Article 4: Configuring Review Scope & Filters
What filters do
Filters define which access gets included in a review campaign. When Ploy generates a cycle, it evaluates your filters against the current state of your SaaS estate and creates accounts to review for every matching result.
Getting filters right is important: too broad and reviewers are overwhelmed with irrelevant access; too narrow and you miss what matters. Ploy's live preview panel lets you see exactly what a filter combination will capture before you commit.
The three filter categories
Filters are organised into three groups, each targeting a different dimension of access:
1. Resource filters
Target which apps or resources are included.
| Filter | What it does |
|---|---|
| App | Include or exclude a specific application (e.g. "only Salesforce") |
| Resource type | Filter by the type of tool (e.g. "all CRM tools") |
| Integration | Filter by how the app is connected to Ploy (SSO, SCIM, etc.) |
| Tags | Filter by custom tags you've applied to resources in Ploy |
| SSO-enabled | Include only apps where SSO is configured |
| SCIM-enabled | Include only apps where SCIM provisioning is active |
| Owning department | Filter by which department owns the resource |
| Contract renewal date | Include resources with renewal dates before or after a specific date |
| Resource status | Filter by active or inactive resources |
| Date first seen | Filter resources by when they first appeared in Ploy |
2. Employee filters
Target which employees' access is included.
| Filter | What it does |
|---|---|
| Department | Include or exclude specific departments |
| Job title | Filter by title — supports exact match or contains |
| Country / location | Filter by employee location |
| | Target specific individuals or email patterns |
| Employment status | Filter by active, terminated, or on leave |
| Hire date | Target employees hired before or after a date |
| End date | Target employees with a termination date (useful for leavers reviews) |
| Manager | Filter by direct manager (useful for manager-led reviews) |
| Profile | Filter by custom profile attributes you've defined in Ploy |
| Not in identity provider | Flag accounts that exist in apps but aren't in your IdP |
3. Access filters
Target the nature of the access itself.
| Filter | What it does |
|---|---|
| Access age | How long the employee has held this access (e.g. "granted more than 365 days ago") |
| Last accessed | When the account was last actively used (e.g. "not used in 90+ days") |
| MFA enabled | Whether the account has MFA active |
| Expiration date | Whether access has an expiration date set, and when |
| Access level / role | The specific role or permission level assigned |
| Entitlement | A specific entitlement or permission within an app |
| Provisioned via Ploy | Whether access was granted through Ploy or manually |
| Suspended | Whether the account is currently suspended |
| Provisioning status | Current status in Ploy's provisioning system |
Combining filters
Filters within the same category use AND logic — all conditions must match. Filters across categories also use AND logic — so a resource filter, an employee filter, and an access filter all apply simultaneously.
Example: To review all admin access to finance tools held by people who haven't logged in for 90 days:
Resource filter: Tag equals "finance"
Access filter: Role equals "admin" AND Last accessed before 90 days ago
This will only include accounts where all three conditions are true.
The live preview panel
As you build your filters, Ploy shows a preview panel on the right side of the screen. This displays:
The number of resources matching your resource filters
The number of accounts that would be included in the review
A sample of the matching accounts so you can validate the results
Use this to sanity-check scope before saving. It's much easier to adjust filters now than to re-scope a running cycle.
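The AND logic from "Combining filters" and the three figures shown in the preview panel, modelled offline as an added Python sketch (not Ploy's code or API). The Account fields, the in_scope and preview functions, the sample records, and the rule that an account with no recorded use counts as stale are all assumptions of this sketch.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Account:  # hypothetical record shape, not Ploy's data model
    user: str
    app: str
    app_tags: frozenset
    role: str
    last_accessed: Optional[date]  # None = no recorded use

def in_scope(acct, today, tag="finance", role="admin", stale_days=90):
    """AND across categories: the resource filter and both access filters must hold."""
    cutoff = today - timedelta(days=stale_days)
    resource_ok = tag in acct.app_tags      # Resource filter: Tag equals "finance"
    role_ok = acct.role == role             # Access filter: Role equals "admin"
    # Assumption of this sketch: an account with no recorded use counts as stale.
    stale_ok = acct.last_accessed is None or acct.last_accessed < cutoff
    return resource_ok and role_ok and stale_ok

def preview(accounts, today, tag="finance", role="admin", stale_days=90, sample_size=3):
    """Return the preview figures: matching resources, matching accounts, a sample."""
    resources = {a.app for a in accounts if tag in a.app_tags}
    matched = [a for a in accounts if in_scope(a, today, tag, role, stale_days)]
    return {"resources": len(resources), "accounts": len(matched),
            "sample": [(a.user, a.app) for a in matched[:sample_size]]}

TODAY = date(2025, 6, 30)  # constructed reference date
FIN = frozenset({"finance"})
ENG = frozenset({"engineering"})
ACCOUNTS = [  # constructed sample data; app names other than GitHub are made up
    Account("ana", "ledger-app", FIN, "admin", date(2025, 1, 10)),   # all three match
    Account("ben", "ledger-app", FIN, "admin", date(2025, 6, 20)),   # used recently
    Account("cy", "ledger-app", FIN, "viewer", date(2024, 11, 2)),   # not an admin
    Account("dee", "payroll-app", FIN, "admin", None),               # never used
    Account("eli", "GitHub", ENG, "admin", date(2024, 9, 1)),        # wrong tag
]

if __name__ == "__main__":
    print(preview(ACCOUNTS, TODAY))
```

Calling preview with a later `today` changes which accounts match, which mirrors how each generated cycle re-evaluates the filters against the current state.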
Filter tips
Starting broad, then narrowing: Begin with just a resource filter (e.g. "App = GitHub") to see the full scope, then add employee or access filters to narrow down to the access that actually warrants review.
Leavers campaigns: Use an employment status filter set to "terminated" combined with a resource filter to catch access that wasn't cleaned up when someone left. Running this monthly is a common compliance hygiene practice.
Inactive access reviews: Use a last accessed before [90 days ago] filter to surface accounts that are provisioned but unused. These are candidates for deprovisioning without needing detailed review.
High-risk only: Combine an access level filter (role = admin) with a resource filter (specific apps) to scope a review to only elevated-privilege accounts — this is often the right starting point for a first campaign.
Filters and cycle generation
When Ploy auto-generates a new cycle from a recurring campaign, it re-evaluates your filters against the current state of your SaaS estate at that moment. This means:
New employees hired since the last cycle will be included if they match the filters
Employees who left will not appear (their access should already be removed by your offboarding flows)
Access that was revoked won't appear
New applications added to Ploy that match a resource tag will automatically be included
This is intentional — access review scope should reflect current reality, not a static snapshot from when you set up the campaign.