Reports Beta
Last modified on August 27, 2024
This feature is part of the Enterprise bundle. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
This feature is currently in closed-access beta. Functionality and documentation may change. Contact StrongDM for more information.
The Reports Library offers rich dashboards providing in-depth analysis of access grants to resources, organization posture and risks, and more. These dashboards can help StrongDM administrators and auditors ensure compliance and detect potential issues. This article describes the dashboards available in the Reports Library.
All Dashboards
Dashboards may be viewed by users with the Administrator or Auditor permission level.
To view dashboards, log in to the Admin UI, and select Reports Library from the main navigation.
The All reports tab displays all dashboards currently available to your organization:
Click on a dashboard card to view its contents. For each dashboard, you can do the following:
- View all metrics specific to the dashboard.
- Display data based on a specified date range.
- Search the data in your dashboards by manipulating the filters, or click into specific items in widgets to filter the displayed information further.
The following capabilities are coming soon:
- Download data as a CSV or PDF file.
- Schedule delivery of the dashboard report to a specified destination at a later time, in a variety of formats (PDF, zipped CSV, PNG).
- Clear the cache and refresh dashboard data.
- Set email alerts for any individual widget.
Search and Filter
The Search field embedded into dashboard cards allows you to find and display specific data, such as the name of a user accessing a resource, a specific resource type, or a tag. You can enter any text or string into the Search field.
Similarly, filters allow you to display specific data, such as for date or temporary grants. Every active filter is presented at the top of each dashboard. You can select filters from multiple dashboard cards to narrow results even further.
When set, the filters are encoded into the dashboard’s URL (for example, https://app.strongdm.com/app/reports-library/reports/dashboard/auditor?Date=7+day
), enabling you to share or bookmark your filter configuration.
Sensitive Resource Settings
The Sensitive Resource Settings tab is where you define which resources are considered sensitive. You can use either a resource tag or resource name or substring to define a sensitive resource. After saving your sensitive resource configuration, any dashboard that you view filters resources based on your tag or substring value setting.
What is a sensitive resource?
A resource may be considered sensitive if it hosts, stores, or transmits sensitive data. Sensitive data is information that is stored, processed, or managed by an individual or organization; it is information that is confidential and only accessible to authorized users with proper permission, privileges, or clearance to view it.
Some examples of sensitive data include financial information, protected health information (PHI), credential data, customer information, trade information, proprietary information, government information, and certain types of personally identifiable information (for example, Social Security numbers and bank account numbers).
Because hosting, storing, or transmitting sensitive data can pose considerable security and legal risks to any organization, it’s important to determine criteria for what data is, identify resources that have it, determine which users can access it (via those resources), and know which users are actually accessing sensitive resources and when.
StrongDM already helps organizations maintain sensitive data protection through privileged access control to sensitive information systems and careful management of user authentication processes. StrongDM, however, does not know what is on your resources or how you classify them. It is up to you to identify sensitive resources. The Reports Library provides the tools that enable you to specify which of your organization’s resources are considered sensitive.
Designate sensitive resources by resource tag
When designating sensitive resources by resource tag, enter your desired tag in the format <KEY>=<VALUE>
(for example, sensitive=true
). The value is optional and may be left empty (for example, sensitive=
). You may enter up to five tags, and if a resource has any of the specified tags, it is designated as sensitive.
Tag details
- Maximum key length: 128 UTF-8 characters
- Maximum value length: 256 UTF-8 characters
- Maximum 50 tags per entity
- Allowed characters: letters, numbers, and spaces representable in UTF-8, and the following characters:
+ - = . _ : / @
- Case-sensitive:
team=StrongDM
is different fromteam=strongdm
- An entity can only have one value of a key at a time (for example, if you have two tags,
sensitive=yes
andsensitive=no
, you can only assign one of them to a resource).
Designate sensitive resources by resource name substring
When designating sensitive resources by resource name substring, enter any substring value (for example, mysql-02-sensitive
or Postgres-exampleapp-4
). The system checks for this value in all resource names and displays the matched resources in dashboards.
Access Workflows
The Access Workflows dashboard provides a summary of how temporary access granted by Access Workflows is being used in the organization.
With the Access Workflows dashboard, StrongDM admins can:
- View a summary of active access grants and access requests.
