Reports Library
Last modified on November 1, 2023
The Reports Library offers a suite of reports providing in-depth analysis of access grants to resources and usage of resources within your organization. These reports can help StrongDM administrators ensure compliance and detect potential issues. This article describes how to use and view all the reports available in the Reports Library.
This feature is part of the Enterprise bundle. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
All Reports
To view reports, log in to the Admin UI, and select Reports Library from the main navigation. The All reports tab displays all reports currently available to your organization:
- Access Review report
- Least Privilege report
- Sensitive Resources report
- Sensitive Resources Recent Grants report
Click on each report name to view its contents. With each report, you can do the following:
- View all metrics specific to the report.
- Export the report as CSV.
- Search the report.
- Filter by type, tags, permission level, and/or user by using the filter buttons or by typing into the Search field.
- If viewing a report related to sensitive resources, edit the sensitive resource settings.
Report generation
Metrics for all reports are refreshed every 24 hours. The date and time of the last refresh is given at the top of the page.
Export reports as CSV
You may view reports in the Admin UI, or you may download them in CSV format by clicking the Export CSV button on each report page.
Sensitive Resources
What is a sensitive resource? A resource may be considered sensitive if it hosts, stores, or transmits sensitive data. Sensitive data is information that is stored, processed, or managed by an individual or organization that is confidential and only accessible to authorized users with proper permission, privileges, or clearance to view it.
Some examples of sensitive data include financial information, protected health information (PHI), credential data, customer information, trade information, proprietary information, government information, and certain types of personally identifiable information (for example, social security numbers and bank account numbers).
Because hosting, storing, or transmitting sensitive data can pose considerable security and legal risks to any organization, it’s important to identify which resources contain it, to establish criteria for what qualifies as sensitive data, to determine all the users who have access to it, and lastly, to know which users are accessing sensitive resources and when.
StrongDM already helps organizations maintain sensitive data protection through privileged access control to sensitive information systems and careful management of user authentication processes. StrongDM, however, does not know what is on your resources or how you classify them. It is up to you to identify sensitive resources. The Reports Library provides the tools that enable you to specify which of your organization’s resources are considered sensitive.
Sensitive Resource Settings
The Sensitive Resource Settings tab is where you define which resources are considered sensitive. You can use either a resource tag or resource name or substring to define a sensitive resource.
After defining sensitive resources, the Sensitive Resources and Sensitive Resources Recent Grants reports are generated and displayed. Note that it can take up to 10 minutes for them to display. After that, metrics refresh every 24 hours.
After saving your sensitive resource configuration, any report that you view filters resources based on your tag or substring value setting.
Designate sensitive resources by resource tag
When designating sensitive resources by resource tag, enter your desired tag in the format <KEY>=<VALUE> (for example, sensitive=true). The value is optional and may be left empty. You may enter up to five tags, and if a resource has any of the specified tags, it is designated as sensitive.
Tag details
- Maximum key length: 128 UTF-8 characters
- Maximum value length: 256 UTF-8 characters
- Maximum 50 tags per entity
- Allowed characters: letters, numbers, and spaces representable in UTF-8, and the following characters:
+ - = . _ : / @ - Case-sensitive:
team=StrongDMis different fromteam=strongdm - An entity can only have one value of a key at a time (for example, if you have two tags,
sensitive=yesandsensitive=no, you can only assign one of them to a resource).
Designate sensitive resources by resource name substring
When designating sensitive resources by resource name substring, enter any substring value (for example, mysql-02-sensitive or Postgres-exampleapp-4). The system checks for this value in all resource names and displays the matched resources in reports.
Sensitive Resources Report
The Sensitive Resources report provides metrics that quickly tell admins about sensitive resources and their activities, such as whether access to the resource has been granted, which users have access to the resource and have accessed it, the date and time of the user’s last session, and more. This report provides point-in-time information. It is accurate at the time it is generated but does not reflect further changes until it is regenerated.
In order to run this report, you must first update Sensitive Resource Settings so that the system knows which resources are considered sensitive. After saving your sensitive resource settings, any report that you view filters resources based on your tag or substring value setting. You may change the filter setting at any time by clicking edit.
