Application Management
The Applications page provides visibility into all applications discovered across your connected data sources. Monitor application security posture, track account distribution, assess risk levels, and manage application ownership from a centralized dashboard.
Overview
Applications in Hydden.Control represent the systems, services, and platforms where your organization's accounts exist. The Applications module helps you:
- Discover applications from connected data sources (Entra, Okta, Workday, etc.)
- Monitor security posture through risk scores and metrics
- Track account distribution across your application portfolio
- Identify security issues like stale accounts, MFA gaps, and privileged access
- Assign ownership for governance and accountability
Applications List
The Applications list displays all discovered applications with key information and filtering capabilities.
List Columns
| Column | Description |
|---|---|
| Application Name | Application display name with optional description |
| Platform | Data source platform (Entra, Okta, etc.) with logo |
| Accounts | Total count of associated accounts |
| Risk Score | Average risk score with color-coded badge |
| Owner | Assigned application owner |
| Created | Application creation date |
Risk Score Indicators
Applications are categorized by their average risk score:
| Category | Score Range | Indicator |
|---|---|---|
| High Risk | Greater than 70 | Red badge |
| Medium Risk | 41-70 | Yellow badge |
| Low Risk | 40 or below | Green badge |
View Modes
Toggle between two view modes:
| Mode | Description | Best For |
|---|---|---|
| Table View | Row-based list with columns | Detailed comparison, sorting |
| Grid View | Card-based responsive layout | Visual overview, quick scanning |
Click the view toggle buttons to switch between modes.
Filtering and Searching
Quick Filters
At the top of the page, stat cards provide one-click filtering:
- Total - Show all applications
- High Risk - Applications with risk score > 70
- Medium Risk - Applications with risk score 41-70
- Low Risk - Applications with risk score ≤ 40
Click a stat card to filter the list to that category.
Filter Dropdowns
| Filter | Options |
|---|---|
| Platform | Filter by data source (Entra, Okta, Workday, etc.) |
| Status | All Status, Active, Inactive, Deprecated |
Search
Use the search box to find applications by name:
- Search is real-time with automatic debouncing
- Press
/(forward slash) to focus the search box - Click the clear button (X) to reset the search
Sorting
Sort applications by:
| Sort Option | Description |
|---|---|
| Risk (High→Low) | Highest risk first (default) |
| Risk (Low→High) | Lowest risk first |
| Name (A→Z) | Alphabetical |
| Name (Z→A) | Reverse alphabetical |
| Accounts (Most) | Most accounts first |
| Accounts (Least) | Fewest accounts first |
| Newest First | Most recently created |
| Oldest First | Oldest first |
Application Details
Click an application name to open the details page with comprehensive information.
Application Information
| Field | Description |
|---|---|
| Name | Application display name |
| Application ID | Unique identifier for the application |
| Description | Optional application description |
| Platform | Source data platform (data source name and platform type) |
| Data Source | Source system identifier and name |
| Owner | Assigned application owner (platform user) |
| Status | Active, Inactive, or Deprecated |
| Criticality | Criticality level (Critical, High, Medium, Low) |
| Environment | Environment type (Production, Staging, Development, etc.) |
| Authentication Method | How users authenticate (SSO, LDAP, Local, etc.) |
| URL | Application URL or access endpoint |
| Compliance Required | Whether compliance tracking is enabled |
| Risk Score | Application risk score (0-100) based on account risks |
| Data Classification | Data sensitivity classification (Public, Internal, Confidential, Restricted) |
| Technical Contact | Technical point of contact |
| Business Contact | Business point of contact |
| Last Review Date | When the application was last reviewed |
| Next Review Date | Scheduled next review date |
Application Reviewers
Applications can have assigned reviewers who are responsible for reviewing access:
- Reviewer Assignments: Assign specific platform users to review an application
- Reviewer Types: Assign individual users, groups, or role-based reviewers
- Department Scoping: Restrict reviewers to specific departments
- Account Type Scoping: Restrict reviewers to specific account types
- Active/Inactive Status: Enable or disable reviewer assignments
To manage application reviewers:
- Open the application details page
- Navigate to the Reviewers tab
- Click Add Reviewer to assign new reviewers
- Configure reviewer type, department filter, and account type filter
- Set the reviewer status (Active/Inactive)
Risk Assessment
The risk assessment section displays:
- Average Risk Score - Calculated from all associated accounts
- Total Accounts - Number of accounts with access
- Last Updated - When data was last synchronized
Security Metrics
The details page includes comprehensive security metrics:
MFA Status
- MFA Disabled Count: Total accounts with MFA disabled
- MFA Disabled Percentage: Percentage of accounts without MFA protection
Password Issues
Accounts grouped by password age:
| Category | Count | Description |
|---|---|---|
| Never Set | password_never_set_count | Accounts that have never set a password |
| 90+ Days | password_age_90_count | Passwords older than 90 days |
| 180+ Days | password_age_180_count | Passwords older than 180 days |
| 365+ Days | password_age_365_count | Passwords older than 1 year |
Stale Accounts
Accounts grouped by inactivity period:
| Category | Count | Description |
|---|---|---|
| 90+ Days | stale_90_days_count | Inactive for over 90 days |
| 180+ Days | stale_180_days_count | Inactive for over 180 days |
| 365+ Days | stale_365_days_count | Inactive for over 1 year |
Stale Account Percentage
The system automatically calculates the percentage of stale accounts (180+ days) relative to total accounts, helping prioritize cleanup efforts.
