
Writing Search Queries in SlashID

SlashID stores all monitored data in a graph database, allowing you to write powerful and flexible queries using Cypher, which is Neo4j's native query language.

Through the Queries section in the SlashID console, you can search for any entity (e.g., users, non-human identities (NHIs), policies, etc.) and explore their relationships.

To effectively write queries, it’s important to understand the graph structure:

  • Entities are represented as nodes in the graph
  • Relationships between entities (e.g., "allows access to" or "created by") are represented as edges

Below is a detailed breakdown of the node types (entities), their properties, and the relationship types (edges) available for querying.


Entity (Node) Types

Labels

Each node in the graph is defined by two fields (node "labels" in Neo4j terminology):

  1. Class: specifies what kind of entity the node represents, such as an identity or a credential
  2. Source type: indicates the system or environment the entity originates from

Info: Neo4j labels are like categories that define the node and are primarily used for indexing and efficient querying.

Entity Classes

A node's class can be one of the following:

  • Application
  • Credential
  • Identity
  • Policy
  • Resource

Source Types

Nodes may originate from various sources, categorized as follows:

  • active_directory
  • aws_account
  • azure_tenant
  • entra_tenant
  • gate_instance
  • gcp_project
  • google_workspace_instance
  • okta_org
  • postgres_instance
  • slashid
  • snowflake_account

Properties

Each entity (node) can have optional properties stored as key-value pairs, which contain additional data about the entity.

These are the possible properties:

  • identifier_from_source: unique identifier assigned by the source system
  • entity_type: type of entity (more specific than class), specific to the source type
  • entity_id: internal ID assigned by SlashID
  • name: human-readable name for the entity
  • status: current state of the entity (e.g., "active", "deleted")
  • source_identifier: ID of the data source
  • tags: custom labels applied to specific entities for grouping and filtering

Performance Consideration

Properties in Neo4j are not indexed by default, which means that searching by properties (e.g., name, status) may be slower than searching by labels.


Relationship (Edge) Types

Relationships define how entities are connected within the graph.

Each relationship type comes in two directions — one for the initiator and one for the recipient.

| Relationship Type | Inverse Relationship | Description |
|---|---|---|
| ALLOWS_ACCESS_TO | IS ALLOWED_ACCESS_BY | Grants access to a resource |
| ASSIGNED_TO | IS_ASSIGNED | Denotes assignment of an entity (e.g., a role to a user) |
| CREATED | CREATED_BY | An entity (e.g., user, system) created another entity |
| CAN_ACCESS | CAN_BE_ACCESSED | Indicates an entity has general access to another entity |
| CAN_ASSUME | CAN_BE_ASSUMED_BY | Represents the ability to assume a role or identity |
| CAN_READ | CAN_BE_READ_BY | Specifies read permissions on an entity |
| CAN_WRITE | CAN_BE_WRITTEN_BY | Specifies write permissions on an entity |
| CONTAINS | IS_CONTAINED_BY | Indicates an entity is nested inside another (e.g., a policy inside a group) |
| DEFINES_PERMISSIONS_OF | HAS_PERMISSIONS_DEFINED_BY | Defines permissions of another entity |
| DENIES_ACCESS_TO | IS_DENIED_ACCESS_BY | Explicitly denies access |
| FEDERATES_TO | FEDERATED BY | Represents federated identity relationships |
| HAS_CREDENTIAL | IS_CREDENTIAL_OF | Associates a credential with an identity |
| HAS_MEMBER | IS_MEMBER_OF | Represents group membership |
| OWNS | IS_OWNED_BY | Indicates ownership of an entity |
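
The following Cypher is an added example, not taken from SlashID's own documentation, showing how the labels, properties and relationship types above combine in two access-review queries. It assumes the class and source type names appear as node labels exactly as spelled in the lists above, and that `status` holds the values "active" and "deleted" mentioned as examples.

```cypher
// Added example. Assumptions: class and source-type labels are spelled
// exactly as listed on this page; status values are 'active' / 'deleted'.

// Query 1: cross-source privilege paths.
// Okta identities that can assume an AWS identity, and the AWS resources
// that assumed identity can access. Both nodes in each pattern are narrowed
// by their two labels first (indexed); the unindexed property filter on
// status is applied to the already-reduced set.
MATCH (i:Identity:okta_org)-[:CAN_ASSUME]->(r:Identity:aws_account)
WHERE i.status = 'active'
MATCH (r)-[:CAN_ACCESS]->(res:Resource:aws_account)
WITH i, r, collect(DISTINCT res.name) AS reachable_resources
RETURN i.name                    AS okta_identity,
       i.identifier_from_source  AS okta_id,
       r.name                    AS assumed_aws_identity,
       r.entity_type             AS assumed_entity_type,
       size(reachable_resources) AS resource_count,
       reachable_resources
ORDER BY resource_count DESC
LIMIT 50;

// Query 2: credentials left behind on deleted identities.
// Uses the inverse edge (IS_CREDENTIAL_OF) to start from the credential,
// then keeps only credentials that are themselves not marked deleted.
MATCH (c:Credential)-[:IS_CREDENTIAL_OF]->(i:Identity)
WHERE i.status = 'deleted'
  AND (c.status IS NULL OR c.status <> 'deleted')
RETURN i.name              AS deleted_identity,
       i.source_identifier AS data_source,
       c.name              AS credential,
       c.entity_type       AS credential_type,
       c.status            AS credential_status
ORDER BY data_source, deleted_identity;
```

Because properties are optional, the second query treats a missing `status` on the credential as "not deleted" rather than silently dropping the row.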

You can find a few examples covering common use cases in the Examples section.