Instacart's JIT access playbook

Get quick insight into access data

Use ConductorOne's dashboards and pre-built access queries to quickly zoom in on important access information relevant to your organization's security.

Access explorer queries

To query your access data, navigate to Admin > Explore > Search.

On the Access explorer page you’ll find pre-built queries to help you explore and understand your organization’s access data so you can mitigate potential security risks. Here’s an overview of the available queries and the ways you can filter them to zoom in on the data that matters most to you.

Query titleWhat the query showsAvailable filters
Access profile membershipsAll users’ access profile assignments.By access profile
By user
All accountsAll accounts for all applications.By app
By user
Inactive accountsAccounts that have not been logged into within the timeframe you select.By app (required)
Accounts without an account ownerAll accounts for all applications with no account owner set.By app
High-risk accountsAccounts granted at least one entitlement designated high risk.None
Orphaned accountsAll accounts for all applications with either no account owner or a deactivated user set as the account owner.By app
Past grantsAll accounts with access grants that have expired or been removed, with grant and removal dates.By app
By entitlement
Apps with a deactivated ownerApplications with a designated application owner whose account is deactivated.By app
Apps with one ownerApplications that have a single designated application owner.By app
Entitlements with a deactivated ownerEntitlements with a designated entitlement owner whose account is deactivated.None
Entitlements with one ownerEntitlements that have a single designated entitlement owner.None
All resourcesAll resources for all applications.By app
By resource type
By risk level
Resources with a deactivated ownerResources with a designated resource owner whose account is deactivated.None
High-risk role grants (permanent)All users granted a role designated high risk with no expiration on the grant.None
High-risk role grants (temporary)All users granted a role designated high risk with a time limit on the grant.None
Standing privilegesUsers with access grants that have no time limit.By app
Users without a managerUsers with no manager user attribute set.None
Users with an unspecified employment statusUsers with no employment status user attribute set.None

Security dashboard

To help you quickly and easily track high-risk and sensitive access, the results of select access explorer queries are also summarized on the Security dashboard. Click a dashboard card to be directed to the query results page where you can view the data in more detail, filter the results (when filters are available), and create and download reports.

To access the security dashboard, navigate to Admin > Dashboard and click the Security tab.

The security dashboard shows quick summaries of the following categories:

  • Orphaned accounts - All accounts for all applications with either no account owner or a deactivated user set as the account owner.

  • High-risk accounts - Accounts granted at least one entitlement designated high risk.

  • Inactive accounts (past 30 days) - Accounts with no activity for the past month.

  • High-risk role grants (permanent) - All users granted a role designated high risk with no expiration on the grant.

  • Standing privileges - Users with access grants that have no time limit.

  • High-risk role grants (temporary) - All users granted a role designated high risk with a time limit on the grant.