- Filter results based on status (pending, timed out, denied, or canceled) of access grants or access requests.
- Filter results to show access grants that were manually approved or automatically approved.
- Filter results to show access grants approved by a particular approver.
- Filter results to show only grants that are active or inactive.
- Search users, resources, workflows, and approvers by name, and display results accordingly.
- Audit all requests made by a user or for a resource or workflow.
- Select a time range of up to 13 months for review.
- Export data in the format that works for your organization.
The following Access Workflows metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
Access Requests | Number of access requests | 100 |
Active Grants | Number of active grants | 55 |
Approval Mode | Type of approval, either manual or automatic | 2024-08-07 18:24:00 |
Approver | Full name of the user who approved a request | Bob Belcher |
Automatically Approved | Number of requests automatically approved | 50 |
Canceled | Number of canceled requests | 0 |
Created Time | Date and time when the request for access was created | 2024-08-07 18:24:00 |
Deleted Time | Date and time when the request for access was deleted | 2024-08-08 19:20:00 |
Denied | Number of denied requests | 0 |
From Integrations | Number of requests from integrations | 1 |
Grants | Number of access grants | 1,305 |
ID | Identifier of workflow | 1092327429073100416 |
Inactive Grants | Number of inactive grants | 45 |
Manually Approved | Number of manually approved requests | 23 |
Name | Name of resource, role, or workflow | Web Staging |
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com |
Pending | Number of pending requests | 0 |
Reason | Reason for requesting access | Use DB please. |
Request Duration | Duration of the request | 2,700 |
Requests | Number of requests made or approved | 12 |
Resource | Name of resource | AWS Cloud |
Resource ID | Identifier of the resource | 669547882304912091 |
Start From Time | Start date and time of the request for access | 2023-10-04 12:22:04 |
Status | Status of request | Approved |
Status Time | Status time of request | 2024-08-07 18:24:00 |
Timed Out | Number of timed out requests | 3 |
Updated | Date and time of update | 2024-08-12,2024-08-14 |
User | Full name of the user | Alice Glick |
Valid Until Derived Time | Valid until derived date and time | 2023-10-04 12:22:04 |
Valid Until Time | Date and time when the request for access expires | 2023-10-04 12:22:04 |
Workflow | Name of workflow | RW Admin Workflow |
Auditor Insights
The Auditor Insights dashboard displays information about all the roles, users, resources, and tags in an environment. This information helps companies to run external audits and understand who has access to which resources. StrongDM admins can use this information to show compliance with auditor requirements, as well as to understand which areas of their organization have more access than needed.
With the Auditor Insights dashboard, StrongDM admins and auditors can:
- View the many relationships between roles, users, resources, and tags.
- View the roles assigned to a user or set of users.
- View the roles that grant access to a resource or set of resources.
- View the roles that grant access to resources with a tag or set of tags.
- View the resource types and specific resources that a user or set of users can access.
- View the users who have access to a resource or set of resources.
- View individual grants.
- Filter results for a specific time period.
- Filter results to show access information from only temporary grants or permanent grants.
- Click on any role, user name, resource name, resource type, tag, access type, or date to filter results even further.
- Export data in the format that works for your organization to meet audit needs.
The following Auditor Insights metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
ID | Resource ID, role ID, tag ID, or user ID | 5406577942789366843 |
Key Value | Tag key and value | environment=development |
Name | Resource name or role name | Example |
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com |
Resources | Number of resources | 194 |
Resources Count | Number of resources | 530 |
Roles Count | Number of roles | 33 |
Tags Count | Number of tags | 24 |
Temporary Grants Count | Number of temporary grants | 25 |
Users | Number of users | 100 |
Users Count | Number of users | 113 |
Executive Summary
The Executive Summary dashboard provides CISOs and security teams a high-level overview of security posture as it pertains to privileged access management. The dashboard shows how many users actually interact with the resources to which they have been granted access. Access grants, resources, users, and sessions are shown as numbers, while utilization of grants, resources, and users is shown as percentages. As an example, a high number of grants with a low resource utilization percentage could mean that users are overprovisioned for access.
With the Executive Summary dashboard, you can do the following:
- View summarized information about user and resource utilization and activity.
