# Search Reference

### Search types

These are all the possible search types and their meanings:

* **awsPolicy** - an AWS policy
* **condition** - a grant condition
* **consumer** - the entity that authenticates using a credential; this is typically an IP address
* **credential** - a single authentication credential; search matches the name of the credential (e.g. ID of an API key); will be "federated" if the principal authenticates using SSO
* **entitlement** - a set of privileges to use one or more resources, granted to an identity (an entitlement may be an AWS policy assignment, GCP role binding, or Azure / Kubernetes / Okta / Workspace role assignment)
* **identity** - an IAM identity; search matches the name of the identity (e.g. email, group name, AWS role name, etc.)
* **lateral** - represents potential machine-identity impersonation; each path is represented by two graph nodes, one attached to the grant that allows impersonation, the other attached to the principal that can be impersonated (see `lateral:flow` below)
* **permissionSet** - an AWS permission set
* **privilege** - a grantable privilege (this can be an AWS action, or Azure, Google Cloud, Okta, or Workspace permission)
* **resource** - an IAM resource
* **risk** - a security risk associated with holding a privilege; possible risks are listed in the [IAM Privilege Catalog](https://catalog.p0.dev/risks); you can also search for risk severity scores (e.g. `CRITICAL`)
* **role** - an Azure, Google Cloud, Kubernetes, Okta, or Workspace role (note that this is *not* an AWS role; use `identity:type:aws-iam-role` to search AWS roles)
* **usage** - represents privilege usage (in the last 90 days):
  * `used` - the privilege was used in the last 90 days
  * `unused` - the privilege has been unused for all of the previous 90 days
  * `unknown` - P0 lacks evidence to determine if the privilege is used or unused

### Search attributes

Search attributes allow more specific type searches. Allowable attributes are:

* **condition:expression** - a grant condition's expression
* **credential:created90** - whether this credential was created within the previous 90 days (`fresh`) or earlier (`stale`)
* **credential:last40** & **credential:last90** - whether this authentication method has been used in the previous 40 or 90 days (respectively); values are `used` or `unused`
* **credential:type** - the type of the authentication credential; may be one of
  * `federated` - a credential from an external IAM system
  * `key` - a static secret credential
  * `short-lived` - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like
* **entitlement:cross** - true if access is granted to an identity managed outside of the IAM resource (e.g. a GCP role assigned to an Okta user)
* **entitlement:parent** - the scope (AWS account, Azure subscription, GCP project, etc.) in which this entitlement is defined
* **entitlement:principal** - the principal identity granted access by this entitlement
* **entitlement:principalType** - the identity type of this entitlement's principal identity (see `identity:type` below for possible values)
* **entitlement:provider** - the service in which this entitlement is defined; possible values are `aws`, `azure`, `azure-ad`, `gcp`, `k8s`, `okta`, or `workspace`
* **entitlement:resource** - the resource(s) to which this entitlement grants access
* **entitlement:role** - the role granted by this entitlement
* **identity:accessAdd** - who can add users to this group (only available for Workspace groups):
  * `admin` - only group administrators can add users
  * `group` - anyone in the group can add users
  * `owner` - only the group owners can add users
  * If not present, no one can directly add users
* **identity:accessApprove** - who can approve group join requests (only available for Workspace groups):
  * `admin` - only group administrators can approve requests
  * `group` - anyone in the group can approve requests
  * `owner` - only the group owners can approve requests
  * If not present, no one can approve requests
* **identity:accessJoin** - who can join this group without approval (only available for Workspace groups):
  * `public` - anyone on the Internet can join
  * `domain` - anyone in the Workspace domain can join
  * `invited` - users can join if they've received an invite
  * If not present, users can only be directly added to the group
* **identity:accessView** - who can view this group's content (only available for Workspace groups; content is the group's messages):
  * `public` - anyone on the Internet can view
  * `domain` - anyone in the Workspace domain can view
  * `group` - anyone in the group can view
  * `admin` - only group administrators can view
* **identity:external** - true if the identity is managed outside the assessed environment
* **identity:parent** - the scope (AWS account, Azure subscription, GCP project, etc.) that manages this identity
* **identity:provider** - the service that manages this identity; possible values are `aws`, `azure`, `azure-ad`, `gcp`, `k8s`, `okta`, or `workspace`
* **identity:status** - one of:
  * `enabled` - the principal can authenticate
  * `disabled` - the principal's authentication is disabled
* **identity:type** - the type of the IAM principal; may be one of
  * `aws-iam-role` - an AWS IAM role
  * `aws-permission-set-role` - an AWS IAM role automatically generated by AWS when assigning an AWS permission set to an account
  * `federated` - an identity used to provide access to identities from another provider (e.g. an AWS IAM role with `Principal.Federated` in its trust relationship); the identity's parents will be the federated identities
  * `group` - a directory group
  * `public` - any identity
  * `service-agent` - a provider-managed account
  * `service-account` - a machine identity (in AWS this is usually an AWS role)
  * `user` - a user identity
* **lateral:type** - the mechanism via which lateral escalation can be achieved:
  * `grant` - lateral movement via a granted privilege (e.g. GCP `iam.serviceAccounts.actAs` or AWS `sts:assumeRole`)
  * `resource` - lateral movement via usage of a service-linked resource (e.g. lateral movement to a compute service identity via shell access)
  * Note: federated access is represented as a direct principal-to-principal relationship, and is not modeled as lateral movement
* **privilegeSet:provider** - the service that manages this role or AWS policy; possible values are `aws`, `azure`, `azure-ad`, `gcp`, `k8s`, `okta`, or `workspace`
* **resource:service** - the resource's parent cloud service; use the API path of the service (e.g. `sso` instead of `Identity Center`)
* **resource:type** - the resource's type (e.g. `bucket`)
* **risk:score** - the access risk score from the [IAM Privilege Catalog](https://catalog.p0.dev/risks); one of `CRITICAL`, `HIGH`, `MEDIUM`, `BOOST`, `EVASION`, or `LOW`

### IAM graph

Your IAM data are connected in a directed graph, as shown, with each node label indicating the datum's respective type:

<div data-full-width="true"><figure><img src="/files/eaDEI372kpVB57bLgdPt" alt=""><figcaption></figcaption></figure></div>

{% hint style="info" %}
Via queries should only be used for types matching along a directed path in this graph. E.g., `principal:->used:->risk:` will produce matches, but `resource:->risk:` will not.
{% endhint %}

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.p0.dev/inventory/query-search/search-reference.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
