Entitlements Visibility
Last modified on July 2, 2025
This feature is currently in closed-access beta. Functionality and documentation may change. Contact StrongDM for more information.
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
Overview
The StrongDM Admin UI provides admins with a comprehensive view of all entitlements that exist for a user. Entitlements visibility enables admins to know who has access to which resources and why at any given point in time.
Entitlements for users are listed per user in the Principals > Users section of the Admin UI, in a new tab called Entitlements. Similarly, entitlements for resources are listed for every resource on the Entitlements tab.
The Entitlements tab helps admins to easily identify entitlements that exist in StrongDM. By having access to user and resource entitlements, the admin can review, audit, and make access decisions confidently. It helps to reduce the risk of over-provisioning and having compliance gaps.
Use Cases
Common use cases for using entitlements visibility include the following:
- User entitlements insight: Admins want to see a breakdown of a user’s entitlements across resources, including access type, source, and last-accessed timestamps.
- Resource entitlements insight: Admins want to see a list of users that have access to a specific resource and why they have access.
User View of Entitlements
To view a user’s entitlements in the Admin UI, go to Principals > Users. Select the user and click on the Entitlements tab. A table displays all the resources that the selected user is entitled to access, with the following fields:
- Name: Resource name
- Hostname: Resource hostname
- Type: Resource type
- Reason for Access: How access was granted to the user (for example, role assignment, admin assignment, access workflows, or policy)
- Access via: Details on what (for example, role, access workflow, or policy) gave access
- Access Duration: How long the user has access (for example, 4 hrs, 2 days); in the case of permanent access, this field is empty
- Access From: Start timestamp of the access grant (for example, “Mar 8, 2025 11:15 AM 10:45 am”)
- Access Until: End timestamp of the access grant (for example, “Mar 12, 2025 12:00 PM”); in the case of permanent access, this field is empty
- Access Type: Type of access, either permanent or temporary
- Last Accessed: Last accessed timestamp (for example, “Mar 16, 2025 1:45 PM”); this field is empty if the user never accessed the resource
Resource View Entitlements
To view all entitlements for a resource in the Admin UI, go to Resources, select the resource type (for example, Servers), and select the desired resource to view. Click on the Entitlements tab to view a table of all the users that are entitled to access the resource. The table has the following fields:
- Name: User name
- Type: User type (user or service account)
- Reason for Access: How access was granted to the user (for example, role assignment, admin assignment, access workflows, or policy)
- Granted By: Role name, if the reason for access is a role
- Access From: Start timestamp of the access grant (for example, “Mar 8, 2025 11:15 AM 10:45 am”)
- Access Until: End timestamp of the access grant (for example, “Mar 12, 2025 12:00 PM”); in the case of permanent access, this field is empty
- Access Type: Type of access, either permanent or temporary
- Last Accessed: Last accessed timestamp (for example, “Mar 16, 2025 1:45 PM”); this field is empty if the user never accessed the resource
Entitlements Options
This section describes the options available on the Entitlements tab for both users and resources.
Remove role
The Remove role button provides the option to remove a user from the role that gives access the given resource. Some common reasons to remove a user from a role include when the user has never accessed the resource they are entitled to access, or the last time they accessed it was a long time ago.
To remove the user from a role, click Remove role and then confirm. Once you confirm, the user is removed and they no longer have access to the resource.
Search, filter, and sort
You may use the Search bar to find a specific resource or user quickly, as well as sort the results by name and filter the results by resource type or access type (permanent or temporary).
Add temporary access
The Add temporary access button allows you to grant the selected user temporary access to a specific resource for any duration. The duration is the amount of time that the user will have access to the resource, in minutes, hours, or days. The duration settings let you set the time zone, date range, and the amount of time (30 minutes, 1 hour, 4 hours, until 5pm, until tomorrow, until end of week, or custom) before the access expires.
Additional Information
See the StrongDM documentation to learn more about how to set up users and resources in StrongDM.