The Sensitive Resources report includes the following report metrics:
- Access
- Date Access Granted
- Granted By
- Grantor
- Last Session
- Last Session ID
- Resource Name
- Resource Tags
- Resource Type
- Times Accessed In Last 90 Days
- User Email
- User First Name
- User Last Name
- User Permission Level
Sensitive Resources Recent Grants Report
The Sensitive Resources Recent Grants report provides information about sensitive resources that have received access grants in the last 90 days. This report helps admins to quickly view access grants to the organization’s sensitive resources at a resource level. This report provides point-in-time information. It is accurate at the time it is generated but does not reflect further changes until it is regenerated.
In order to run this report, you must first update Sensitive Resource Settings so that the system knows which resources are considered sensitive. After saving your sensitive resource settings, any report that you view filters resources based on your tag or substring value setting. You may change the filter setting at any time by clicking edit.
The Sensitive Resources Recent Grants report includes the following report metrics:
- Access
- Date Access Granted
- Granted By
- Grantor
- Last Session
- Last Session ID
- Resource Name
- Resource Tags
- Resource Type
- Times Accessed In Last 90 Days
- User Email
- User First Name
- User Last Name
- User Permission Level
Access Review Report
The Access Review report provides information about resources that can be accessed by each StrongDM role, including the role name, whether the role that is used to grant access is managed by StrongDM or an identity provider, the number of members assigned to the role, and how many times resources were accessed. This report provides point-in-time information. It is accurate at the time it is generated but does not reflect further changes until it is regenerated.
The Access Review report includes the following report metrics:
- # of Members
- Last Session
- Last Session ID
- Resource Name
- Resource Tags
- Resource Type
- Role Name
- Times Accessed In Last 90 Days
- User Email
- User First Name
- User Last Name
Least Privilege Report
Applying the concept of least privilege to your organization means limiting access to resources to only the users who need it. The Least Privilege report provides information about access grants that have been inactive for a certain period of time, displaying information such as the user’s name and permission level, the name and type of resource they were granted access, and the last time they accessed it.
This report allows admins to easily see which users are not using the resources available to them, and assess whether or not their access should be revoked. This report provides point-in-time information. It is accurate at the time it is generated but does not reflect further changes until it is regenerated.
The Least Privilege report includes the following report metrics:
- Granted By
- Grantor
- Resource Name
- Resource Type
- User Email
- User First Name
- User Last Name
- User Permission Level
Least Privilege Report Options
The Least Privilege report shows data for an inactivity period, from 1 to 90 days, that is specified in the Report Options at the top of the page. If, for example, you only want to know which access grants have not been used in the past month, you can edit the report options to display data for the last 30 or 31 days.
To change the inactivity period, click edit. In the Report Options area that displays, set a numeric value, from 1 to 90, in the Minimum days since last use field. If no inactivity period value is saved, the report defaults to 90 days. Note that modifying the number of days causes the Least Privilege report to be regenerated for all users in your organization.
Report Metrics
The following table describes the metrics found in reports.
