Reports Library

Last modified on November 1, 2023

The Reports Library offers a suite of reports providing in-depth analysis of access grants to resources and usage of resources within your organization. These reports can help StrongDM administrators ensure compliance and detect potential issues. This article describes how to use and view all the reports available in the Reports Library.

All Reports

To view reports, log in to the Admin UI, and select Reports Library from the main navigation. The All reports tab displays all reports currently available to your organization:

Click on each report name to view its contents. With each report, you can do the following:

  • View all metrics specific to the report.
  • Export the report as CSV.
  • Search the report.
  • Filter by type, tags, permission level, and/or user by using the filter buttons or by typing into the Search field.
  • If viewing a report related to sensitive resources, edit the sensitive resource settings.
Admin UI Reports Library

Report generation

Metrics for all reports are refreshed every 24 hours. The date and time of the last refresh is given at the top of the page.

Export reports as CSV

You may view reports in the Admin UI, or you may download them in CSV format by clicking the Export CSV button on each report page.

Sensitive Resources

What is a sensitive resource? A resource may be considered sensitive if it hosts, stores, or transmits sensitive data. Sensitive data is information that is stored, processed, or managed by an individual or organization that is confidential and only accessible to authorized users with proper permission, privileges, or clearance to view it.

Some examples of sensitive data include financial information, protected health information (PHI), credential data, customer information, trade information, proprietary information, government information, and certain types of personally identifiable information (for example, social security numbers and bank account numbers).

Because hosting, storing, or transmitting sensitive data can pose considerable security and legal risks to any organization, it’s important to identify which resources contain it, to establish criteria for what qualifies as sensitive data, to determine all the users who have access to it, and lastly, to know which users are accessing sensitive resources and when.

StrongDM already helps organizations maintain sensitive data protection through privileged access control to sensitive information systems and careful management of user authentication processes. StrongDM, however, does not know what is on your resources or how you classify them. It is up to you to identify sensitive resources. The Reports Library provides the tools that enable you to specify which of your organization’s resources are considered sensitive.

Sensitive Resource Settings

The Sensitive Resource Settings tab is where you define which resources are considered sensitive. You can define a sensitive resource by either a resource tag or a resource name substring.

After defining sensitive resources, the Sensitive Resources and Sensitive Resources Recent Grants reports are generated and displayed. Note that it can take up to 10 minutes for them to display. After that, metrics refresh every 24 hours.

After saving your sensitive resource configuration, any report that you view filters resources based on your tag or substring value setting.

Designate sensitive resources by resource tag

When designating sensitive resources by resource tag, enter your desired tag in the format <KEY>=<VALUE> (for example, sensitive=true). The value is optional and may be left empty. You may enter up to five tags, and if a resource has any of the specified tags, it is designated as sensitive.

Designate Sensitive Resources With Resource Tags

Tag details

  • Maximum key length: 128 UTF-8 characters
  • Maximum value length: 256 UTF-8 characters
  • Maximum 50 tags per entity
  • Allowed characters: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @
  • Case-sensitive: team=StrongDM is different from team=strongdm
  • An entity can only have one value of a key at a time (for example, if you have two tags, sensitive=yes and sensitive=no, you can only assign one of them to a resource).
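
The following is an added example, not StrongDM code: it checks tag entries against the limits listed above and previews which resources in an inventory a tag setting would designate, also listing resources that miss only because of case. The inventory, the function names, and the handling of an entry without a value (compared as the key with an empty value) are assumptions.

```python
MAX_TAGS, MAX_KEY, MAX_VALUE = 5, 128, 256   # limits stated on this page
EXTRA_CHARS = set("+-=._:/@")                # allowed besides letters, numbers, spaces

def parse_tag(entry):
    """Split a <KEY>=<VALUE> entry on the first '='; raise ValueError if it breaks a limit."""
    key, _, value = entry.partition("=")
    if not key or len(key) > MAX_KEY or len(value) > MAX_VALUE:
        raise ValueError(f"key or value length out of range: {entry!r}")
    if not all(c.isalnum() or c == " " or c in EXTRA_CHARS for c in key + value):
        raise ValueError(f"disallowed character in {entry!r}")
    return key, value

def parse_setting(entries):
    """Validate a whole setting: at most five tag entries, each well-formed."""
    if len(entries) > MAX_TAGS:
        raise ValueError("at most five tags may be entered")
    return [parse_tag(e) for e in entries]

def matches(resource_tags, setting, fold=False):
    """True if the resource carries ANY configured tag; fold=True ignores case."""
    norm = (lambda s: s.casefold()) if fold else (lambda s: s)
    have = {(norm(k), norm(v)) for k, v in resource_tags.items()}
    # Assumption: an entry without a value is compared as the key with an empty value.
    return any((norm(k), norm(v)) in have for k, v in setting)

def preview(inventory, entries):
    """Return (designated, near_misses); near misses differ from the setting only by case."""
    setting = parse_setting(entries)
    designated = [n for n, t in inventory.items() if matches(t, setting)]
    near = [n for n, t in inventory.items()
            if n not in designated and matches(t, setting, fold=True)]
    return designated, near

# Constructed inventory: resource name -> tags
INVENTORY = {
    "mysql-02": {"sensitive": "true", "env": "prod"},
    "postgres-app-4": {"Sensitive": "True"},   # case differs, so not designated
    "redis-cache": {"env": "dev"},
    "vault-01": {"data": "phi"},
}

if __name__ == "__main__":
    print(preview(INVENTORY, ["sensitive=true", "data=phi"]))
```

A resource in the near-miss list would be absent from the sensitive resource reports until its tag or the setting is corrected.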

Designate sensitive resources by resource name substring

When designating sensitive resources by resource name substring, enter any substring value (for example, mysql-02-sensitive or Postgres-exampleapp-4). The system checks for this value in all resource names and displays the matched resources in reports.

Designate Sensitive Resources With Resource Name Substring

Sensitive Resources Report

The Sensitive Resources report provides metrics that quickly tell admins about sensitive resources and their activities, such as whether access to the resource has been granted, which users have access to the resource and have accessed it, the date and time of the user’s last session, and more. This report provides point-in-time information. It is accurate at the time it is generated but does not reflect further changes until it is regenerated.

Sensitive Resources Report in the Admin UI

In order to run this report, you must first update Sensitive Resource Settings so that the system knows which resources are considered sensitive. After saving your sensitive resource settings, any report that you view filters resources based on your tag or substring value setting. You may change the filter setting at any time by clicking edit.

Sensitive Resources Filter Edit Button

The Sensitive Resources report includes the following report metrics:

  • Access
  • Date Access Granted
  • Granted By
  • Grantor
  • Last Session
  • Last Session ID
  • Resource Name
  • Resource Tags
  • Resource Type
  • Times Accessed In Last 90 Days
  • User Email
  • User First Name
  • User Last Name
  • User Permission Level

Sensitive Resources Recent Grants Report

The Sensitive Resources Recent Grants report provides information about sensitive resources that have received access grants in the last 90 days. This report helps admins to quickly view access grants to the organization’s sensitive resources at a resource level. This report provides point-in-time information. It is accurate at the time it is generated but does not reflect further changes until it is regenerated.

Sensitive Resources Recent Grants Report in the Admin UI

In order to run this report, you must first update Sensitive Resource Settings so that the system knows which resources are considered sensitive. After saving your sensitive resource settings, any report that you view filters resources based on your tag or substring value setting. You may change the filter setting at any time by clicking edit.

Sensitive Resources Filter Edit Button

The Sensitive Resources Recent Grants report includes the following report metrics:

  • Access
  • Date Access Granted
  • Granted By
  • Grantor
  • Last Session
  • Last Session ID
  • Resource Name
  • Resource Tags
  • Resource Type
  • Times Accessed In Last 90 Days
  • User Email
  • User First Name
  • User Last Name
  • User Permission Level

Access Review Report

The Access Review report provides information about resources that can be accessed by each StrongDM role, including the role name, whether the role that is used to grant access is managed by StrongDM or an identity provider, the number of members assigned to the role, and how many times resources were accessed. This report provides point-in-time information. It is accurate at the time it is generated but does not reflect further changes until it is regenerated.

Access Review Report in the Admin UI

The Access Review report includes the following report metrics:

  • # of Members
  • Last Session
  • Last Session ID
  • Resource Name
  • Resource Tags
  • Resource Type
  • Role Name
  • Times Accessed In Last 90 Days
  • User Email
  • User First Name
  • User Last Name

Least Privilege Report

Applying the concept of least privilege to your organization means limiting access to resources to only the users who need it. The Least Privilege report provides information about access grants that have been inactive for a certain period of time, displaying information such as the user’s name and permission level, the name and type of the resource they were granted access to, and the last time they accessed it.

This report allows admins to easily see which users are not using the resources available to them, and assess whether or not their access should be revoked. This report provides point-in-time information. It is accurate at the time it is generated but does not reflect further changes until it is regenerated.

Least Privilege Report in the Admin UI

The Least Privilege report includes the following report metrics:

  • Granted By
  • Grantor
  • Resource Name
  • Resource Type
  • User Email
  • User First Name
  • User Last Name
  • User Permission Level

Least Privilege Report Options

The Least Privilege report shows data for an inactivity period, from 1 to 90 days, that is specified in the Report Options at the top of the page. If, for example, you only want to know which access grants have not been used in the past month, you can edit the report options to display data for the last 30 or 31 days.

To change the inactivity period, click edit. In the Report Options area that displays, set a numeric value, from 1 to 90, in the Minimum days since last use field. If no inactivity period value is saved, the report defaults to 90 days. Note that modifying the number of days causes the Least Privilege report to be regenerated for all users in your organization.

Least Privilege Report Options

Report Metrics

The following table describes the metrics found in reports.

| Metric name | Description | Example | Report(s) |
| --- | --- | --- | --- |
| # of Members | Number of users and service accounts that can access the resource via role membership | 5 | Access Review |
| Access | Status of user’s access to the resource; possible values are Active or Expired | Active | Sensitive Resources, Sensitive Resources Recent Grants |
| Date Access Granted | Date and time in UTC (Coordinated Universal Time) of the access grant | 2023-02-17T19:20:59Z | Sensitive Resources, Sensitive Resources Recent Grants |
| Granted By | Type of access grant allowing the user to access the resource; possible values are Role with the name of the role that granted access, or Temporary Access to indicate a temporary access grant | Role:SuperAdmin or Temporary Access | Least Privilege, Sensitive Resources, Sensitive Resources Recent Grants |
| Grantor | Name of organization or identity provider that granted access to the resource | StrongDM | Access Review, Least Privilege, Sensitive Resources, Sensitive Resources Recent Grants |
| Last Session | Date and time in UTC of the user’s last session when accessing the resource | 2023-02-17T19:20:59Z | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| Last Session ID | Identifier of the last query made by the user on the resource | 02NPmuIhCFNvQXs0wxukV0UhZrA9 | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| Resource Name | Display name of the resource | exampleresourcename | Access Review, Least Privilege, Sensitive Resources, Sensitive Resources Recent Grants |
| Resource Tags | Tag(s) assigned to the resource, set in brackets in key=value format | [env=dev] | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| Resource Type | Type of that particular resource (for example, postgres is a type of database resource) | postgres | Access Review, Least Privilege, Sensitive Resources, Sensitive Resources Recent Grants |
| Role Name | Name of the role that grants access to the resource | Super Admin | Access Review |
| Times Accessed In Last 90 Days | Number of times the user accessed the resource in the last 90 days | 121 | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| User Email | Email address of the user accessing the resource | alice.glick@strongdm.com | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| User First Name | First name of the user accessing the resource | Alice | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| User Last Name | Last name/surname/family name of the user accessing the resource | Glick | Access Review, Sensitive Resources, Sensitive Resources Recent Grants |
| User Permission Level | Permission level of the user accessing the resource (for example, Administrator, Team Leader, Database Administrator, or User) | admin | Sensitive Resources, Sensitive Resources Recent Grants |
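
The following is an added example, not StrongDM code: it triages an exported Sensitive Resources CSV for active grants that have gone unused, using the metric names and timestamp format from the table above. It assumes the CSV header names match the metric names and that a grant with no sessions has an empty Last Session field; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; header names are assumed to match the metric names.
SAMPLE_CSV = """Resource Name,Resource Type,User Email,User Permission Level,Access,Granted By,Date Access Granted,Last Session,Times Accessed In Last 90 Days
billing-db,postgres,alice@example.com,admin,Active,Role:SuperAdmin,2023-02-17T19:20:59Z,2023-10-30T08:00:00Z,121
billing-db,postgres,bob@example.com,user,Active,Role:Analysts,2023-03-01T10:00:00Z,,0
payroll-db,mysql,carol@example.com,user,Active,Temporary Access,2023-09-15T12:00:00Z,2023-09-16T09:30:00Z,2
payroll-db,mysql,dave@example.com,user,Expired,Temporary Access,2023-01-05T12:00:00Z,,0
"""

def parse_utc(value):
    """Parse timestamps in the 2023-02-17T19:20:59Z form; empty means no session."""
    if not value.strip():
        return None
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_active_grants(csv_text, now, max_idle_days=30):
    """Return (email, resource, granted_by, reason) for Active grants that look unused."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Access"].strip().lower() != "active":
            continue  # expired grants no longer confer access
        last = parse_utc(row["Last Session"])
        count = int(row["Times Accessed In Last 90 Days"] or 0)
        if last is None or count == 0:
            reason = "no sessions in last 90 days"
        elif last < cutoff:
            reason = f"idle {(now - last).days} days"
        else:
            continue
        findings.append((row["User Email"], row["Resource Name"], row["Granted By"], reason))
    return findings

if __name__ == "__main__":
    # The report is point-in-time, so compare against its refresh time, not wall-clock time.
    refreshed = datetime(2023, 11, 1, tzinfo=timezone.utc)
    for finding in stale_active_grants(SAMPLE_CSV, refreshed):
        print(" | ".join(finding))
```

The Granted By value in each finding indicates whether the review concerns a role membership or a temporary access grant.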

Search Reports

The Search field allows you to find information in a report, such as the name of a user accessing a resource, or a specific resource type. You can either type into the Search field or use the Type, Tags, or Permission level filter drop-down menus to narrow your search. The table header displays the number of results returned by the active search and filter query.

You can enter any text or string into the Search field in order to search the first column of a report. For example, in the Sensitive Resources report in which the first column is Resource Name, typing into the Search field searches against the resource names found in the report.

Report filters

Report filters display report entries according to the kind of resource, assigned resource tags, and/or the permission level of the user accessing resources.

You can type or copy/paste the following filters into the Search field, with or without other text. Do not use quotes or tick marks.

| Filter | Description | Example search |
| --- | --- | --- |
| grantedBy:<ROLE_ID_OR_TEMPORARY_ACCESS> | Shows resources that are accessed via role membership or temporary access | grantedBy:r-5a3a0d8161b8bb6e finds all resources that are accessed via the specified role. grantedBy:temporary-access finds all resources that are accessed via a temporary access grant. |
| grantor:<STRONGDM_OR_IDP> | Shows who managed the access grant (StrongDM or an identity provider) | grantor:Okta finds resources that are granted access by Okta. |
| permissionLevel:<PERMISSION_LEVEL> | Shows users with the specified permission level in the report | permissionLevel:admin finds all resources that were accessed by a user with the Account Administrator permission level |
| resourceTags:title=value | Shows resources with the specified tag in the report; supports wildcards (*) | tags:env=prod or tags:env=pr* finds all resources with the env=prod tag; tag values containing commas must be inside quotes (for example, tags:region="useast,uswest") |
| resourceType:<RESOURCE_TYPE> | Shows specified types of resources in the report | If searching datasources, resourceType:mysql displays all MySQL resources in the report |
| user:<USER_NAME> | Shows the specified user | user:alice.glick finds user Alice Glick |

Filter buttons

Alternatively, you may narrow the search results by selecting one or more of the following filter buttons instead of typing the filters out:

  • Access automatically populates filters based on whether the user’s access to the resource is active or expired.
  • Granted By automatically populates filters based on how access was granted (for example, by a role or via temporary access).
  • Grantor automatically populates filters based on who managed the access grant (StrongDM or an identity provider).
  • Resource type automatically populates filters based on the type of resource.
  • Resource Tags automatically populates filters based on assigned resource tags.
  • User automatically populates filters based on the specified user name.
  • User Permission Level automatically populates filters based on the permission level of the user who accessed the resource.

Save your favorite search and filter queries

The parameters of your search and filter queries are reflected in the page URL, allowing you to bookmark your favorite searches and filters in your web browser.

For example, when viewing the Sensitive Resources Report and filtering resources to find only the MySQL resource type, the URL becomes https://app.strongdm.com/app/report-library/reports/sensitive-resources-report?resourceType=mysql.

Additional Information

The Reports Library is only available as part of the Enterprise bundle. If you are unable to view the Reports Library, the Enterprise bundle is not enabled for your organization.
