What are Tags?
  • 11 Oct 2024
  • 5 Minutes to read
  • Dark
    Light
  • PDF

What are Tags?

  • Dark
    Light
  • PDF

Article summary

Tags are a highly configurable feature in Clarity which allow you to label various items within Clarity (Applications, Entitlements, Identities, Roles). These labels can help you perform highly targeted Access Reviews of your application landscape.

To Manage your Tags head to Tags in the sidebar.


Topics we will cover:


Create tags

Once you head to Tags, look for the Add New Tag button near the top right of the screen.

Tags - Add New Tag

You will see the tag creator dialog which will guide you through the process of creating a new tag.

Entity Type

First, select the type of Clarity entity that this tag will apply to. The available entity types are: Identity, Entitlement, Application, and Role.

image.png

After selecting an entity type, fill out the Tag Name, Category, and Description. These fields are arbitrary and just used to help you identify and organize tags as you create them.

Static vs Dynamic Tags

Next select the kind of tag you want to create: Static or Dynamic. Static tags will be created and initially tag all of the entities that apply based on the filtered dialog. Once a static tag is created, it can then be applied to any other entities (even entities that you do not initially select during creation) within the Clarity application. For instance, you can create a static tag called "Operations Responsibilities" that initially applies to Entitlement entities, but then at any point after creation, you could apply this tag to Identities, Applications, or Roles as you see fit.

Dynamic tags work a bit differently from static tags. After the initial creation of a dynamic tag, Clarity will automatically monitor and tag entities that match the filter options you set initially. For instance, you could create a dynamic tag called "Active Admins" on the Identity entity type. Based on the filter configuration, this dynamic tag would automatically tag any active identities with a certain entitlement or in a certain role. At any point in the future, if a new identity meets the criteria for the dynamic tag, they will automatically be tagged by Clarity without any further manual tagging necessary.

image.png

Dynamic Tag Updating

Dynamic tags are updated automatically each time an application syncs.
You can also trigger the tag to update by clicking the Re-apply Dynamic Tag button while viewing the individual tag.

Tag Builder

After clicking "Next" you will be taken to the tag builder. You will see the tag builder dialog. On the left hand side, you will see the filter builder. Each filter is a collection of conditions which are applied in filter groups. You must have at least one condition to create a new tag.

Click "Add Filter" under the first "where" filter group to get started.

image.png

You will then see a list of filterable properties based on the entity type you selected. Choose a property and you will see a list of various conditions you can select for that property. For example, you can select the property "Identity's Role Path" then "Starts With" and then supply the value "Admin". This will create a filter condition that will tag all identities who's role path starts with "Admin". Click "Apply" to add the condition to the filter builder.

image.png

After applying each filter condition, the tag builder will refresh the list of entities that will be tagged and display them in the grid on the right.

image.png

Filter Groups and Clauses

Each tag is made up of "groups" and "filters". A group may have multiple filters within it, which will be applied using AND logic. For instance, an Identity tag made up of one group with the filters "Email" "Starts with" "g" and "Active status in application" "is equal to" "True" will only tag identities who are ACTIVE and who's email starts with "g". Inactive identities will not be tagged, and anyone who's email doesn't start with "g" will not be tagged.

image.png

Each group for the tag will be applied using OR logic. Similar to the example above, if I have one group with one filter "Email" "Starts with" "g" and another group with one filter "Active status in application" "is equal to" "True", the tag will be applied to all identities who's email starts with "g" OR are active.

image.png

There is no limit to the number of filters or groups that you use when creating a static or dynamic tag.


Manage and modify tags

Explore Tag Contents

Once you are at the Tags page, simply click on row for the Tag you want to modify or view from the list below.
Manage Tags

You can use the Tabs underneath the name of the tag to list what is currently included in the Tag.
image.png

Edit Tags

To make changed to the Name, Description, etc. for the Tag click the Edit Icon in the top right (looks like a pencil).

image.png

Once you hit the Edit button, you will see a screen similar to the Create Tag dialog seen above, letting you change the filter options for the tag.

image.png

Deleting Tags

In the tag details page, click the Remove Tag button. The tag will be deleted and removed from all entities which were tagged with it.

Common use cases

Example 1: Entitlements with a monetary value. Utilize the tag feature to label entitlements from your Downstream Applications which per use paid access (licenses, subscriptions, etc). This is a great item to review, to help make sure employees in your organization do not have paid licenses they don't need.

Example 2: Top level Administrative Access. Create a custom entitlement to apply to all of the Entitlements which represent the highest level of access in an application (Domain Admin in Active Directory, etc). This is a very important type of access to review regularly.

Example 3: Create a custom tag to represent the Entitlements for an application whose access is managed in another application. An example of this is using Active Directory groups to manage access to another application.


If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.


Was this article helpful?
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.