| Metric name | Description | Example | Report(s) |
|---|---|---|---|
| # of Members | Number of users and service accounts that can access the resource via role membership | 5 | Access Review |
| Access | Status of user’s access to the resource; possible values are Active or Expired | Active | Sensitive Resources, Sensitive Resources Recent Grants |
| Date Access Granted | Date and time in UTC (Coordinated Universal Time) of the access grant | 2023-02-17T19:20:59Z | Sensitive Resources, Sensitive Resources Recent Grants |
| Granted By | Type of access grant allowing the user to access the resource; possible values are Role with the name of the role that granted access, or Temporary Access to indicate a temporary access grant | Role:SuperAdmin or Temporary Access | Least Privilege, Sensitive Resources, Sensitive Resources Recent Grants |
| Grantor | Name of organization or identity provider that granted access to the resource | StrongDM | Access Review, Least Privilege, Sensitive Resources, Sensitive Resources Recent Grants |
| Last Session | Date and time in UTC of the user’s last session when accessing the resource | 2023-02-17T19:20:59Z | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| Last Session ID | Identifier of the last query made by the user on the resource | 02NPmuIhCFNvQXs0wxukV0UhZrA9 | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| Resource Name | Display name of the resource | exampleresourcename | Access Review, Least Privilege, Sensitive Resources, Sensitive Resources Recent Grants |
| Resource Tags | Tag(s) assigned to the resource, set in brackets in key=value format | [env=dev] | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| Resource Type | Type of that particular resource (for example, postgres is a type of database resource) | postgres | Access Review, Least Privilege, Sensitive Resources, Sensitive Resources Recent Grants |
| Role Name | Name of the role that grants access to the resource | Super Admin | Access Review |
| Times Accessed In Last 90 Days | Number of times the user accessed the resource in the last 90 days | 121 | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| User Email | Email address of the user accessing the resource | alice.glick@strongdm.com | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| User First Name | First name of the user accessing the resource | Alice | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| User Last Name | Last name/surname/family name of the user accessing the resource | Glick | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| User Permission Level | Permission level of the user accessing the resource (for example, Administrator, Team Leader, Database Administrator, or User) | admin | Sensitive Resources, Sensitive Resources Recent Grants |
Search Reports
The Search field allows you to find information in a report, such as the name of a user accessing a resource, or a specific resource type. You can either type into the Search field or use the Type, Tags, or Permission level filter drop-down menus to narrow your search. The table header displays the number of results returned by the active search and filter query.
Free-text search
You can enter any text or string into the Search field in order to search the first column of a report. For example, in the Sensitive Resources report in which the first column is Resource Name, typing into the Search field searches against the resource names found in the report.
Report filters
Report filters display report entries according to the kind of resource, assigned resource tags, and/or the permission level of the user accessing resources.
You can type or copy/paste the following filters into the Search field, with or without other text. Do not use quotes or tick marks.
| Filter | Description | Example search |
|---|---|---|
grantedBy:<ROLE_ID_OR_TEMPORARY_ACCESS> | Shows resources that are accessed via role membership or temporary access | grantedBy:r-5a3a0d8161b8bb6e finds all resources that are accessed via the specified role. grantedBy:temporary-access finds all resources that are accessed via a temporary access grant. |
grantor:<STRONGDM_OR_IDP> | Shows who managed the access grant (StrongDM or an identity provider) | grantor:Okta finds resources that are granted access by Okta. |
permissionLevel:<PERMISSION_LEVEL> | Shows users with the specified permission level in the report | permissionLevel:admin finds all resources that were accessed by a user with the Account Administrator permission level |
resourceTags:title=value | Shows resources with the specified tag in the report; supports wildcards (*) | tags:env=prod or tags:env=pr* finds all resources with the env=prod tag; tag values containing commas must be inside quotes (for example, tags:region="useast,uswest") |
resourceType:<RESOURCE_TYPE> | Shows specified types of resources in the report | If searching datasources, resourceType:mysql displays all MySQL resources in the report |
user:<USER_NAME> | Shows the specified user | user:alice.glick finds user Alice Glick |
Filter buttons
Alternatively, you may narrow the search results by selecting one or more of the following filter buttons instead of typing it out:
- Access automatically populates filters based on whether the user’s access to the resource is active or expired.
- Granted By automatically populates filters based on how access was granted (for example, by a role or via temporary access).
- Grantor automatically populates filters based on who managed the access grant (StrongDM or an identity provider).
- Resource type automatically populates filters based on the type of resource.
- Resource Tags automatically populates filters based on assigned resource tags.
- User automatically populates filters based on the specified user name.
- User Permission Level automatically populates filters based on the permission level of the user who accessed the resource.
Save your favorite search and filter queries
The parameters of your search and filter queries are reflected in the page URL, allowing you to bookmark your favorite searches and filters in your web browser.
For example, when viewing the Sensitive Resources Report and filtering resources to find only the MySQL resource type, the URL becomes https://app.strongdm.com/app/report-library/reports/sensitive-resources-report?resourceType=mysql.
Additional Information
The Reports Library is only available as part of the Enterprise bundle. If you are unable to view the Reports Library, the Enterprise bundle is not enabled for your organization.