Entitlements Visibility
Last modified on August 4, 2025
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
Overview
The StrongDM Admin UI provides admins with a comprehensive view of all entitlements that exist for a user. Entitlements visibility enables admins to know who has access to which resources and why at any given point in time. In the case of entitlements, access to a resource means being able to connect to a resource (as opposed to being able to request access to a resource).
Entitlements for users are listed per user in the Principals > Users section of the Admin UI, in a new tab called Entitlements. Similarly, entitlements for resources are listed for every resource on the Entitlements tab.
The Entitlements tab lets admins quickly identify the entitlements that exist in StrongDM. With visibility into both user and resource entitlements, an admin can review, audit, and make access decisions confidently, which reduces the risk of over-provisioning and compliance gaps.
Use Cases
Common use cases for using entitlements visibility include the following:
- User entitlements insight: Admins want to see a breakdown of a user’s entitlements across resources, including access type, source, and last-accessed timestamps.
- Resource entitlements insight: Admins want to see a list of users that have access to a specific resource and why they have access.
User View of Entitlements
To view a user’s entitlements in the Admin UI, go to Principals > Users. Select the user and click on the Entitlements tab. A table displays all the resources that the selected user is entitled to access, with the following fields.
Property | Description | Example |
---|---|---|
Access From | Start timestamp of the access grant; this field is blank for standing access granted by role membership | Mar 8, 2025 11:15 AM |
Access Type | Type of access, either permanent (via role membership) or temporary (due to an access request or admin assignment) | Permanent |
Access Until | End timestamp of the access grant; in the case of permanent access, this field is empty | Mar 12, 2025 12:00 PM |
Granted By | Details on what (role or access workflow) gave access | Example Role |
Hostname | Resource hostname | example.com |
Last Accessed | Last accessed timestamp; this field is empty if the user never accessed the resource | Mar 16, 2025 1:45 PM |
Mapped Identities | Identities assumed by the user upon accessing the resource | alice-glick |
Name | Resource name | Example |
Reason for Access | How access was granted to the user (for example, role assignment, admin assignment, or access workflows) | Role |
Type | Resource type | Redis |
Resource View of Entitlements
To view all entitlements for a resource in the Admin UI, go to Resources, select the resource type (for example, Servers), and select the desired resource to view. Click on the Entitlements tab to view a table of all the users that are entitled to access the resource. The table has the following fields.
Property | Description | Example |
---|---|---|
Access From | Start timestamp of the access grant; this field is blank for standing access granted by role membership | Mar 8, 2025 11:15 AM |
Access Type | Type of access, either permanent (via role membership) or temporary (due to an access request or admin assignment) | Permanent |
Access Until | End timestamp of the access grant; in the case of permanent access, this field is empty | Mar 12, 2025 12:00 PM |
Granted By | Details on what (role or access workflow) gave access | Example Role |
Last Accessed | Last accessed timestamp; this field is empty if the user never accessed the resource | Mar 16, 2025 1:45 PM |
Mapped Identities | Identities assumed by the user upon accessing the resource | alice-glick |
Name | User name | Glick, Alice |
Reason for Access | How access was granted to the user (for example, role assignment, admin assignment, or access workflows) | Role |
Type | User type (user or service account) | User |
Entitlements Options
This section describes the options available on the Entitlements tab for both users and resources.
Remove role
The Remove role button provides the option to remove a user from the role that grants access to the given resource. Common reasons to remove a user from a role include that the user has never accessed the resource they are entitled to access, or that they last accessed it a long time ago.
To remove the user from a role, click Remove role and then confirm. Once you confirm, the user is removed and they no longer have access to the resource.
Search, filter, and sort
You may use the Search bar to find a specific resource or user quickly. You may also sort and filter the results using the following filters:
- Reason for Access
- Granted By
- Access Type
- Last Accessed
- Type (resource type)
Download CSV
The Download CSV button allows you to export entitlements data in CSV format. You can export either all rows of data or only filtered rows shown on the Entitlements tab. The fields present in the downloaded CSV file are the same as the fields for the user view of entitlements or the resource view of entitlements.
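The CSV export and the Remove role review above fit together naturally: an admin can export the Entitlements tab and script the review instead of reading it row by row. The following is an added example, not StrongDM code and not a real export; the CSV sample is constructed here with the field names documented for the user view, and the timestamp format is assumed from the example values in the table (for instance "Mar 16, 2025 1:45 PM"). It flags permanent (role-based) entitlements that were never used or have been idle beyond a threshold, which are the candidates the page suggests for removing a role, and reports where each temporary grant stands relative to its Access From and Access Until window.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a CSV export with the fields documented for the
# user view of the Entitlements tab. Not a real StrongDM export.
SAMPLE_CSV = """Name,Type,Hostname,Access Type,Reason for Access,Granted By,Access From,Access Until,Last Accessed,Mapped Identities
prod-redis,Redis,redis.example.com,Permanent,Role,Platform Role,,,"Mar 16, 2025 1:45 PM",alice-glick
legacy-db,Postgres,db-legacy.example.com,Permanent,Role,Data Role,,,"Nov 2, 2024 9:10 AM",alice
build-host,SSH,build.example.com,Permanent,Role,CI Role,,,,alice
incident-box,SSH,ir.example.com,Temporary,Admin assignment,Admin,"Mar 8, 2025 11:15 AM","Mar 12, 2025 12:00 PM","Mar 9, 2025 3:00 PM",root
"""

# Assumed timestamp layout, taken from the example values on the page.
TIMESTAMP_FORMAT = "%b %d, %Y %I:%M %p"


def parse_timestamp(value):
    """Return a datetime for a non-empty timestamp cell, or None for blank."""
    value = value.strip()
    return datetime.strptime(value, TIMESTAMP_FORMAT) if value else None


def load_entitlements(csv_text):
    """Parse the export into a list of dicts keyed by the column headers."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def stale_standing_access(rows, now, max_idle_days=90):
    """Permanent entitlements that were never used, or not used within
    max_idle_days. Returns (resource name, granting role, reason) tuples,
    the rows an admin would review before clicking Remove role."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in rows:
        if row["Access Type"] != "Permanent":
            continue
        last = parse_timestamp(row["Last Accessed"])
        if last is None:
            findings.append((row["Name"], row["Granted By"], "never accessed"))
        elif last < cutoff:
            findings.append((row["Name"], row["Granted By"],
                             "idle since " + row["Last Accessed"].strip()))
    return findings


def temporary_access_status(rows, now):
    """Map each temporary grant to 'pending', 'active' or 'expired' based on
    its Access From / Access Until window relative to now."""
    status = {}
    for row in rows:
        if row["Access Type"] != "Temporary":
            continue
        start = parse_timestamp(row["Access From"])
        end = parse_timestamp(row["Access Until"])
        if start is not None and now < start:
            status[row["Name"]] = "pending"
        elif end is not None and now >= end:
            status[row["Name"]] = "expired"
        else:
            status[row["Name"]] = "active"
    return status


if __name__ == "__main__":
    rows = load_entitlements(SAMPLE_CSV)
    review_time = datetime(2025, 3, 20, 9, 0)
    for name, role, why in stale_standing_access(rows, review_time):
        print(f"review role '{role}' for {name}: {why}")
    print(temporary_access_status(rows, review_time))
```

The 90-day idle threshold is a placeholder; pick one that matches your own access-review cadence. Because the resource view exports the same fields with a user name in the Name column, the same functions work on a per-resource export to list which users of one resource have gone idle.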
Add temporary access
The Add temporary access button allows you to grant the selected user temporary access to a specific resource for any duration. The duration is the amount of time that the user will have access to the resource, in minutes, hours, or days. The duration settings let you set the time zone, date range, and the amount of time (30 minutes, 1 hour, 4 hours, until 5pm, until tomorrow, until end of week, or custom) before the access expires.
Additional Information
Reason for access
The only valid reasons for access are role assignment, admin assignment, or access workflows. Note that a policy by itself cannot grant or revoke an entitlement, and policies in the policy editor do not affect the set of resources shown in entitlements.
For example, if you have a policy statement such as the following, that policy won’t, by itself, grant every user access to connect to every resource. Users still need role membership or an access grant to be able to connect.
permit (
principal,
action == StrongDM::Action::"connect",
resource
);
Similarly, the following policy statement prevents users from connecting to resources, but it won’t cause entitlements to be removed from the entitlements view.
forbid (
principal,
action == StrongDM::Action::"connect",
resource
);
See the StrongDM documentation to learn more about how to set up users and resources in StrongDM.