Compare

Compare users and roles to identify access and attribute similarities, differences, and potential security risks in your organization.

Overview

The Access Intelligence > Compare feature enables side-by-side analysis of access and attributes between users or roles.

Often, environments will contain identical or very similar users, roles and other entities (such as dozens of AWS accounts with identically named roles like admin_terraform). When one of these is well-maintained, you can compare it with others and make adjustments to align with all the ideal example. Compare makes this easier.

In addition, comparison can help security teams identify access and attribute differences to support access governance initiatives in the following ways:

Identify excessive access by comparing users/roles with ideal user/role
Identify missing access by comparison
Identify key identifying attributes that helps one differentiate between two users/roles clearly
Identify incorrect attributes for users/roles by comparing with others

Compare supports two entity types for comparison, and different ways to examine entities:

Users - Compare two users of the same type
Roles - Compare two roles of the same type
Properties - Compare attributes and metadata such as creation dates, IDs, and configuration settings
Relationships - Compare access relationships, such as which resources an identity can access

Best Practices

Comparison is most useful after you have created baseline profiles (such as an engineering_profile Okta User or AWS IAM Role) with the appropriate level of access. You can then compare other users or roles to the baseline to see how properties and access vary from the established norm.

To effectively leverage the Compare feature in your security program, organizations should:

Establish standardized baseline profiles for each job function and role type
Conduct regular, scheduled audits comparing production users and roles against baselines
Document intentional deviations when discovered and approved

User Comparison

User comparison provides insights for teams managing user access across systems. You can use it to verify the effectiveness of role-based access control by comparing users with similar roles:

Validate onboarding by comparing new users against established templates
Detect privilege creep where users have accumulated excessive permissions
Support offboarding processes by comparing departing employees with their replacements

Role Comparison

Role comparison can enable standardization for similar roles, and reduce security gaps and confusion in environments with many roles:

Identify and consolidate redundant roles for reduced complexity
Identify drift when similar roles have gained or lost permissions over time
Validate role designs by confirming roles have the appropriate access for their intended function (neither too permissive nor too restrictive)
Focus specifically on role differences rather than reviewing all permissions from scratch

Using the Compare Feature

From the main Veza navigation, go to the Access Intelligence > Compare section
Select either the User Comparison or Role Comparison tab
Configure the comparison:
- Select the Type (e.g., AWS IAM Role, Okta User, Azure AD User)
- Select Entity 1 (typically your baseline entity)
- Select Entity 2 (the entity you want to compare)
- Choose the Type of Comparison
  - Property - Compare the properties of the two entities (such as creation date, ID fields, etc.)
  - Relationship - Compare the relationships between entities (such as access to resources)
- For Relationship comparison, use the Relates To filter to choose a related entity type (e.g., S3 Bucket).
Click Run to generate the comparison

The result output changes based on the comparison type:

Property Comparison

Property comparison shows differences in the attributes of two users or roles. The table of results includes information about:

Access Matching - Whether the property values match between the two entities
- "Complete Match" - The property value is identical for both entities
- "No Match" - The property values differ between entities
Both Have Property - Shows values common to both entities
User/Role 1 Only - Shows values specific to the first entity
User/Role 2 Only - Shows values unique to the second entity

Relationship Comparison

Relationship comparison shows the access relationships between entities. When comparing roles, you can see the resources to which each role has an access-granting relationship. When comparing users, you can review the resources that two users can access.

For relationship comparison, the results display:

Visual indicators (checkmarks and X marks) showing which entities have access
Matching status (Complete Match, No Match), indicating whether access is the same or different
Filtering options to focus on specific resources or access patterns

PreviousAnalyze NextRules and Alerts

Last updated 22 days ago

Was this helpful?