- Review utilization and activity trends over time in order to take corrective action, if needed.
- Select a time range of up to 13 months for review.
- Export data in the format that works for your organization.
The following Executive Summary metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
Act Res | Number of active resources | 100 |
Act User | Number of active users | 1,108 |
Date | Date (YYYY-MM-DD) | 2023-08-13 |
Grants | Number of access grants | 1,305 |
Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them | 13% |
Latest Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them as of the last refresh time | 80 |
Latest Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them, as of the last refresh time | 56 |
Latest User Utilization | Percentage of active users (users with a grant) that had a query associated with them, as of the last refresh time | 75 |
Query Count | Number of queries run by the user | 9,000 |
Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them | 70% |
Sessions | Number of queries run by the user | 142 |
User Utilization | Percentage of active users (users with a grant) that had a query associated with them | 85% |
Standing Access
The Standing Access report provides information about how users received access (such as through permanent grants from roles, or temporary grants from workflows or policies), how long users have had access to resources, and whether or not users have used the access they’ve been given. In addition, it provides suggested actions to take to reduce unused access. This information is useful for assessing security risks and determining which users actually need access to certain resources and whose access should be revoked or converted to temporary access.
The Standing Access report presents information in the following tabs: Scores, Users, Roles, Resources, and Remediations. By clicking into these Standing Access report tabs, StrongDM admins can view:
- Scores for Just-in-Time (JIT) access (that is, access granted upon request or on demand), role utilization, and overall access, and how they are calculated
- JIT Access and Role Utilization scores for each user
- Utilization score and JIT resource overlap for each role
- Distribution of your resources based on the origin of the grant
- Remediation steps to remove users and resources from roles in order to reduce standing access
Scores
The Scores area of the Standing Access report uses data from the access grants and user sessions from the last 90 days to calculate three scores for your organization: JIT Access Score, Role Utilization Score, and Overall Score. These scores can help you to quickly glean the amount of standing access granted to users (where standing access is a permanent access grant created when a user or a resource is assigned to a role) versus the amount of temporary access granted to a user (where access is given upon request and approval, for a specified, limited amount of time).
The JIT Access Score evaluates all of your grants, and calculates the percentage of grants that provided access on a temporary basis versus the grants derived from a role. A JIT Access Score of 100% means your organization has no standing access because all of your grants provide access on a temporary basis.
The Role Utilization Score calculates the percentage of permanent grants where the user accessed the resource. A Role Utilization Score of 100% means all of your permanent grants are utilized.
The Overall Score is an average of the JIT Access Score and Role Utilization Score.
The Standing Access Report is meant to assist StrongDM administrators to reduce the amount of standing access by changing permanent grants from roles into temporary grants from workflows and policies, particularly those permanent grants that often go unused.
Standing Access metrics
The following Standing Access metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
Cumulative Standing Access | Cumulative number of days of standing access to the resource | 56 |
Datasource ID | Identifier of the datasource | 5841011655724994212 |
Datasource Name | Name of the datasource | Dev-admin |
Query Count | Number of queries run by the user | 9,000 |
Sessions | Number of sessions | 300 |
Tags ID | Identifier for tag | 1143611 |
Tags Namevalue | Tag key and value | Environment=Production |
Users ID | Identifier of the user | 925244649940379957 |
Users Name | First and last name of user | Bob Belcher |
User Activity
The User Activity dashboard provides details about user sessions. Admins can use the dashboard to troubleshoot issues with users or resources by filtering to the relevant time and context. In additions, admins can use it to get a detailed understanding of what users access or who is accessing specific resources and resource types.
With the User Activity dashboard, StrongDM admins can:
- Get an at-a-glance view of sessions within StrongDM.
- Find problematic sessions based on concurrency and length of sessions.
- Filter results by user, resources, resource types, and tags to review specific session activities.
- Filter results to show queries for sensitive resources only.
- View individual sessions and grants.
- Select a time range of up to 13 months for review.
- Export data in the format that works for your organization.
