# Compare

## Overview

The **Access Intelligence** > **Compare** feature enables side-by-side analysis of access and attributes between users or roles.

Environments often contain identical or very similar users, roles, and other entities (such as dozens of AWS accounts with identically named roles like `admin_terraform`). When one of these is well-maintained, you can compare it with the others and adjust them to align with that ideal example. **Compare** makes this easier.

In addition, comparison can help security teams identify access and attribute differences to support access governance initiatives in the following ways:

* Identify excessive access by comparing users/roles with an ideal user/role
* Identify missing access by comparison
* Identify key attributes that clearly differentiate two users/roles
* Identify incorrect attributes for users/roles by comparing with others

**Compare** supports two entity types for comparison (users and roles) and two ways to examine them (properties and relationships):

1. **Users** - Compare two users of the same type
2. **Roles** - Compare two roles of the same type
3. **Properties** - Compare attributes and metadata such as creation dates, IDs, and configuration settings
4. **Relationships** - Compare access relationships, such as which resources an identity can access

### Best Practices

Comparison is most useful after you have created baseline profiles (such as an `engineering_profile` Okta User or AWS IAM Role) with the appropriate level of access. You can then compare other users or roles to the baseline to see how properties and access vary from the established norm.

To use the Compare feature effectively in your security program:

* Establish standardized baseline profiles for each job function and role type
* Conduct regular, scheduled audits comparing production users and roles against baselines
* Document intentional deviations when discovered and approved

### User Comparison

User comparison provides insights for teams managing user access across systems. You can use it to verify the effectiveness of role-based access control by comparing users with similar roles:

* Validate onboarding by comparing new users against established templates
* Detect privilege creep where users have accumulated excessive permissions
* Support offboarding processes by comparing departing employees with their replacements

### Role Comparison

Role comparison can enable standardization for similar roles, and reduce security gaps and confusion in environments with many roles:

* Identify and consolidate redundant roles for reduced complexity
* Identify drift when similar roles have gained or lost permissions over time
* Validate role designs by confirming roles have the appropriate access for their intended function (neither too permissive nor too restrictive)
* Focus specifically on role differences rather than reviewing all permissions from scratch

### Using the Compare Feature

1. Open **Access Intelligence** > **Compare** (in the Products section of the navigation sidebar)
2. Select either the **User Comparison** or **Role Comparison** tab
3. Configure the comparison:
   * Select the **Type** (e.g., AWS IAM Role, Okta User, Azure AD User)
   * Select **Entity 1** (typically your baseline entity)
   * Select **Entity 2** (the entity you want to compare)
   * Choose the **Type of Comparison**
     * **Property** - Compare the properties of the two entities (such as creation date, ID fields, etc.)
     * **Relationship** - Compare the relationships between entities (such as access to resources)
   * For Relationship comparison, use the **Relates To** filter to choose a related entity type (e.g., S3 Bucket).
4. Click **Run** to generate the comparison

The result output changes based on the comparison type:

#### Property Comparison

Property comparison shows differences in the attributes of two users or roles. The table of results includes information about:

* **Access Matching** - Whether the property values match between the two entities
  * "Complete Match" - The property value is identical for both entities
  * "No Match" - The property values differ between entities
* **Both Have Property** - Shows values common to both entities
* **User/Role 1 Only** - Shows values specific to the first entity
* **User/Role 2 Only** - Shows values unique to the second entity

![Property Comparison Example](/files/D4aXAP36sebjSp2iZ88Z)

#### Relationship Comparison

Relationship comparison shows the access relationships between entities. When comparing roles, you can see the resources to which each role has an access-granting relationship. When comparing users, you can review the resources that two users can access.

For relationship comparison, the results display:

* Visual indicators (checkmarks and X marks) showing which entities have access
* Matching status (Complete Match, No Match), indicating whether access is the same or different
* Filtering options to focus on specific resources or access patterns

![Relationship Comparison Example](/files/1dRmB0xznVswDMhhqoUn)
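The baseline audit described under Best Practices can be sketched offline as follows. This is an added example, not Veza code or a Veza API: it applies the Complete Match / No Match status and the both / entity 1 only / entity 2 only split to constructed access data, and filters out approved deviations. The function names, the data layout, and the per-permission granularity are assumptions made for illustration.

```python
# Added example: not Veza code or a Veza API. All data below is constructed.
from typing import Dict, List, Set, Tuple
Access = Dict[str, Set[str]]  # resource name -> permissions granted on it
# Constructed sample: a baseline role and a similar role from another account.
BASELINE: Access = {
    "s3://tf-state": {"read", "write"},
    "s3://app-logs": {"read"},
    "s3://artifacts": {"read"},
}
CANDIDATE: Access = {
    "s3://tf-state": {"read", "write"},
    "s3://app-logs": {"read", "write", "delete"},
    "s3://billing-exports": {"read"},
}
# Reviewed and approved deviations, as (resource, permission) pairs.
APPROVED: Set[Tuple[str, str]] = {("s3://app-logs", "write")}


def compare_relationships(e1: Access, e2: Access) -> List[dict]:
    """Return one row per resource with a match status and the differences."""
    rows = []
    for resource in sorted(e1.keys() | e2.keys()):
        p1, p2 = e1.get(resource, set()), e2.get(resource, set())
        rows.append({
            "resource": resource,
            "matching": "Complete Match" if p1 == p2 else "No Match",
            "both": p1 & p2,
            "entity_1_only": p1 - p2,
            "entity_2_only": p2 - p1,
        })
    return rows


def findings(rows: List[dict], approved: Set[Tuple[str, str]]) -> Dict[str, list]:
    """Treat entity 1 as the baseline and list unapproved differences."""
    out: Dict[str, list] = {"excessive": [], "missing": []}
    for row in rows:
        for kind, column in (("excessive", "entity_2_only"), ("missing", "entity_1_only")):
            for perm in sorted(row[column]):
                if (row["resource"], perm) not in approved:
                    out[kind].append((row["resource"], perm))
    return out


if __name__ == "__main__":
    result = compare_relationships(BASELINE, CANDIDATE)
    for r in result:
        print(f'{r["resource"]:22} {r["matching"]}')
    print(findings(result, APPROVED))
```

Entity 1 is treated as the baseline, so anything only entity 2 holds is reported as excessive and anything only entity 1 holds is reported as missing, unless the pair is listed as an approved deviation.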


