitlement
Blue nodes represent assigned entitlements. These entitlements are directly associated with an identity or assigned via an access profile or role connected to the identity.
Note
Child entitlements of an assigned entitlement are not shown from an identity view, as the permissions of those child entitlements are not relevant to the assigned entitlement of the identity.
Nested Entitlement
Grey nodes represent nested entitlements. These entitlements are not directly assigned to the identity; instead, they are upstream of an entitlement that is assigned to the identity. Nested entitlements may span multiple levels of parent and child entitlements.
Nested entitlements are displayed to show the inheritance path and the relationships between entitlements: what an entitlement can inherit from, and which entitlements can inherit from it.
Note
The access object viewed in the graph, and its relationship to entitlements, determines whether the entitlement node is displayed as blue or grey.
Node Type
There are three node types, each indicated by a different sized node displayed in the graph.
| Node | Description |
|---|---|
| Root node | Largest of the nodes and centered on an identity graph. This node represents the access object that the graph displays. All edges extend from this node. |
| Intermediate node | Nodes that are aggregates of access and do not explicitly represent any access. You can expand an intermediate node to show the direct nodes. |
| Direct node | Smallest of the nodes, representing explicit access that is assigned to a user. When you expand an intermediate node, its direct nodes are displayed. |
Outer Rings on a Node
Outer rings appear around an access object when an action is performed on that node.
| Outer Rings | Description |
|---|---|
| Object is locked | A purple ring is present around a node that is locked. After repositioning a node, you can lock it in place to prevent it from moving when you manipulate other nodes on the graph. You can lock multiple nodes in place and manipulate the surrounding unlocked nodes. This feature is useful in the dynamic layout. |
| Object is selected | A white ring is present around a node when it has been selected. Select one or more access objects to highlight the node and perform actions. |
| Object is right-clicked | A blue ring is present around a node when right-clicked. Right-click an object to select an action to apply to the node. |
Ring Indicators
Red rings on nodes indicate the total number of privileged entitlements within the object, conveying the latent risk associated with that access object. Use this indicator to decide which objects to monitor and govern more closely.
An object with a high privilege percentage has access to sensitive resources, while an object with no privilege has no access to sensitive resources. Use the percentages to assess the level of risk associated with each access object.
Lines
Lines represent the connections and relationships between access objects.
| Line | Description |
|---|---|
| Path | A link between two nodes that represents an existing relationship. |
| Outlier | Entitlements assigned to less than 1% of the organization. To display this line, your organization must utilize the Identity Outliers feature in Identity Security Cloud. |
| Multiple Path | Access object with more than one access path, which can pose a security risk. |
| Recently Granted | Access granted within the last 30 days, which helps identify new and potentially unauthorized access. |
| Privileged | Access path that leads to privileged entitlements. |
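The legend categories above (blue assigned versus grey nested entitlements, the red privilege ring, and the Multiple Path, Recently Granted, Outlier and Privileged lines) all derive from the same access relationships. The following added example is not SailPoint code or data: it uses a constructed identity, role, access profile and entitlement hierarchy, and the helper names (`access_paths`, `nested_entitlements`, `line_flags`, `privilege_percentage`) are assumptions, to show how each legend indicator can be computed from that model.

```python
from datetime import date, timedelta
# Constructed sample data (not SailPoint's own data or API): roles bundle access profiles,
# which bundle entitlements; identities hold roles plus direct entitlements; PARENT_OF maps child -> parent.
IDENTITY_ROLES = {"alice": {"role_accountant"}}
IDENTITY_DIRECT = {"alice": {"ent_db_read"}}
ROLES = {"role_accountant": {"ap_finance"}}
ACCESS_PROFILES = {"ap_finance": {"ent_db_read", "ent_ledger_write"}}
PARENT_OF = {"ent_ledger_write": "ent_ledger_admin", "ent_ledger_admin": "ent_finance_root"}
PRIVILEGED = {"ent_ledger_write", "ent_ledger_admin"}
GRANTED_ON = {("alice", "ent_db_read"): date(2023, 1, 15), ("alice", "ent_ledger_write"): date(2024, 6, 1)}
HOLDERS = {"ent_db_read": 120, "ent_ledger_write": 3}  # identities holding each entitlement
ORG_SIZE, TODAY = 500, date(2024, 6, 20)

def access_paths(identity):
    """Blue nodes: each assigned entitlement mapped to every path from the identity to it."""
    paths = {}
    for ent in IDENTITY_DIRECT.get(identity, ()):
        paths.setdefault(ent, []).append([identity, ent])
    for role in IDENTITY_ROLES.get(identity, ()):
        for ap in ROLES[role]:
            for ent in ACCESS_PROFILES[ap]:
                paths.setdefault(ent, []).append([identity, role, ap, ent])
    return paths

def nested_entitlements(identity):
    """Grey nodes: ancestors the assigned entitlements inherit from, not assigned themselves."""
    assigned = set(access_paths(identity))
    nested = set()
    for ent in assigned:
        while ent in PARENT_OF:
            ent = PARENT_OF[ent]
            if ent not in assigned:
                nested.add(ent)
    return nested

def line_flags(identity, today=TODAY):
    """Legend line indicators on the edge to each assigned entitlement."""
    flags = {}
    for ent, paths in access_paths(identity).items():
        checks = {
            "multiple_path": len(paths) > 1,
            "recently_granted": today - GRANTED_ON[(identity, ent)] <= timedelta(days=30),
            "outlier": HOLDERS[ent] / ORG_SIZE < 0.01,
            "privileged": ent in PRIVILEGED,
        }
        flags[ent] = {name for name, hit in checks.items() if hit}
    return flags

def privilege_percentage(access_profile):  # red-ring value for a container node
    return 100 * len(ACCESS_PROFILES[access_profile] & PRIVILEGED) / len(ACCESS_PROFILES[access_profile])
```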