
Owner Details

The Owner Details page provides a comprehensive, aggregated view of an individual identity with all associated accounts discovered by Hydden. This page consolidates security posture, authentication methods, group memberships, and activity across multiple accounts to provide an identity-centric risk assessment essential for compliance reporting, employee offboarding, and identity consolidation review.

Overview

Owner Details pages aggregate data from all accounts mapped to a single identity, providing a unified view of:

  • Identity Attributes: Name, email, employee information, organizational details
  • Aggregated Risk: Total threat score from all mapped accounts
  • Authentication Posture: MFA coverage, failed logins, authentication patterns across accounts
  • Access Overview: Consolidated group memberships, role assignments from all accounts
  • Activity Timeline: Complete login history across all platforms and accounts
  • Account Inventory: High-risk accounts, accounts without MFA, privileged accounts

This identity-level view enables security teams to assess overall risk for individuals rather than isolated accounts, making it ideal for executive risk reporting, access reviews, and offboarding verification.

Key Concepts

Owner Identity

An Owner represents an individual person or entity (human identity) to which multiple accounts are mapped. Owners are created through owner creation rules and linked to accounts via account mapping rules.

Owner Characteristics:

  • One owner can have many accounts across different platforms
  • Owner attributes typically come from HR systems or authoritative identity sources
  • Aggregated threat scores consolidate risk from all mapped accounts
  • Activity tracking spans all accounts associated with the owner

Account Mapping

Accounts are mapped to owners through various matching strategies:

  • Email Matching: Primary email or User Principal Name (UPN)
  • Attribute Matching: Employee ID, SAMAccountName, custom attributes
  • Manual Mapping: Explicit mapping via Map To functionality
  • Identity Mapping Rules: Custom rules based on organizational logic

For more details, see Account Mapping Rules.

Aggregated Risk Scoring

The owner's Total Threat Score aggregates risk from all mapped accounts:

  • Each account's threat score is calculated from applicable threat rules
  • Owner threat score is the sum of all mapped account threat scores
  • Higher aggregated scores indicate identities with elevated risk across multiple accounts
  • Risk indicators highlight specific concerns (high-risk accounts, missing MFA, etc.)
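The aggregation rule above (owner score = sum of mapped account scores, plus the indicators the Threat Score and MFA tiles surface) as an added example. This is not Hydden's code or scoring model: the numeric cutoffs for the Critical/High/Moderate/Low levels and for what counts as a "high-risk account" are assumptions, since the page names the levels without giving thresholds, and the sample accounts are constructed.

```python
"""Owner-level threat aggregation (added example; not Hydden's code or scoring model)."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed cutoffs: the page names the levels but does not publish numeric thresholds.
RISK_LEVELS: List[Tuple[int, str]] = [(80, "Critical"), (50, "High"), (20, "Moderate"), (0, "Low")]
HIGH_RISK_ACCOUNT_THRESHOLD = 40  # assumed per-account score that counts as "high risk"


@dataclass
class Account:
    name: str
    platform: str
    threat_score: int            # already computed from the account's applicable threat rules
    mfa_enabled: bool
    risk_factors: Tuple[str, ...] = ()


def risk_level(score: int) -> str:
    """Map a score onto the Critical/High/Moderate/Low scale using the assumed cutoffs."""
    for threshold, label in RISK_LEVELS:
        if score >= threshold:
            return label
    return "Low"


def aggregate_owner_risk(accounts: List[Account]) -> dict:
    """Build the owner-level summary: total score, MFA coverage, top high-risk accounts."""
    total = sum(a.threat_score for a in accounts)          # owner score is the plain sum
    without_mfa = [a for a in accounts if not a.mfa_enabled]
    high_risk = sorted(
        (a for a in accounts if a.threat_score >= HIGH_RISK_ACCOUNT_THRESHOLD),
        key=lambda a: a.threat_score,
        reverse=True,
    )
    with_mfa = len(accounts) - len(without_mfa)
    coverage = round(100.0 * with_mfa / len(accounts), 1) if accounts else 0.0

    indicators = []
    if high_risk:
        indicators.append(f"{len(high_risk)} high-risk account(s)")
    if without_mfa:
        indicators.append(f"{len(without_mfa)} account(s) without MFA")

    return {
        "total_threat_score": total,
        "risk_level": risk_level(total),
        "high_risk_account_count": len(high_risk),
        # the High Risk Accounts tile shows the top five
        "high_risk_accounts": [(a.platform, a.name, a.threat_score, a.risk_factors) for a in high_risk[:5]],
        "accounts_without_mfa": len(without_mfa),
        "total_accounts": len(accounts),
        "mfa_coverage_pct": coverage,
        "risk_indicators": indicators,
    }


# Constructed sample: one identity with four accounts, each individually unremarkable
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Active Directory", 15, True, ("Password 180+ Days",)),
    Account("jdoe@corp.example", "Azure AD", 10, True),
    Account("svc-jdoe-backup", "Linux", 45, False, ("MFA Not Enabled", "Privileged")),
    Account("john.doe", "GitHub", 18, False, ("MFA Not Enabled",)),
]

if __name__ == "__main__":
    for key, value in aggregate_owner_risk(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

With the sample data every account on its own sits at Low or Moderate, yet the owner total of 88 lands in the assumed Critical band, which is the cumulative-risk effect the identity-level view exists to expose.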

Employee Lifecycle

Owner records often contain employee lifecycle information:

  • Hire Date: When the individual joined the organization
  • Termination Date: When the individual left the organization
  • Status: Active vs. terminated employees
  • Organizational Details: Department, title, manager, location

This information is crucial for offboarding verification and access cleanup.


Data Tiles

The Owner Details page displays information tiles organized by functional area:

Owner Information Tile

  • Owner Name: The name under which the owner identity was established
  • Primary Email: Primary email address for the owner
  • Alternate Email: Secondary or personal email addresses (if available)
  • Type: Owner type (typically "Employee", "Contractor", "External")
  • Status: Owner status (Active, Terminated, Suspended)
  • Phone: Business phone number (if available)
  • Mobile: Mobile phone number (if available)

Employee Information Tile

  • Job Title: Current job title or role
  • Department: Organizational department
  • Manager: Direct manager name
  • Employee ID: Unique employee identifier
  • Hire Date: Date the employee joined the organization
  • Termination Date: Date the employee left the organization (if applicable)
  • Location: Office location or work site

Threat Score Tile

  • Total Threat Score: Aggregated risk score from all mapped accounts
  • Risk Level: Visual indicator (Critical, High, Moderate, Low)
  • High Risk Account Count: Number of accounts with elevated threat scores

Recent Failed Logins Tile

Displays recent failed authentication attempts across all mapped accounts:

  • Platform: System where failed login occurred
  • Account Name: Specific account with failed login
  • Failed Login Count: Number of consecutive failures
  • Last Failed Time: Timestamp of most recent failure

This tile helps identify potential brute force attacks or compromised credentials.

Number of Accounts without MFA Tile

  • Accounts without MFA: Count of mapped accounts lacking multi-factor authentication
  • Total Accounts: Total number of mapped accounts
  • MFA Coverage %: Percentage of accounts with MFA enabled

High Risk Accounts Tile

Lists the top five highest-risk accounts associated with this owner:

  • Account Name: Account identifier
  • Platform: System platform
  • Threat Score: Individual account threat score
  • Primary Risk Factors: Top security concerns (e.g., "Password 180+ Days", "MFA Not Enabled")

Click any account to navigate to Account Details.


Data Tabs

Owner Accounts Tab

Complete inventory of all accounts mapped to this owner identity.

Default Columns:

  • Account Name
  • Platform
  • Data Source
  • Account Type (User, Service, Federated, etc.)
  • Status (Enabled, Disabled, Locked, Expired)
  • Total Threat Score
  • MFA Status
  • Last Logon
  • Classification

Use Cases:

  • Account consolidation and deduplication
  • Privileged account identification
  • MFA coverage verification
  • Orphaned account detection
  • Access review preparation
  • Offboarding verification (ensure all accounts disabled)

Actions:

  • Click any account row to open Account Details
  • Filter accounts by platform, type, status, or risk level
  • Export account list for reporting
  • Use Action button to initiate workflows for multiple accounts

Group Membership Tab

Aggregated view of all group memberships from all mapped accounts, showing the complete set of access permissions.

Default Columns:

  • Group Name
  • Group Platform
  • Data Source
  • Account Name (which mapped account has this membership)
  • Membership Type (Direct / Expanded)
  • Is Privileged
  • Group Type

Use Cases:

  • Comprehensive privilege review across all accounts
  • Access certification and attestation
  • Identify privileged group memberships
  • Nested group membership analysis
  • Compliance auditing (privilege segregation)
  • Detect excessive access across multiple accounts

Filters:

  • Filter by privileged groups only
  • Filter by specific platforms
  • Filter by direct vs. expanded membership

Login History Tab

Complete authentication timeline across all mapped accounts, providing a unified activity view.

Default Columns:

  • Login Date/Time
  • Account Name
  • Platform
  • Login Status (Success / Failed)
  • Source IP Address (if available)
  • Login Type (Interactive, Network, Service, etc.)
  • Geolocation (if available)

Use Cases:

  • Investigate suspicious authentication patterns across accounts
  • Verify identity activity for access reviews
  • Identify dormant accounts (no recent logins)
  • Security incident investigation (compromised credentials)
  • Unusual login time or location detection
  • Compliance audit trails
  • Offboarding verification (no logins after termination date)

Analysis Tips:

  • Sort by Login Date/Time to see most recent activity
  • Filter by Failed logins to identify potential security issues
  • Filter by specific platforms to focus investigation
  • Look for login activity after termination date (red flag)

MFA Devices Tab

Inventory of all multi-factor authentication devices and methods across all mapped accounts.

Default Columns:

  • OIDC Provider (Okta, Azure MFA, Duo, Google Authenticator, etc.)
  • MFA Type (SMS, Authenticator App, Hardware Token, Biometric, etc.)
  • MFA Provider
  • MFA Create Date
  • MFA Status (Active, Inactive, Pending)
  • Account Name (which account has this MFA device)
  • Platform

Use Cases:

  • MFA coverage analysis across all accounts
  • Authentication method inventory
  • Identify accounts without MFA for remediation
  • Device management and cleanup
  • Compliance verification (MFA requirements)
  • Security posture assessment

Insights:

  • Zero MFA devices: High priority for MFA enrollment
  • Weak MFA methods: SMS-only MFA is less secure than app-based
  • Inactive devices: May indicate device replacement needed
  • Pending registrations: Follow up on incomplete MFA setup

SSH (Public) Keys Tab

Overview of all authorized SSH public keys across mapped accounts.

Default Columns:

  • Source Account: Account that owns the public key (e.g., root, operator)
  • Source SSH Host: System where the public key was collected
  • Source Platform: Platform/OS (Linux, Unix)
  • Source Account Type: Account type (User, Service, etc.)
  • Algorithm: Key algorithm (RSA, ED25519, ECDSA, DSA)
  • Fingerprint: Unique key fingerprint
  • Restriction: IP address or subnet restrictions (if configured)
  • Usage: Key usage (Authentication)

Use Cases:

  • SSH access audits across all accounts
  • Authorized key inventory
  • Key rotation planning
  • Access review for SSH-based access
  • Compliance (key management policies)
  • Identify weak algorithms (DSA, RSA <2048 bits)
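How the Algorithm, Fingerprint and Restriction columns above can be derived from raw authorized_keys entries, and how the "weak algorithm" check (DSA, RSA below 2048 bits) is applied, as an added example. This is not Hydden's collector code: it parses the OpenSSH public-key wire format directly, the 2048-bit cutoff is an assumed policy value taken from the bullet above, and the sample keys are constructed from placeholder numbers rather than real key material.

```python
"""Parse authorized_keys entries and flag weak key algorithms (added example; not Hydden code)."""
import base64
import hashlib
import re
import struct
from typing import List, Optional

MIN_RSA_BITS = 2048  # assumed policy threshold matching the "RSA <2048 bits" criterion
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
ALGORITHM_NAMES = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519"}


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 mpint for a positive integer (leading 0x00 byte when the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length

def key_bits(blob: bytes) -> int:
    """Key size from the decoded blob: modulus size for RSA, prime p size for DSA."""
    key_type, off = _read_string(blob, 0)
    key_type = key_type.decode()
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, _ = _read_string(blob, off)
        return int.from_bytes(modulus, "big").bit_length()
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, off)
        return int.from_bytes(p, "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    m = re.match(r"ecdsa-sha2-nistp(\d+)$", key_type)
    if m:
        return int(m.group(1))
    raise ValueError(f"unsupported key type: {key_type}")

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64 of SHA-256 over the blob with '=' padding removed."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_key(line: str) -> dict:
    """Split one authorized_keys line into options, key type, blob and comment, then assess it."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError(f"not an authorized_keys entry: {line!r}")
    options = " ".join(tokens[:idx])          # e.g. from="10.0.0.0/8",no-pty
    key_type, b64 = tokens[idx], tokens[idx + 1]
    blob = base64.b64decode(b64)
    bits = key_bits(blob)
    algorithm = ALGORITHM_NAMES.get(key_type, "ECDSA" if key_type.startswith("ecdsa-") else key_type)
    restriction = re.search(r'from="([^"]*)"', options)
    weak: Optional[str] = None
    if algorithm == "DSA":
        weak = "DSA"
    elif algorithm == "RSA" and bits < MIN_RSA_BITS:
        weak = f"RSA {bits} bits is below {MIN_RSA_BITS}"
    return {
        "algorithm": algorithm,
        "bits": bits,
        "fingerprint": fingerprint(blob),
        "restriction": restriction.group(1) if restriction else None,
        "comment": " ".join(tokens[idx + 2:]),
        "weak": weak,
    }

def audit_authorized_keys(lines: List[str]) -> List[dict]:
    """Parse every non-comment, non-blank line of an authorized_keys file."""
    return [parse_authorized_key(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]


# --- Constructed sample keys: wire-format blobs built from placeholder numbers, not real keys ---
def _rsa_blob(bits: int) -> bytes:
    modulus = (1 << (bits - 1)) | 0x10001  # exactly `bits` bits long; placeholder, not a real modulus
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)

def _dsa_blob() -> bytes:
    p, q, g, y = (1 << 1023) | 1, (1 << 159) | 1, 2, 3  # placeholder DSA parameters (1024-bit p)
    return _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (p, q, g, y))

def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys as collected from host build01",
    f"ssh-rsa {_b64(_rsa_blob(4096))} operator@bastion",
    f'from="10.0.0.0/8" ssh-rsa {_b64(_rsa_blob(1024))} legacy-backup',
    f"ssh-ed25519 {_b64(_ssh_string(b'ssh-ed25519') + _ssh_string(bytes(range(32))))} root@build01",
    f"ssh-dss {_b64(_dsa_blob())} old-deploy",
]
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS)` yields one record per key with the same fields as the tab's columns; the 1024-bit RSA key and the DSA key come back flagged in `weak`, and the `from=` option on the second key is surfaced as its Restriction. A real collector would additionally record the source account, host and platform the file was read from.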

Role Membership Tab

Aggregated view of all role assignments across all mapped accounts, showing the complete set of role-based access permissions.

Default Columns:

  • Role Name
  • Display Name
  • Account Name (which mapped account has this role)
  • Data Source
  • Platform
  • Role Type

Use Cases:

  • Comprehensive role-based access review across all accounts
  • Role certification and attestation
  • Identify excessive or conflicting role grants across platforms
  • Compliance auditing for separation of duties
  • Compare role assignments across an identity's accounts

Click a role name to navigate to Role Details for the selected role.

SSH (Private) Keys Tab

Overview of all private SSH keys discovered on systems for mapped accounts.

Default Columns:

  • Target Account: Account with the private key
  • Target SSH Host: System where the private key is stored
  • Target Platform: Platform/OS
  • Target Account Type: Account type
  • Algorithm: Key algorithm
  • Fingerprint: Unique key fingerprint

Use Cases:

  • Private key discovery and inventory
  • Security risk assessment (exposed private keys)
  • Key rotation and lifecycle management
  • Compliance (private key storage policies)
  • Identify shared or insecure key storage

Security Note: Private keys should be protected and not widely accessible. Discovery of private keys in unexpected locations may indicate security risks.


Share via Action

On tenants with the Integrate Action Providers and Workflows feature enabled, the Action button provides workflow automation options.

Available Actions

Email Notification:

  • Send owner details to HR or management
  • Alert security team about high-risk identities
  • Request access review from manager
  • Escalate security findings
  • Termination/offboarding notifications

Create Ticket:

  • Generate ServiceNow incident/request tickets for risk remediation
  • Create JIRA issues for access cleanup
  • Automated ticketing for policy violations
  • Track remediation workflows
  • Offboarding task creation

Custom Workflows:

  • Execute organization-specific automation
  • Trigger integration with HR systems
  • Initiate provisioning/deprovisioning workflows
  • Custom compliance reporting
  • Automated escalation to management

Common Workflows

Executive Risk Reporting

  1. Access Owner Details for executives or high-value targets
  2. Review Total Threat Score and risk indicators
  3. Check High Risk Accounts Tile for specific concerns
  4. Examine Accounts without MFA to identify exposure
  5. Review Group Membership Tab for privileged access
  6. Check Login History for unusual activity or anomalies
  7. Use Action button to generate executive risk reports
  8. Export data for board-level reporting or compliance

Employee Offboarding Verification

  1. Search for Owner by name or email
  2. Verify Termination Date in Employee Information Tile
  3. Review Owner Accounts Tab to see all accounts
  4. Check Status column - all accounts should be Disabled
  5. Review Login History Tab to ensure no logins after termination date
  6. Check Group Membership Tab to verify access removal
  7. Review SSH Keys Tabs to identify keys requiring revocation
  8. Use Action button to create ticket if cleanup needed
  9. Document completion for compliance audit trail
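The checks in steps 4 through 7 of this procedure, expressed as a single verification function over an owner's mapped accounts, login history, group memberships and authorized SSH keys. This is an added example, not Hydden code: the record layouts are assumed (flat dictionaries with the column names used on this page), and the sample data describes a constructed employee whose cleanup was only partly completed.

```python
"""Offboarding verification over an owner's accounts, logins, groups and SSH keys
(added example; not Hydden code; record layouts are assumed)."""
from datetime import date, datetime
from typing import List, Optional


def verify_offboarding(owner: dict, accounts: List[dict], logins: List[dict],
                       groups: List[dict], ssh_keys: List[dict]) -> List[str]:
    """Return one finding per condition that should not exist after termination."""
    findings: List[str] = []
    termination: Optional[date] = owner.get("termination_date")
    if termination is None:
        return [f"{owner['name']}: no termination date recorded; cannot verify offboarding"]

    # Step 4: every mapped account should be Disabled
    for acct in accounts:
        if acct["status"] != "Disabled":
            findings.append(f"{acct['platform']}/{acct['name']}: status is {acct['status']}, expected Disabled")

    # Step 5: no login activity after the termination date (failed attempts are worth a look too)
    for login in logins:
        if login["time"].date() > termination:
            findings.append(f"{login['platform']}/{login['account']}: {login['status']} login at "
                            f"{login['time'].isoformat()} is after termination on {termination.isoformat()}")

    # Step 6: remaining group memberships mean access was not removed; privileged ones first
    for g in groups:
        prefix = "PRIVILEGED " if g["privileged"] else ""
        findings.append(f"{prefix}group {g['group']} still contains {g['platform']}/{g['account']}")

    # Step 7: an authorized key still grants access to that host regardless of directory status
    for key in ssh_keys:
        findings.append(f"SSH key {key['fingerprint']} still authorized for {key['account']} on {key['host']}")

    return findings


# Constructed sample: terminated 2024-03-15; AD account disabled, GitHub account left enabled
OWNER = {"name": "Jane Doe", "termination_date": date(2024, 3, 15)}
ACCOUNTS = [
    {"platform": "Active Directory", "name": "jdoe", "status": "Disabled"},
    {"platform": "GitHub", "name": "john.doe", "status": "Enabled"},
]
LOGINS = [
    {"platform": "Active Directory", "account": "jdoe", "status": "Success", "time": datetime(2024, 3, 14, 17, 2)},
    {"platform": "GitHub", "account": "john.doe", "status": "Success", "time": datetime(2024, 3, 18, 9, 41)},
    {"platform": "GitHub", "account": "john.doe", "status": "Failed", "time": datetime(2024, 3, 20, 9, 41)},
]
GROUPS = [{"platform": "GitHub", "account": "john.doe", "group": "org-admins", "privileged": True}]
SSH_KEYS = [{"account": "jdoe", "host": "build01", "fingerprint": "SHA256:placeholder-fingerprint"}]

if __name__ == "__main__":
    for finding in verify_offboarding(OWNER, ACCOUNTS, LOGINS, GROUPS, SSH_KEYS):
        print("-", finding)
```

An empty result is the evidence to record in step 9; a non-empty one is the input for the ticket in step 8. The function deliberately returns every finding rather than stopping at the first, because offboarding gaps on different platforms are usually owned by different teams.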

Identity Consolidation Review

  1. Access Owner Details for identity requiring review
  2. Review Owner Accounts Tab for all mapped accounts
  3. Identify duplicate or unnecessary accounts (multiple accounts on same platform)
  4. Check Last Logon for each account to identify dormant accounts
  5. Review Group Memberships for access consolidation opportunities
  6. Assess MFA coverage across accounts
  7. Plan consolidation strategy (which accounts to disable/merge)
  8. Use workflows to request account cleanup
  9. Track progress through multiple reviews
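Steps 3 through 7 of the consolidation review (duplicate accounts on one platform, dormant accounts by Last Logon, and a keep/disable plan) as an added example. This is not Hydden code: the 90-day dormancy window and the rule for choosing which duplicate to keep (most recent logon, MFA-enabled preferred) are assumptions, and the account records are constructed.

```python
"""Identity consolidation review: duplicate and dormant accounts per platform
(added example; not Hydden code; record layout, dormancy window and keep rule are assumed)."""
from collections import defaultdict
from datetime import date
from typing import Dict, List

DORMANT_AFTER_DAYS = 90  # assumed: no logon within this window counts as dormant


def is_dormant(acct: dict, today: date) -> bool:
    last = acct["last_logon"]
    return last is None or (today - last).days > DORMANT_AFTER_DAYS


def consolidation_review(accounts: List[dict], today: date) -> dict:
    """Group the owner's accounts by platform and propose which duplicates to retire."""
    by_platform: Dict[str, List[dict]] = defaultdict(list)
    for acct in accounts:
        by_platform[acct["platform"]].append(acct)

    dormant = [f"{a['platform']}/{a['name']}" for a in accounts if is_dormant(a, today)]
    duplicates: Dict[str, List[str]] = {}
    plan: List[dict] = []
    for platform, accts in by_platform.items():
        if len(accts) < 2:
            continue
        duplicates[platform] = [a["name"] for a in accts]
        # keep the account that is actually in use and protected: latest logon, then MFA
        keep = max(accts, key=lambda a: (a["last_logon"] or date.min, a["mfa_enabled"]))
        for a in accts:
            if a is not keep:
                reason = "dormant" if is_dormant(a, today) else "duplicate"
                plan.append({
                    "platform": platform,
                    "account": a["name"],
                    "action": f"disable ({reason}); merge required access into {keep['name']}",
                })
    return {"duplicates": duplicates, "dormant": dormant, "plan": plan}


# Constructed sample: two Active Directory accounts for one person, plus an unused service account
SAMPLE_ACCOUNTS = [
    {"platform": "Active Directory", "name": "jdoe", "last_logon": date(2024, 5, 1), "mfa_enabled": True},
    {"platform": "Active Directory", "name": "jdoe.old", "last_logon": date(2023, 11, 1), "mfa_enabled": False},
    {"platform": "GitHub", "name": "john.doe", "last_logon": date(2024, 4, 20), "mfa_enabled": True},
    {"platform": "Linux", "name": "svc-jdoe", "last_logon": None, "mfa_enabled": False},
]

if __name__ == "__main__":
    review = consolidation_review(SAMPLE_ACCOUNTS, date(2024, 5, 10))
    print("duplicates:", review["duplicates"])
    print("dormant:", review["dormant"])
    for item in review["plan"]:
        print(f"{item['platform']}/{item['account']}: {item['action']}")
```

Dormant accounts that are the only account on their platform (the Linux service account here) do not appear in the plan, because retiring them is a separate decision from merging duplicates; they are reported in `dormant` so step 4 still sees them.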

Compliance Audit (Identity-Level)

  1. Filter owners by department or role
  2. Review MFA coverage via Accounts without MFA Tile
  3. Check aggregated threat scores for policy violations
  4. Review privileged access via Group Membership Tab
  5. Verify separation of duties across accounts
  6. Check authentication compliance via Login History
  7. Review SSH key compliance via SSH Keys Tabs
  8. Verify employee lifecycle data (hire/termination dates)
  9. Export evidence for compliance reporting
  10. Generate reports for auditors

Understanding Owner Identity

The Owner entity represents the identity-centric view in Hydden, consolidating all accounts belonging to a single individual. This approach enables:

Identity-Based Risk Assessment

Traditional account-based security tools assess risk per account. Hydden's owner-level view reveals:

  • Cumulative Risk: An individual may have low-risk accounts individually, but high cumulative risk
  • Cross-Account Patterns: Suspicious activity patterns across multiple accounts
  • Privilege Consolidation: Total privilege level when all accounts are considered together
  • MFA Coverage Gaps: Identifies which accounts lack MFA for a specific individual

Account Mapping Status

The Mapped To field on Account Details links back to the owner identity. Mapping scenarios include:

  • Mapped to Owner: Account successfully linked to an identity (normal state)
  • No Owner: Account not mapped to any identity (orphaned account - security risk)
  • Shared Account: Account mapped to multiple owners (potential policy violation)
  • Shared Account+: Account mapped to 3+ owners (high-risk sharing)

For details on account mapping, see Account Mapping Rules and Map To documentation.
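The matching strategies listed under Account Mapping (email/UPN, employee ID attribute, manual Map To) together with the four mapping states listed just above, worked through in one added example. This is not Hydden's mapping engine: the owner and account record layouts, the strategy order (manual mapping first, then email/UPN, then employee ID) and the `manual_map` input are assumptions, and all identities and accounts are constructed.

```python
"""Map accounts to owners and classify each account's mapping status
(added example; not Hydden's mapping engine; record layouts and strategy order are assumed)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class Owner:
    owner_id: str
    emails: Sequence[str]            # primary email, UPN and any alternates
    employee_id: Optional[str] = None


@dataclass
class Account:
    account_id: str
    platform: str
    email: Optional[str] = None      # primary email or UPN recorded on the account
    employee_id: Optional[str] = None


def map_accounts(owners: List[Owner], accounts: List[Account],
                 manual_map: Dict[str, Sequence[str]]) -> Dict[str, List[str]]:
    """Return account_id -> sorted list of matched owner ids (empty list when unmatched)."""
    by_email: Dict[str, List[str]] = defaultdict(list)
    by_employee_id: Dict[str, List[str]] = defaultdict(list)
    for owner in owners:
        for email in owner.emails:
            by_email[email.lower()].append(owner.owner_id)   # case-insensitive match
        if owner.employee_id:
            by_employee_id[owner.employee_id].append(owner.owner_id)

    result: Dict[str, List[str]] = {}
    for acct in accounts:
        if acct.account_id in manual_map:                    # explicit Map To wins
            matched = list(manual_map[acct.account_id])
        elif acct.email and acct.email.lower() in by_email:  # email / UPN matching
            matched = by_email[acct.email.lower()]
        elif acct.employee_id and acct.employee_id in by_employee_id:  # attribute matching
            matched = by_employee_id[acct.employee_id]
        else:
            matched = []
        result[acct.account_id] = sorted(set(matched))
    return result


def mapping_status(owner_ids: Sequence[str]) -> str:
    """The Mapped To states described above, keyed on how many owners an account resolves to."""
    count = len(set(owner_ids))
    if count == 0:
        return "No Owner"
    if count == 1:
        return "Mapped to Owner"
    if count == 2:
        return "Shared Account"
    return "Shared Account+"


def mapping_report(owners: List[Owner], accounts: List[Account],
                   manual_map: Dict[str, Sequence[str]]) -> Dict[str, str]:
    return {acct_id: mapping_status(ids) for acct_id, ids in map_accounts(owners, accounts, manual_map).items()}


# Constructed sample identities and accounts
OWNERS = [
    Owner("alice", ("Alice.Liddell@corp.example", "aliddell@corp.example"), "1001"),
    Owner("bob", ("bob.stone@corp.example",), "1002"),
    Owner("carol", ("carol.ng@corp.example",), "1003"),
]
ACCOUNTS = [
    Account("ad:aliddell", "Active Directory", email="ALIDDELL@corp.example"),
    Account("gh:alice-l", "GitHub", employee_id="1001"),
    Account("linux:svc-deploy", "Linux"),
    Account("ad:helpdesk", "Active Directory"),
    Account("linux:oncall", "Linux"),
    Account("aws:orphan-svc", "AWS"),
]
MANUAL_MAP = {
    "linux:svc-deploy": ("bob",),
    "ad:helpdesk": ("bob", "carol"),
    "linux:oncall": ("alice", "bob", "carol"),
}

if __name__ == "__main__":
    for acct_id, status in mapping_report(OWNERS, ACCOUNTS, MANUAL_MAP).items():
        print(f"{acct_id:<18} {status}")
```

The report is what the Owner Accounts tab and the Mapped To field reflect from different sides: `aws:orphan-svc` has no owner and is the orphaned-account case, `ad:helpdesk` resolves to two owners and `linux:oncall` to three, the two sharing states flagged above.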

Owner Creation

Owners are created through Owner Creation Rules which define:

  • Authoritative Source: Which data source provides owner identity data (typically HR system, Active Directory, or cloud identity provider)
  • Matching Attributes: Which fields uniquely identify owners (email, employee ID, etc.)
  • Attribute Priority: Which source takes precedence when conflicts exist
  • Update Logic: How owner attributes are updated when new data arrives
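The four rule components above (authoritative source, matching attributes, attribute priority, update logic) as one added example that assembles owner records from several sources. This is not Hydden's rule engine: the source names and their precedence order, the field names, and the specific update rule (a source may refresh its own earlier value, and a higher-priority source overrides a lower one, but never the reverse) are assumptions, and the records are constructed.

```python
"""Assemble owner records from several sources using source precedence
(added example; not Hydden's rule engine; sources, priorities and fields are assumed)."""
from typing import List

# Lower number wins. Assumed order: HR system is authoritative, then AD, then the cloud IdP.
SOURCE_PRIORITY = {"hr_system": 0, "active_directory": 1, "cloud_idp": 2}
MATCH_KEYS = ("employee_id", "email")   # attributes that identify the same person across sources


def _normalize(key: str, value):
    """Email comparisons are case-insensitive; everything else is compared as-is."""
    return value.lower() if key == "email" and isinstance(value, str) else value


def _same_owner(owner: dict, record: dict) -> bool:
    attrs = owner["attrs"]
    return any(
        attrs.get(k) is not None and attrs.get(k) == _normalize(k, record.get(k))
        for k in MATCH_KEYS
    )


def apply_record(owner: dict, record: dict) -> None:
    """Update logic: take a value when the field is unset, or when this record's source ranks
    at least as high as the source that last set the field."""
    src = record["source"]
    for key, value in record.items():
        if key == "source" or value in (None, ""):
            continue
        value = _normalize(key, value)
        previous_src = owner["sources"].get(key)
        if previous_src is None or SOURCE_PRIORITY[src] <= SOURCE_PRIORITY[previous_src]:
            owner["attrs"][key] = value
            owner["sources"][key] = src       # remember who set it, for later conflict decisions


def build_owners(records: List[dict]) -> List[dict]:
    """Create owners from records in any order; matching uses MATCH_KEYS, precedence SOURCE_PRIORITY."""
    owners: List[dict] = []
    for record in sorted(records, key=lambda r: SOURCE_PRIORITY[r["source"]]):
        owner = next((o for o in owners if _same_owner(o, record)), None)
        if owner is None:
            owner = {"attrs": {}, "sources": {}}
            owners.append(owner)
        apply_record(owner, record)
    return owners


# Constructed sample: three sources describing one person with conflicting titles, plus a second person
RECORDS = [
    {"source": "active_directory", "employee_id": "1001", "email": "ALiddell@corp.example",
     "title": "Senior Engineer", "phone": "+1-555-0100"},
    {"source": "hr_system", "employee_id": "1001", "email": "aliddell@corp.example",
     "name": "Alice Liddell", "title": "Engineer", "department": "Platform",
     "hire_date": "2021-06-01", "termination_date": None},
    {"source": "cloud_idp", "email": "aliddell@corp.example", "mobile": "+1-555-0199"},
    {"source": "hr_system", "employee_id": "1002", "email": "bob.stone@corp.example", "name": "Bob Stone"},
]

if __name__ == "__main__":
    for owner in build_owners(RECORDS):
        print(owner["attrs"], "<-", owner["sources"])
```

The HR title survives the conflict with Active Directory, while the phone and mobile numbers that HR does not carry are filled in from the lower-priority sources. The same `apply_record` function handles later updates, which is what keeps a refreshed AD title from silently replacing the HR one.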

Troubleshooting

  • Owner has no mapped accounts: Verify account mapping rules are configured; check email/UPN matching
  • Incorrect owner attributes: Review owner creation rules; verify authoritative source priority
  • Aggregated threat score too high: Review individual account threat scores; investigate high-risk accounts; verify threat rule thresholds
  • Missing employee information: Verify HR system data source is collecting and providing employee attributes; check collector permissions
  • Login history incomplete: Ensure authentication logging is enabled on platforms; verify collector configuration for login data
  • No MFA device data: Verify data sources support MFA collection; check collector permissions for MFA APIs
  • Accounts not showing in Owner Accounts Tab: Verify account mapping; check if accounts have valid email/UPN; manually map accounts via Map To
  • Terminated employee showing as active: Verify termination date is being collected from authoritative source; check owner creation rule logic
