Triage the App inventory

If you’ve completed the quick start guide, you should have connected Trelica to your identity provider (IdP). Trelica uses the integration with your IdP to identify apps that your employees are accessing via single-sign-on with their organization email address. This includes apps that users have logged in to using the OAuth2 protocol, and apps for which you have implemented SAML SSO.

You can find out more about the OAuth2 protocol, including its benefits and drawbacks, from this blog post.

The apps that Trelica has discovered are listed in the Applications inventory.  

The applications inventory

It's likely that by connecting Trelica to your IdP, you will discover a large volume of apps (including a "long tail" of apps used by just one or two people). This provides a starting point for understanding and managing SaaS usage in your organization. The list will probably include a mix of:

  • Business apps that your team are already aware of (including apps for which you have implemented SAML SSO).
  • Business apps that you were not aware of (including free trials that users have signed up for and licensed apps that have been procured by teams or individuals directly). 
  • Non-business apps that may or may not be a cause for concern.

For apps in the first category, you can use Trelica to monitor spend and usage, ensure your contracts are right-sized for your organization, and manage app users. 

The latter two categories make up what is often referred to as informal or "shadow" IT. These can provide you with valuable insights into the IT needs of your organization, as well as identifying opportunities to consolidate licenses and highlighting potential security risks. 

Reviewing every single app in a large inventory is unrealistic and generally unnecessary. We recommend sorting and filtering the list by various criteria and then using the app status to classify apps and prioritize those requiring further investigation. 

Sort and filter apps

When Trelica discovers an app, it is matched automatically against our central library of apps in order to provide you with additional context. As you connect Trelica to more systems, Trelica updates the inventory with new apps and additional details about existing apps. 

The following data points are particularly useful when triaging the Apps inventory:

  • Application audience - The audience category is populated automatically. An app can have an audience of "Business", "Home", or both. "Home" covers a broad range of apps - such as online retailers, dating apps and food ordering services - for which a business use is unlikely.
  • Users - The total number of users that have been given access to each app. When triaging a large volume of apps, you may want to start by focussing on those with larger numbers of users. You can also add the Engaged users column to see how many of those users have logged into the app in the last 90 days.
  • Spend - If you have integrated Trelica with your finance system (or imported spend data manually), then you can prioritize apps according to cost. 
  • Login methods - This indicates whether users have authenticated using SAML or OAuth single-sign-on. SAML SSO usually has to be configured by an IT administrator, making this an easy way to identify the apps that you are already managing centrally. 
  • Access risk - The potential security risk presented by the app based on the OAuth scopes that users have granted. This is particularly relevant for non-business apps and business apps that you were previously unaware of.  

Select from the pre-set views or apply filters and show, hide and sort columns to triage the list. Then use the checkboxes to bulk select apps and update their status.
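
The same triage can be sketched outside the UI, as an added example that is not Trelica's own code or export format. It ranks constructed inventory records by the data points listed above; the field names, risk labels, weights and thresholds are all assumptions chosen for illustration.

```python
# Added illustration: field names, risk labels and weights are assumptions,
# not Trelica's export schema or scoring model.
from dataclasses import dataclass

RISK_WEIGHT = {"low": 0, "medium": 2, "high": 4}  # assumed access-risk labels

@dataclass
class App:
    name: str
    audience: set       # {"Business"}, {"Home"} or both
    users: int          # users that have been given access
    spend: float        # known annual spend, 0 if none recorded
    login_methods: set  # {"SAML"}, {"OAuth"} or both
    access_risk: str    # "low" | "medium" | "high", from granted OAuth scopes

def triage_bucket(app):
    """Approximate the three categories the article describes."""
    if "SAML" in app.login_methods:
        return "centrally managed (SAML)"       # SAML SSO is configured by IT
    if "Business" in app.audience:
        return "possible shadow IT (business)"  # trials, direct purchases
    return "non-business"

def priority(app):
    """Higher score means review sooner."""
    score = RISK_WEIGHT[app.access_risk]
    score += 2 if app.users >= 10 else (1 if app.users >= 3 else 0)
    score += 1 if app.spend > 0 else 0
    # Apps behind SAML are already known to IT, so push them down the queue.
    score -= 3 if "SAML" in app.login_methods else 0
    return score

def review_queue(apps):
    """Return (name, bucket, score) rows, highest priority first."""
    rows = [(a.name, triage_bucket(a), priority(a)) for a in apps]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed sample inventory (not real data).
SAMPLE = [
    App("CRM Suite", {"Business"}, 120, 48000.0, {"SAML"}, "low"),
    App("PDF Merge Tool", {"Business"}, 14, 0.0, {"OAuth"}, "high"),
    App("Food Delivery", {"Home"}, 2, 0.0, {"OAuth"}, "low"),
    App("Diagram Trial", {"Business"}, 4, 300.0, {"OAuth"}, "medium"),
]

if __name__ == "__main__":
    for name, bucket, score in review_queue(SAMPLE):
        print(f"{score:>2}  {bucket:<30} {name}")
```

In this sample the widely used OAuth app with high-risk scopes and no recorded spend comes out on top, while the SAML-managed app drops to the bottom even though it has the most users and the highest spend.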

App status

We recommend using the app status to classify apps based on what you intend to do with them. 

  • New - Default state for all newly discovered or manually added apps. This state is also useful for low-risk non-business apps that you want to keep visible by default. 
  • In review - App is in review. This is useful if you need to spend more time investigating whether the app should form part of your inventory, or when trialling a new product or service.
  • Plan to close - App usage is due to be discontinued, either because access is going to be blocked for security reasons or because the product is being replaced. This transition state accounts for situations where apps cannot be moved straight to "Closed" given practicalities around steps to engage with users or the vendor.
  • Managed - The app is key to your business and should be actively managed. Managed apps have a special meaning in Trelica and the system will flag any information gaps for an app in this state e.g. missing owner, expired or missing license, integration not enabled. We recommend assigning an app owner to each managed app. For more information, see Managed apps.
  • Accepted - You don’t have concerns about the app being used given the current level of usage, spend, or risk. However, you don’t need to formally manage the app (i.e. assign an owner, capture license details, track renewals). This status is useful for free productivity tools and low-risk Google Workspace Marketplace apps. 
  • Closed - Use of the app is discontinued. This state archives the information you’ve collected. Closed apps are hidden by default in all inventory views.
  • Ignored - App is miscellaneous and doesn't require attention in terms of spend, licensing, user engagement or risk. Typical examples are one-off custom scripts that cannot be identified by Trelica. Ignored apps are hidden by default in all inventory views.

Transition states are optional - you can move apps from "New" straight to any of the end states.

Add custom attributes

In addition to the data points that are populated automatically, you can define any custom attributes that you want to be able to record for some or all of your apps. For example, you might want to record the results of a risk assessment so that you can filter the list by this information. 

Next steps

Once you have completed a first round of identification and triage, we recommend connecting Trelica to other sources of app data, such as a finance system or the browser extension. Trelica uses the data from these sources to discover apps that were not identified by your IdP and adds them to the App inventory.

You can filter the App inventory by status to triage these newly discovered apps and then update their status as required. We recommend repeating this process regularly over the first few weeks as Trelica will continue to discover apps via your IdP, finance system and/or the browser extension. When you identify apps that should be proactively managed, consider assigning an owner and connecting the app to Trelica directly. For more information, see Managed apps.

When you add other app integrations to Trelica (for example, so that you can optimize licenses or onboard users automatically), the data provided by these sources is also added to the App inventory. Combining data from various sources helps you to form an accurate picture of SaaS usage within your organization, so that you can manage apps even more effectively.
