Attribution model
Ultra resolves the effective identity for every event using a three-tier fallback:| Tier | When it applies | Display |
|---|---|---|
| Authenticated | The event carries a Hub session user ID (SSO or SCIM-provisioned member). | Green dot, full name, role, member badge. |
| Gateway-attributed | No session user, but the event references a gateway with a known owner. The gateway owner is credited. | Amber dot, owner’s name, “Gateway-attributed” badge. |
| Unattributed | Neither a session user nor a resolvable gateway owner is available. Grouped by MCP client principal (e.g. claude-desktop/1.2.3). | Gray dot, client principal as label, no link. |
The Identities list
Open Identities in the Hub sidebar to see every identity in your organization, sorted by most recently active by default.Columns
| Column | Description |
|---|---|
| Identity | The name, email, or client principal. Renders as a link to the Identity detail page. Non-org members are flagged with a “Non-member” badge. |
| Relationship | ”Member” with the assigned role (owner / admin / member / viewer), or “Non-member” for identities outside the org. |
| Assurance | Authenticated, Gateway-attributed, or No activity. Reflects the highest assurance tier observed for the identity. |
| Gateways | Number of gateways the identity owns (for gateway-attributed events). |
| Tool calls (30d) | Tool-call count over the last 30 days. |
| Blocks | Guardrail deny outcomes attributed to the identity over the last 30 days. |
| Anomalies | Approximate count of anomaly findings that named the identity. |
| Last active | Most recent event timestamp, or “Never” for identities with no observed activity. |
Filtering
Click the filter icon to open the filter popover:- Relationship: Member or Non-member.
- Assurance: Authenticated, Gateway-attributed, or No activity.
- Has anomalies: identities with at least one finding.
- Search: substring match against name and email (case-insensitive).
Unattributed activity
The Unattributed Activity view (linked from the page header) lists traffic Ultra could not tie back to a Hub user. Entries are grouped by MCP client principal so you can spot:- Shadow MCP clients running outside your managed gateway fleet.
- Misconfigured agents whose gateway owner has been removed or transferred.
- Service accounts that were never linked to a Hub identity.
Identity detail
Click any row to open the identity detail page. It pulls together the principal’s profile, recent activity, and security signals in a single view.Header
The page header carries the identity name with its assurance dot, the member badge and role, and the first-seen / last-seen window.Activity summary
A grid of six cards summarizes the identity’s last 30 days alongside a 90-day comparison:- Tool calls: total tool-call count.
- Servers accessed: distinct upstream MCP servers reached.
- Unique tools: distinct tool names invoked.
- Active days: days with at least one event.
- Guardrail blocks: deny outcomes, with the all-time total alongside the 30-day window.
- Attribution split: how many events were authenticated vs. gateway-attributed. Hover the split for a tooltip explaining the layered model.
Peak hours heatmap
A 7×24 grid (day of week × hour, UTC) shading the times the identity is most active over the last 30 days.Guardrail blocks by type
A breakdown of the identity’s denies grouped by guardrail, using the same guardrail names shown on the Guardrails catalog page (for example Parameter Validation, Credential Protection, or Tool & Server Isolation). Denies that cannot be mapped to a guardrail are bucketed under “unknown.”Anomaly findings
Recent anomaly findings that named the identity. Each finding shows the risk level, score, recommended action, and a relative timestamp.Anomaly attribution is approximate. Findings that named the identity by display name or email instead of its ID may not appear here. Treat this section as a strong hint rather than an exhaustive count.
IdentityLink across the dashboard
Wherever Ultra surfaces a principal (audit log rows, trace drawers, traffic tables, server detail user lists), it renders the same IdentityLink component:- Colored dot for assurance tier (green / amber / gray)
- Name (or email, or client principal as fallback)
- Role badge when the identity is a current member
- “Non-member” badge when the identity is outside the org
Who can see Identities
Every Hub member with read access to the organization (owner, admin, member, and viewer roles) can view the Identities list, the detail pages, and the unattributed view. There is no separate permission for Identities. If a user can see the audit log, they can see who generated each event. Membership changes (a member leaves the org, a new owner is invited) are reflected on the next page load. Past activity remains attributed to the historical identity even after the user has been removed, so audit history is preserved.Related
Audit Log
Per-event activity with IdentityLink on every row
Anomaly Detection
Findings that surface identity-level risk patterns
Guardrails
Policies that produce the block events attributed to each identity
RBAC
Roles and permissions that determine each identity’s relationship to the org