The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses.
The Cloud Identity Engine functions as a centralized, read-only repository for
identity and context data gathered from across your organization's diverse
infrastructure. Viewing this collected information is essential for validating the
accuracy of directory synchronization and ensuring that your network security
devices receive the correct context for policy enforcement. The service aggregates
static objects from your connected on-premises and cloud-based directories,
providing visibility into the total counts and specific attributes of users, groups,
computers, containers, and organizational units. This allows you to verify that
critical identifiers, such as email addresses and group memberships, are populating
as expected.
Beyond static directory attributes, the engine maintains a record of dynamic network
associations and device context. This includes User-ID mappings that link IP
addresses to usernames, as well as IP-to-tag and user-to-tag mappings used for
dynamic policy adjustments. It also stores IP-port mappings collected by Terminal
Server agents, which are necessary for distinguishing individual users in multi-user
environments like VDI. Furthermore, the service collects device-specific data, such
as Host IDs from GlobalProtect and verdicts from third-party IoT solutions, to
support device-based security rules. By consolidating this data, the Cloud Identity
Engine provides a single source of truth for troubleshooting connectivity and
verifying that downstream enforcement points possess the necessary intelligence to
secure the network.
Learn how to view detailed information about your directory
data in the Cloud Identity Engine.
In the Cloud Identity Engine app, you can
use the Directory Data page to view data (depending on your directory
type) about users, computers, groups, devices, containers, and organizational
units that are collected from your directory. You can also use keywords
to search the data for specific objects (such as users or groups)
and view all the attributes of those objects to validate the data.
The Directories page provides a total count for the objects that the Cloud Identity Engine has collected from your directory. To review details for an object, click the total count in the column for the object to view the Directory Data page.
When you select an object, the number of results for that object displays below the domain name at the top of the page.
By default, up to 25 results display for the object. To view the rest of the data or a specific result, use the following methods.
Search for data in the search bar by
entering a partial or complete keyword, then press Enter or click Search to
see the results.
Search terms are not case-sensitive.
To refine the search results, select a search type:
Text search—Displays results that match the entire search term.
Substring match—Displays results that match the entire search term or that partially match the search term.
Search results include delimiter characters for MongoDB and Unicode. For example, entering test-user as a search term includes results for test-user and test user but not testuser, because the hyphen is a delimiter character.
Browse the data using the page navigation buttons or
use the drop-down list to select the number of rows to display.
To view selected details for an object, select Details in the first column.
When you select a group, the app displays the first 2000 flattened
users in the group below the Member
attribute. If the group doesn’t contain any members, this attribute
does not display any information.
When you select a user, the app displays the first 2000 groups to
which the user belongs below the Groups
attribute. If the user doesn’t belong to any groups, this attribute
does not display any information.
The Cloud Identity Engine currently supports retrieval of inventory
information for enterprise applications, such as Name, Redirect URIs,
and IDs. Viewing the membership assignment relationships between the
retrieved apps and their corresponding users and groups is currently a
beta feature.
To view all data for this object, click View Raw Data in the upper right corner.
To copy the details for the data, click Copy to copy the details to the clipboard.
To switch the view between Direct and
Direct and Nested, select the toggle.
If the directory contains nested groups, they display after you select
the toggle. To restore the original Direct view,
select the toggle again.
Nested group information is not available
for attribute-based Cloud Dynamic User Groups.
To query the data, enter a search term and click Apply
Search to display the results.
To return to the Directory page, select Go
Back to Directory in the upper right.
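The Direct versus Direct and Nested views above, and the 2000-entry cap on the Member and Groups attributes, amount to a transitive-membership walk over the directory. The following is an added example written for this page, not Cloud Identity Engine code: it runs over a small constructed group hierarchy (the group names and the cycle between them are invented) and shows how a cyclic nesting still terminates and how the cap truncates the flattened list.

```python
from collections import deque

DISPLAY_CAP = 2000  # the page states the app shows the first 2000 flattened entries

# Constructed sample directory (not real data): group -> (direct users, directly nested groups).
GROUPS = {
    "cn=vpn-users":   ({"alice", "bob"}, {"cn=contractors"}),
    "cn=contractors": ({"carol"},        {"cn=vendor-x"}),
    "cn=vendor-x":    ({"dave"},         {"cn=vpn-users"}),  # nests the top group again: a cycle
    "cn=empty":       (set(),            set()),
}

def direct_members(group):
    """Direct view: only the users assigned to the group itself."""
    return sorted(GROUPS.get(group, (set(), set()))[0])

def flattened_members(group, cap=DISPLAY_CAP):
    """Direct and Nested view: breadth-first walk through nested groups.
    Groups already visited are skipped so cyclic nesting terminates; the list
    is cut at `cap`, and the second value reports whether anything was cut."""
    seen_groups, queue, users = {group}, deque([group]), []
    while queue:
        g = queue.popleft()
        direct_users, nested = GROUPS.get(g, (set(), set()))
        for u in sorted(direct_users):
            if u not in users:
                users.append(u)
        for n in sorted(nested):
            if n not in seen_groups:
                seen_groups.add(n)
                queue.append(n)
    return users[:cap], len(users) > cap

def groups_of_user(user, cap=DISPLAY_CAP):
    """Reverse closure for a user's Groups attribute: the groups that hold the
    user directly, then every group that nests one of those, transitively."""
    parents = {}  # group -> groups that directly nest it
    for g, (_, nested) in GROUPS.items():
        for n in nested:
            parents.setdefault(n, set()).add(g)
    found = []
    queue = deque(sorted(g for g, (members, _) in GROUPS.items() if user in members))
    while queue:
        g = queue.popleft()
        if g in found:
            continue  # already reached via another path (or via the cycle)
        found.append(g)
        queue.extend(sorted(parents.get(g, ())))
    return found[:cap], len(found) > cap
```

With the sample data, the Direct view of cn=vpn-users lists only alice and bob, while the Direct and Nested view adds carol and dave even though cn=vendor-x loops back to cn=vpn-users.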
View Mappings and Tags
Learn how you can use the Cloud Identity Engine to view mappings and tags from your
firewalls.
After you activate and configure User Context, you can view the mappings and tags
that the Cloud Identity Engine collects from the firewalls that you assign to the
segments. Being able to view all of the mapping and tag information that the Cloud
Identity Engine collects from across your network allows you to quickly locate
specific information for remediation or troubleshooting. By giving you a single
source where you can view all the identity information that your firewalls provide,
as well as efficiently search to find the data you need, you can identify and
address issues more quickly.
Select User Context > Mappings and Tags.
You must activate and configure User Context before you can view mappings and
tags.
Select the type of mapping or tag that you want to view.
User-ID—View User-ID IP address-to-username
mappings by Username or IP
address.