Understanding Access Types
Learn about the three access categories Ploy uses to classify users in your applications.
Written By Harry Lucas
Last updated 26 days ago
Overview
When viewing users in an application, Ploy categorises them into three access types: Active, Removed, and Shadow. This helps you focus on the accounts that matter most while still maintaining visibility into discovered access.
Active Access
Users with active access are in your configured source of truth for that application. These are the accounts you care about β the ones you'll see in access reviews, manage through workflows, and include in offboarding.
If you signed into the application directly (e.g. zapier.com) and viewed the users list, these are the people you'd expect to see.
Removed Access
Users who have recently been removed or suspended from the application. This includes:
Accounts that have been deprovisioned
Suspended accounts (where the user could potentially regain access automatically)
Shadow Access
Users Ploy has detected with access to the application, but who are not in any configured source of truth. This typically includes:
Personal accounts employees created independently
Access discovered via email scanning or browser extension that hasn't been verified
Legacy accounts from before you configured a source of truth
Shadow access gives you visibility without cluttering your primary user list. You can investigate these accounts and decide whether to formalise or remove them.
How Access Type is Determined
Access type depends entirely on your source of truth configuration:
To move users from Shadow to Active, you'll need to either add them to an existing source of truth (e.g. add them to the IdP group) or configure a source of truth that includes them.