The following User Activity metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
Cumulative Query Counts | Cumulative number of queries run by the user | 100 |
ID | Identifier of resource | 1092327429073100416 |
Is Sensitive Filter Value | Boolean value indicating whether the session is for a sensitive resource (true ) or a non-sensitive resource (false ) | true |
Name | Name of resource | Web Staging |
Non Sensitive Query Counts | Number of queries run on non-sensitive resources | 100 |
Num | Number of sessions | 20 |
Query Counts | Number of queries run by the user | 9,000 |
Resources | Number of resources | 194 |
Sensitive | Number of sensitive resources accessed | 101 |
Sensitive Resources | Number of sensitive resources accessed | 101 |
Sensitive Sessions | Number of sessions in which sensitive resources were being accessed | 2 |
Sessions | Number of sessions | 142 |
Tags ID | Identifier for tag | 1143611 |
Tags Key Value | Tag key and value | Environment=Production |
Time End | Date and time when the user session ended | 2024-08-06 11:29:40 |
Time Start | Date and time when the user session started | 2024-08-05 20:11:20 |
Users | Number of users | 100 |
Users ID | Identifier of the user | 925244649940379957 |
Users Name Email | Full name and email address of the user | Bob Belcher -- bob.belcher@strongdm.com |
Utilization
The Utilization dashboard provides information about the activity and inactivity of users and resources within your StrongDM environment. Admins can use this dashboard to identify stale or unused users, resources, and roles.
With the Utilization dashboard, StrongDM admins can view:
- User activity by IP address
- Latest query per user
- Latest query per resource
- Roles that are active but are unassigned to resources
- Resources that have no roles assigned to them
- Users who have no roles assigned to them
- Resources that have never had activity
- Users who have never had activity/sessions
- All the above information for various date ranges, including:
- Greater than 90 days ago
- Less than 90 days ago
- Less than 30 days ago
- Less than 7 days ago
- Less than 1 day ago
The following Utilization metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
Created Time | Date and time when the user was created in StrongDM | 2024-03-13 19:25:11 |
ID | Identifier of resource, role, tag, user, or workflow | 913974183375011223 |
IPs | IP address of user | 12.123.123.123 |
Last Login Time | Date and time of the user’s last login to StrongDM | 2024-08-19 23:10:30 |
Last Query Date | Date of the user’s last query | 2024-08-05 |
Last Query Time | Date and time of the user’s last query | 2024-08-05 23:00:15 |
Latest Session Time | Date and time of the user’s latest session | 2024-06-27 07:07:03 |
List of Source | Source of user activity, either web (Admin UI) or native (desktop app) | web |
Name | Name of resource, role, tag, user, or workflow | Dev Role |
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com |
All Metrics
The following table describes all metrics found in exported dashboards.
Metric name | Description | Example | Dashboard(s) |
---|---|---|---|
Access Requests | Number of access requests | 100 | Access Workflows |
Act Res | Number of active resources | 100 | Executive Summary |
Act User | Number of active users | 1,108 | Executive Summary |
Active Grants | Number of active grants | 55 | Access Workflows |
Approval Mode | Type of approval, either manual or automatic | 2024-08-07 18:24:00 | Access Workflows |
Approver | Full name of the user who approved a request | Bob Belcher | Access Workflows |
Automatically Approved | Number of requests automatically approved | 50 | Access Workflows |
Canceled | Number of canceled requests | 0 | Access Workflows |
Created Time | Date and time when the user or the user’s request for access was created | 2024-08-07 18:24:00 | Access Workflows, Utilization |
Cumulative Query Counts | Cumulative number of queries run by the user | 100 | User Activity |
Cumulative Standing Access | Number of users who have standing access to the resource | 56 | Standing Access |
Datasource ID | Identifier of the datasource | 5841011655724994212 | Standing Access, User Activity |
Datasource Name | Name of the datasource | Dev-admin | Standing Access |
Date | Date (YYYY-MM-DD) | 2023-08-13 | Executive Summary |
Deleted Time | Date and time when the request for access was deleted | 2024-08-08 19:20:00 | Access Workflows |
Denied | Number of denied requests | 0 | Access Workflows |
From Integrations | Number of requests from integrations | 1 | Access Workflows |
Grants | Number of access grants | 1,305 | Access Workflows, Executive Summary |
Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them | 13% | Executive Summary |
