Compare
Compare users and roles to identify access and attribute similarities, differences, and potential security risks in your organization.
Overview
The Access Intelligence > Compare feature enables side-by-side analysis of access and attributes between users or roles.
Often, environments contain identical or very similar users, roles and other entities (such as dozens of AWS accounts with identically named roles like admin_terraform). When one of these is well-maintained, you can compare it with the others and make adjustments to align them with the ideal example. Compare makes this easier.
In addition, comparison can help security teams identify access and attribute differences to support access governance initiatives in the following ways:
Identify excessive access by comparing users/roles with ideal user/role
Identify missing access by comparison
Identify the key attributes that clearly differentiate two users/roles
Identify incorrect attributes for users/roles by comparing with others
Compare supports two entity types for comparison, and different ways to examine entities:
Users - Compare two users of the same type
Roles - Compare two roles of the same type
Properties - Compare attributes and metadata such as creation dates, IDs, and configuration settings
Relationships - Compare access relationships, such as which resources an identity can access
Best Practices
Comparison is most useful after you have created baseline profiles (such as an engineering_profile Okta User or AWS IAM Role) with the appropriate level of access. You can then compare other users or roles to the baseline to see how properties and access vary from the established norm.
To effectively leverage the Compare feature in your security program, organizations should:
Establish standardized baseline profiles for each job function and role type
Conduct regular, scheduled audits comparing production users and roles against baselines
Document intentional deviations when discovered and approved
User Comparison
User comparison provides insights for teams managing user access across systems. Use it to verify the effectiveness of role-based access control by comparing users with similar roles, and to:
Validate onboarding by comparing new users against established templates
Detect privilege creep where users have accumulated excessive permissions
Support offboarding processes by comparing departing employees with their replacements
Role Comparison
Role comparison supports standardization of similar roles and reduces security gaps and confusion in environments with many roles. Use it to:
Identify and consolidate redundant roles for reduced complexity
Identify drift when similar roles have gained or lost permissions over time
Validate role designs by confirming roles have the appropriate access for their intended function (neither too permissive nor too restrictive)
Focus specifically on role differences rather than reviewing all permissions from scratch
Using the Compare Feature
From the main Veza navigation, go to the Access Intelligence > Compare section
Select either the User Comparison or Role Comparison tab
Configure the comparison:
Select the Type (e.g., AWS IAM Role, Okta User, Azure AD User)
Select Entity 1 (typically your baseline entity)
Select Entity 2 (the entity you want to compare)
Choose the Type of Comparison
Property - Compare the properties of the two entities (such as creation date and ID fields)
Relationship - Compare the relationships between entities (such as access to resources)
For Relationship comparison, use the Relates To filter to choose a related entity type (e.g., S3 Bucket).
Click Run to generate the comparison
The results displayed depend on the comparison type:
Property Comparison
Property comparison shows differences in the attributes of two users or roles. The table of results includes information about:
Access Matching - Whether the property values match between the two entities
"Complete Match" - The property value is identical for both entities
"No Match" - The property values differ between entities
Both Have Property - Shows values common to both entities
User/Role 1 Only - Shows values specific to the first entity
User/Role 2 Only - Shows values unique to the second entity
Relationship Comparison
Relationship comparison shows the access relationships between entities. When comparing roles, you can see the resources to which each role has an access-granting relationship. When comparing users, you can review the resources that two users can access.
For relationship comparison, the results display:
Visual indicators (checkmarks and X marks) showing which entities have access
Matching status (Complete Match, No Match), indicating whether access is the same or different
Filtering options to focus on specific resources or access patterns
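As an added illustration (not Veza code or its API), the following Python reproduces the property and relationship output described in the two sections above for two constructed admin_terraform roles: a well-maintained baseline and the same-named role from a second AWS account. The entity data, account ID and bucket names are constructed for the example.

```python
# Constructed sample data (not from any real tenant): role properties plus the S3 buckets each role can access.
BASELINE = {
    "properties": {
        "path": "/",
        "max_session_duration": 3600,
        "permissions_boundary": "arn:aws:iam::111111111111:policy/Boundary",
        "tags": ["owner:platform", "env:prod"],
    },
    "relationships": {"S3 Bucket": {"tf-state-prod", "audit-logs"}},
}
CANDIDATE = {
    "properties": {
        "path": "/",
        "max_session_duration": 43200,  # drifted from the baseline
        "tags": ["owner:platform", "env:dev"],  # and no permissions boundary at all
    },
    "relationships": {"S3 Bucket": {"tf-state-prod", "customer-exports"}},
}


def _as_set(value):
    """Treat multi-valued properties (tags, group memberships) element-wise."""
    if value is None:
        return set()
    return set(value) if isinstance(value, (list, set, tuple)) else {value}


def compare_properties(entity1, entity2):
    """One row per property: match status and which values sit on which side."""
    p1, p2 = entity1["properties"], entity2["properties"]
    rows = []
    for key in sorted(set(p1) | set(p2)):
        v1, v2 = _as_set(p1.get(key)), _as_set(p2.get(key))
        only1, only2 = v1 - v2, v2 - v1
        rows.append({"property": key,
                     "status": "No Match" if only1 or only2 else "Complete Match",
                     "both": sorted(v1 & v2),
                     "entity1_only": sorted(only1), "entity2_only": sorted(only2)})
    return rows


def compare_relationships(entity1, entity2, relates_to):
    """Per related resource: whether each entity has access (checkmark / X) and the match status."""
    r1 = entity1["relationships"].get(relates_to, set())
    r2 = entity2["relationships"].get(relates_to, set())
    rows = []
    for resource in sorted(r1 | r2):
        has1, has2 = resource in r1, resource in r2
        rows.append({"resource": resource, "entity1": "✓" if has1 else "✗",
                     "entity2": "✓" if has2 else "✗",
                     "status": "Complete Match" if has1 == has2 else "No Match"})
    return rows
```

Rows with status "No Match" are the drift findings: here the longer session duration, the missing permissions boundary, the env tag, and the two buckets that only one role can reach.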