Privileged Accounts
| Metric | Description |
|---|---|
| Total Privileged | Accounts with elevated permissions |
| Highly Privileged | Accounts with the highest privilege levels (super admin, domain admin, etc.) |
| Not Vaulted | Privileged accounts not stored in a password vault |
| Privileged Not Vaulted Percentage | Percentage of privileged accounts without vault protection |
Account Status Distribution
| Status | Description |
|---|---|
| Active | Currently active accounts |
| Disabled | Disabled accounts |
| Suspended | Temporarily suspended accounts |
Account Type Distribution
| Type | Description |
|---|---|
| User Accounts | Standard user accounts |
| Service Accounts | Non-human service accounts |
| Admin Accounts | Administrative accounts |
Other Risk Indicators
| Metric | Description |
|---|---|
| Shared Accounts | Accounts used by multiple people |
| No Owner | Accounts without an assigned owner |
| Breached | Accounts flagged in known breach databases |
| Failed Logins | Accounts with recent failed login attempts |
Application Roles
Application roles (also called entitlements) represent the permissions and access rights within an application. These are distinct from organizational job roles.
What they are: Application roles are specific entitlements like "Global Administrator" in Entra ID or "Auditors" in CyberArk. Hydden Discovery syncs these roles, and Control displays them for governance visibility.
| Field | Description |
|---|---|
| Role Name | The role identifier |
| Display Name | Human-readable role name |
| Provider | Source platform (CyberArk, Microsoft, etc.) |
| Domain | Role domain (e.g., cyberark.cloud) |
| Direct Count | Accounts directly assigned this role |
| Expanded Count | Total accounts including nested assignments |
To view application roles:
- Open the application details page.
- Navigate to the Roles tab.
- Browse or search the roles list.
Application role memberships are synced from Hydden Discovery and show which accounts hold which entitlements within each application.
Field Distributions
Application statistics include field distributions showing the breakdown of:
- Custom field values across accounts
- Attribute distributions for reporting and analysis
- Risk metric aggregations
Account Distribution Charts
Visual charts display:
- Stale Accounts by Period - Bar chart showing account staleness distribution
- Accounts by Type - Pie chart showing service, user, and admin account breakdown
- Accounts by Status - Distribution of active, disabled, and suspended accounts
Associated Accounts
The Associated Accounts section displays all accounts linked to the application.
Account Table Columns
| Column | Description |
|---|---|
| Account Name | Account identifier |
| Account email address | |
| Risk Level | Individual account risk with icon indicator |
| Account Type | User, Service, Admin, etc. |
| Department | Account's department |
| Status | Active or Disabled with status indicator |
Searching Accounts
Use the search box within the Associated Accounts section to filter accounts by name or email.
Pagination
Accounts load progressively as you scroll. The table displays accounts in batches for optimal performance.
Managing Applications
Updating Application Owner
Administrators can update an application's owner:
- Open the application details page.
- Click Edit next to the Owner field.
- Select a platform user from the searchable dropdown.
- Click Save.
The owner assignment helps establish accountability for application governance.
Synchronizing Applications
To update application data from source systems:
- Click Sync Applications in the quick actions area.
- The sync job starts and runs in the background.
- Monitor progress in Job History.
For new tenants without data, use Run sync to discover applications on the initial setup.
Schedule Automatic Sync
Configure automatic synchronization in Data Sync settings to keep application data current without manual intervention.
Keyboard Shortcuts
| Shortcut | Action |
|---|---|
/ | Focus search box |
↑ / ↓ | Navigate between applications |
Enter | Open selected application details |
Access Requirements
| Role | Access Level |
|---|---|
| Administrator | Full access - view, sync, update owner |
| Reviewer | Read-only (scoped to assigned applications) |
| Auditor | Read-only (scoped to assigned applications) |
Reviewers and Auditors see only applications within their configured scope. See Platform Users for scope configuration.
Best Practices
- Review high-risk applications first - Sort by risk score and prioritize remediation
- Assign owners - Ensure every application has an accountable owner
- Monitor MFA coverage - Address applications with low MFA adoption
- Address stale accounts - Review and disable accounts inactive for extended periods
- Vault privileged accounts - Ensure privileged credentials are properly secured
- Regular sync - Keep data current with scheduled synchronization
- Use filters effectively - Combine platform and status filters to focus your review
Related Topics
- Accounts - Managing individual accounts
- Data Sync - Configuring synchronization
- Job History - Monitoring sync jobs
- Platform Users - User roles and scoped access
- Applications API - API reference