title: Tags Management
category: Tags & Classification
tags: tags, classification, categories, filtering, organization
priority: Normal
Tags Management
Tags in IdentityCenter provide a flexible classification system for organizing and labeling identities, objects, and groups. They enable targeted filtering, policy scoping, and operational workflows that go beyond the fixed attributes synced from your directories.
Accessing Tags Management
Navigate to Administration > Tags Management or go directly to /admin/tags-management. The Tags Management page displays all existing tags, their categories, and usage statistics.
Creating Tags
To create a new tag:
- Click Create Tag on the Tags Management page
- Fill in the tag properties:
| Property | Required | Description |
|---|---|---|
| Name | Yes | A short, descriptive label (e.g., "VIP," "Contractor," "High Risk") |
| Description | No | Explanation of when and why to apply this tag |
| Color | No | Visual color for display in lists and dashboards |
| Icon | No | Icon for quick visual identification |
| Category | No | Grouping category for organizing related tags |
- Click Save to create the tag
Naming Conventions
Choose tag names that are concise, consistent, and self-explanatory:
| Good Examples | Poor Examples | Why |
|---|---|---|
| VIP | Important Person | Too verbose |
| Contractor | C | Too abbreviated |
| Service Account | SVC_ACCT | Unclear to other administrators |
| High Risk | !!! | Not descriptive |
| Pending Offboard | To Be Removed Eventually | Too long |
Tag Categories
Tag categories group related tags together for easier management and navigation. Categories are optional but recommended for organizations with many tags.
| Example Category | Tags Within |
|---|---|
| Risk Level | High Risk, Medium Risk, Low Risk, Under Review |
| Employment Type | Full-Time, Contractor, Vendor, Intern, Consultant |
| Compliance | SOX In-Scope, HIPAA Covered, PCI Cardholder, GDPR Subject |
| Operational | VIP, Service Account, Shared Account, Break-Glass |
| Lifecycle | Pending Onboard, Active, Pending Offboard, Archived |
To create or manage categories, use the Categories tab on the Tags Management page. Each category can have its own color scheme to visually distinguish groups of tags.
Applying Tags
Applying to Individual Items
Tags can be applied to identities, objects, and groups from their respective detail pages:
- Navigate to the detail page of the identity, object, or group
- Locate the Tags section
- Click Add Tag
- Search for and select the tag
- The tag is applied immediately
Bulk Tag Application
For applying tags to multiple items at once:
- Navigate to the Objects browser (/admin/directory/objects), People page, or Groups page
- Use checkboxes to select multiple items
- Click the Tag action in the bulk operations toolbar
- Select the tag to apply
- Confirm the bulk operation
Bulk tagging is useful for scenarios such as:
- Tagging all members of a department as "SOX In-Scope"
- Marking a group of contractor accounts discovered during an access review
- Classifying service accounts identified during a sync
Removing Tags
To remove a tag from an item:
- Navigate to the item's detail page
- In the Tags section, click the remove icon next to the tag
- Confirm the removal
Tags can also be removed in bulk using the same selection workflow described above.
Tag-Based Filtering
Tags integrate with filtering across IdentityCenter, enabling you to quickly narrow down views to tagged populations.
Objects Browser
In the Objects browser at /admin/directory/objects:
- Use the Tags filter to show only objects with a specific tag
- Combine tag filters with attribute filters (e.g., "Show all objects tagged 'High Risk' in the Finance department")
- Save filtered views for quick access
People Page
On the People page:
- Filter by tag to see all identities with a specific classification
- Combine with organizational filters (department, manager, division)
- Export filtered results for reporting
Groups Page
On the Groups page:
- Filter groups by tag to find specifically classified groups
- Identify groups tagged for compliance review
Using Tags for Policy Scoping
One of the most powerful applications of tags is policy scoping. Policies can include or exclude tagged populations:
Including Tagged Populations
Scope a policy to only evaluate items with a specific tag:
| Policy | Tag Scope | Effect |
|---|---|---|
| SOX Segregation of Duties | SOX In-Scope | Only evaluate users tagged as SOX in-scope |
| HIPAA Access Control | HIPAA Covered | Only evaluate users with access to PHI systems |
| Privileged Account Monitoring | Admin | Only monitor accounts tagged as administrative |
Excluding Tagged Populations
Exclude specific tagged items from policy evaluation:
| Policy | Tag Exclusion | Effect |
|---|---|---|
| Stale Account Detection | Service Account | Do not flag service accounts as stale |
| Missing Manager | Break-Glass | Do not require managers on break-glass accounts |
| Password Age | Managed Service Account | Exclude accounts with auto-rotating passwords |
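Because an exclusion tag removes an item from evaluation, it is worth listing which identities each policy skips and which tag caused it. The sketch below is an added example, not IdentityCenter code: the `Policy` model, the function names, and the identities are hypothetical, and it assumes that tags match case-insensitively and that an exclusion tag wins over an inclusion tag.

```python
from dataclasses import dataclass

def norm(tag: str) -> str:
    """Compare tags case- and whitespace-insensitively (assumed matching rule)."""
    return " ".join(tag.split()).casefold()

@dataclass(frozen=True)
class Policy:  # hypothetical model, not an IdentityCenter object
    name: str
    include: tuple = ()  # empty means "every item"
    exclude: tuple = ()

def matches_include(policy: Policy, tags) -> bool:
    have = {norm(t) for t in tags}
    return not policy.include or bool(have & {norm(t) for t in policy.include})

def exempted_by(policy: Policy, tags) -> list:
    """Exclusion tags that remove an otherwise in-scope item from evaluation."""
    if not matches_include(policy, tags):
        return []
    have = {norm(t) for t in tags}
    return sorted(t for t in policy.exclude if norm(t) in have)

def in_scope(policy: Policy, tags) -> bool:
    # Assumption: an exclusion tag always wins over an inclusion tag.
    return matches_include(policy, tags) and not exempted_by(policy, tags)

def exemption_report(policies, identities) -> list:
    """(policy, identity, tag) rows: who is skipped, and which tag caused it."""
    return [(p.name, name, tag)
            for p in policies
            for name, tags in sorted(identities.items())
            for tag in exempted_by(p, tags)]

# Policies taken from the tables above; identities are constructed sample data.
POLICIES = [
    Policy("SOX Segregation of Duties", include=("SOX In-Scope",)),
    Policy("Stale Account Detection", exclude=("Service Account",)),
    Policy("Missing Manager", exclude=("Break-Glass",)),
]
IDENTITIES = {
    "asmith": ["SOX In-Scope"],
    "bg-admin": ["Break-Glass", "Privileged"],
    "jdoe": ["Contractor", "service account"],  # a person carrying a service tag
    "svc-backup": ["Service Account"],
}

if __name__ == "__main__":
    for row in exemption_report(POLICIES, IDENTITIES):
        print("%-26s skips %-11s because of tag %r" % row)
```

In the sample data, `jdoe` is skipped by Stale Account Detection because of a service-account tag on a contractor identity, which is the kind of row a reviewer would want to confirm.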
VIP Tag Pattern
A common pattern is the "VIP" tag, which identifies high-profile individuals (executives, board members) who may require special handling:
- Exclude VIPs from automated account disablement policies
- Route VIP access reviews to a senior reviewer
- Generate separate compliance reports for VIP populations
- Apply enhanced monitoring policies to VIP accounts
Tags Diagnostic Page
The Tags Diagnostic page helps troubleshoot tagging issues and provides administrative oversight:
| Feature | Description |
|---|---|
| Orphaned Tags | Tags that are defined but not applied to any items |
| Tag Usage Statistics | Count of items per tag, sorted by usage |
| Duplicate Detection | Identifies tags with similar names that may be duplicates |
| Category Coverage | Shows which categories have tags and which are empty |
| Bulk Operations Log | History of bulk tag applications and removals |
Access the diagnostic page from Tags Management > Diagnostics or via the diagnostic link on the Tags Management page.
Seed Tags
IdentityCenter ships with a set of pre-configured seed tags that cover common identity governance scenarios:
| Seed Tag | Category | Purpose |
|---|---|---|
| VIP | Operational | High-profile individuals requiring special handling |
| Service Account | Operational | Non-human accounts used by applications |
| Shared Account | Operational | Accounts used by multiple people |
| Contractor | Employment Type | External contractor accounts |
| High Risk | Risk Level | Accounts flagged as high risk by policies or AI insights |
| Pending Review | Lifecycle | Accounts awaiting administrative review |
| Privileged | Risk Level | Accounts with elevated permissions |
| Disabled | Lifecycle | Accounts that have been disabled |
Seed tags can be renamed, recategorized, or deleted if they do not fit your organization's needs.
Integration with Other Features
Tags integrate with several IdentityCenter features beyond filtering and policy scoping:
| Feature | Integration |
|---|---|
| Access Reviews | Scope review campaigns to tagged populations |
| Compliance Reporting | Filter compliance reports by tag |
| ChatHub | Search for tagged items using natural language (e.g., "show all VIP users") |
| Intelligence Insights | AI insights may suggest tags based on behavioral analysis |
| Workflows | Route workflow steps based on tags |
| Notifications | Send alerts when high-risk tagged items have violations |
Best Practices
Keep tags consistent - Establish a naming convention and enforce it. Avoid creating tags that overlap in meaning (e.g., "Admin," "Administrator," and "Privileged").
Use categories - Organize tags into categories to prevent tag sprawl. Categories make it easier for administrators to find and apply the right tag.
Do not over-tag - Apply tags intentionally. If everything is tagged, the tags lose their value as a filtering mechanism. Reserve tags for meaningful classifications that drive governance actions.
Review tag usage regularly - Use the Tags Diagnostic page to identify orphaned tags (defined but never used) and consolidate duplicates.
Document tag purpose - Use the description field to explain when a tag should be applied and by whom. This helps maintain consistency as your team grows.
Align tags with compliance - Create tags that map to your compliance requirements (e.g., "SOX In-Scope," "PCI Cardholder Data Access") so that policy scoping and reporting are straightforward.
Automate where possible - Consider using policies or sync rules to automatically apply tags based on object attributes, reducing manual tagging effort.
Next Steps
- Organization Center - Explore organizational structure alongside tag-based classification
- Policies Overview - Scope policies using tags
- Creating Policies - Build policies that reference tag-based populations
- Access Reviews Overview - Scope access review campaigns by tag
- Compliance Frameworks Overview - Map tags to compliance framework controls