ID | Identifier of resource, role, tag, user, or workflow | 1092327429073100416 | Access Workflows, Auditor Insights, User Activity, Utilization |
Inactive Grants | Number of inactive grants | 45 | Access Workflows |
IPs | IP address of user | 12.123.123.123 | Utilization |
Is Sensitive Filter Value | Boolean value indicating whether the session is for a sensitive resource (true ) or a non-sensitive resource (false ) | true | User Activity |
Key Value | Tag key and value | environment=development | Auditor Insights |
Last Login Time | Date and time of the user’s last login to StrongDM | 2024-08-19 23:10:30 | Utilization |
Last Query Date | Date of the user’s last query | 2024-08-05 | Utilization |
Last Query Time | Date and time of the user’s last query | 2024-08-05 23:00:15 | Utilization |
Latest Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them as of the last refresh time | 80 | Executive Summary |
Latest Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them, as of the last refresh time | 56 | Executive Summary |
Latest Session Time | Date and time of the user’s latest session | 2024-06-27 07:07:03 | Utilization |
Latest User Utilization | Percentage of active users (users with a grant) that had a query associated with them, as of the last refresh time | 75 | Executive Summary |
List of Source | Source of user activity, either web (Admin UI) or native (desktop app) | web | Utilization |
Manually Approved | Number of manually approved requests | 23 | Access Workflows |
Name | Name of resource, role, or workflow | Web Staging | Access Workflows, Auditor Insights, User Activity, Utilization |
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com | Access Workflows, Auditor Insights, Utilization |
Non Sensitive Query Counts | Number of queries run on non-sensitive resources | 100 | User Activity |
Num | Number of sessions | 20 | User Activity |
Pending | Number of pending requests | 0 | Access Workflows |
Query Count | Number of queries run by the user | 9,000 | Executive Summary, Standing Access |
Query Counts | Number of queries run by the user | 9,000 | User Activity |
Request Duration | Duration of the request | 2,700 | Access Workflows |
Requests | Number of requests made or approved | 12 | Access Workflows |
Resource ID | Identifier of the resource | 669547882304912091 | Access Workflows |
Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them | 70% | Executive Summary |
Resources | Number of resources | 194 | Auditor Insights, User Activity |
Resources Count | Number of resources | 530 | Auditor Insights |
Roles Count | Number of roles | 33 | Auditor Insights |
Sensitive | Number of sensitive resources accessed | 101 | User Activity |
Sensitive Resources | Number of sensitive resources accessed | 101 | User Activity |
Sensitive Sessions | Number of sessions in which sensitive resources were being accessed | 2 | User Activity |
Sessions | Number of sessions | 142 | Executive Summary, User Activity |
Start From Time | Start date and time of the request for access | 2023-10-04 12:22:04 | Access Workflows |
Status | Status of request | Approved | Access Workflows |
Status Time | Status time of request | 2024-08-07 18:24:00 | Access Workflows |
Tags Count | Number of tags | 24 | Auditor Insights |
Tags ID | Identifier for tag | 1143611 | Standing Access, User Activity |
Tags Key Value | Tag key and value | Environment=Production | User Activity |
Tags Namevalue | Tag key and value | Environment=Production | Standing Access |
Temporary Grants Count | Number of temporary grants | 25 | Auditor Insights |
Time End | Date and time when the user session ended | 2024-08-06 11:29:40 | User Activity |
Timed Out | Number of timed out requests | 3 | Access Workflows |
Time Start | Date and time when the user session started | 2024-08-05 20:11:20 | User Activity |
User | Full name of the user | Alice Glick | Access Workflows |
User Utilization | Percentage of active users (users with a grant) that had a query associated with them | 85% | Executive Summary |
Users | Number of users | 100 | Auditor Insights, User Activity |
Users Count | Number of users | 100 | Auditor Insights |
Users ID | Identifier of the user | 925244649940379957 | Standing Access, User Activity |
Users Name | First and last name of user | Bob Belcher | Standing Access |
Users Name Email | Full name and email address of the user | Bob Belcher -- bob.belcher@strongdm.com | User Activity |
Valid Until Derived Time | Valid until derived date and time | 2023-10-04 12:22:04 | Access Workflows |
Valid Until Time | Date and time when the request for access expires | 2023-10-04 12:22:04 | Access Workflows |
Workflow | Name of workflow | RW Admin Workflow | Access Workflows |