Reports

Last modified on September 23, 2024

StrongDM Reports offer rich dashboards providing in-depth analysis of access grants to resources, organization posture and risks, and more. These dashboards can help StrongDM administrators and auditors ensure compliance and detect potential issues. This article describes the reporting dashboards available in the Admin UI.

All Dashboards

Dashboards may be viewed by users with the Administrator or Auditor permission level.

To view dashboards, log in to the Admin UI, and select Reports from the main navigation.

The All reports tab displays all dashboards currently available to your organization:

Click on a dashboard card to view its contents. For each dashboard, you can do the following:

  • View all metrics specific to the dashboard.
  • Display data based on a specified date range.
  • Download data as a CSV or PDF file.
  • Schedule delivery of the dashboard report to a specified destination at a later time, in a variety of formats (PDF, zipped CSV, PNG).
  • Search the data in your dashboards by manipulating the filters, or click into specific items in widgets to filter the displayed information further.
Admin UI Reports
Admin UI Reports

Dashboard Options

At the top right of any dashboard are several options:

  • Reload: Causes the dashboard to reload data from the cache
  • Hide filters: Hides any filters shown on the page
  • Dashboard actions: Presents options to clear the cache and refresh dashboard data, download dashboard data, schedule future delivery of the dashboard data to a specified destination, and reset filters shown on the page
Dashboard Actions
Dashboard Actions

Clear cache and refresh

Metrics for all dashboards are refreshed throughout the day. The time of the last refresh is given at the top right of the page (for example, “3m ago”). The Clear cache and refresh dashboard action allows you to retrieve the latest data and refresh the dashboard.

Download

You may view dashboards in the Admin UI, or you may download their data in CSV or PDF format. To download dashboard data, click Dashboard actions and select Download.

Schedule delivery

If you wish to receive dashboard data at a later time, you may schedule it to be delivered to a specified destination (email, webhook, Amazon S3, SFTP), at a specified frequency (for example, now, daily, weekly, monthly, every last day of the month, and so forth), and in a specified format (CSV zip file, PDF, PNG). Schedule delivery in Dashboard actions > Schedule Delivery > Settings tab. Delivery via email requires the email address that is entered to be the email address set for your StrongDM user account.

Dashboard Actions > Schedule Delivery
Dashboard Actions > Schedule Delivery

The Filters tab is where you can change the filters of the dashboard to be downloaded. For example, you can set the dashboard to include data from the last week only, instead of the default 90 days.

Dashboard Actions > Schedule Delivery > Filters
Dashboard Actions > Schedule Delivery > Filters

The Advanced options tab presents even more customization options. Advanced options include the following:

  • Custom Message: Enter any message to be included in the body of the email, if email is the selected destination.
  • Include links: Select the checkbox to include links.
  • Expand tables to show all rows: Some dashboards may limit the number of rows of data that can be downloaded. This option allows all rows to be shown in a downloaded dashboard.
  • Arrange dashboard tiles in a single column: Select the checkbox to arrange dashboard tiles in a single column in the downloaded dashboard.
  • Delivery timezone: Select the desired timezone for the delivered dashboard.
Dashboard Actions > Schedule Delivery > Advanced Options
Dashboard Actions > Schedule Delivery > Advanced Options

Search and Filter

The Search field embedded into dashboard cards allows you to find and display specific data, such as the name of a user accessing a resource, a specific resource type, or a tag. You can enter any text or string into the Search field.

Similarly, filters allow you to display specific data, such as for date or temporary grants. Every active filter is presented at the top of each dashboard. When set, the filters are encoded into the dashboard’s URL (for example, https://app.strongdm.com/app/reports/all-reports/dashboard/auditor?Date=7+day), enabling you to share or bookmark your filter configuration.

To clear filters, click the Dashboard actions icon at the top right of the dashboard, and select Reset filters.

Metric Alerts

When viewing a dashboard, you can set email alerts for any individual widget. To do so, click the Alerts icon (shaped like a bell) next to the action menu in the top right of the widget. It appears upon hover.

Example of Dashboard Alerts Icon
Example of Dashboard Alerts Icon

Fill in the criteria you wish to be alerted on, set the frequency, and save the alert.

Alerts Settings Example
Alerts Settings Example

Sensitive Resource Settings

The Sensitive Resource Settings tab is where you define which resources are considered sensitive. You can use either a resource tag or resource name or substring to define a sensitive resource. After saving your sensitive resource configuration, any dashboard that you view filters resources based on your tag or substring value setting.

What is a sensitive resource?

A resource may be considered sensitive if it hosts, stores, or transmits sensitive data. Sensitive data is information that is stored, processed, or managed by an individual or organization; it is information is confidential and only accessible to authorized users with proper permission, privileges, or clearance to view it.

Some examples of sensitive data include financial information, protected health information (PHI), credential data, customer information, trade information, proprietary information, government information, and certain types of personally identifiable information (for example, social security numbers and bank account numbers).

Because hosting, storing, or transmitting sensitive data can pose considerable security and legal risks to any organization, it’s important to identify which resources contain it, to establish criteria for what qualifies as sensitive data, to determine all the users who have access to it, and lastly, to know which users are accessing sensitive resources and when.

StrongDM already helps organizations maintain sensitive data protection through privileged access control to sensitive information systems and careful management of user authentication processes. StrongDM, however, does not know what is on your resources or how you classify them. It is up to you to identify sensitive resources. Reports provide the tools that enable you to specify which of your organization’s resources are considered sensitive.

Designate sensitive resources by resource tag

When designating sensitive resources by resource tag, enter your desired tag in the format <KEY>=<VALUE> (for example, sensitive=true). The value is optional and may be left empty. You may enter up to five tags, and if a resource has any of the specified tags, it is designated as sensitive.

Tag details

  • Maximum key length: 128 UTF-8 characters
  • Maximum value length: 256 UTF-8 characters
  • Maximum 50 tags per entity
  • Allowed characters: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @
  • Case-sensitive: team=StrongDM is different from team=strongdm
  • An entity can only have one value of a key at a time (for example, if you have two tags, sensitive=yes and sensitive=no, you can only assign one of them to a resource).

Designate sensitive resources by resource name substring

When designating sensitive resources by resource name substring, enter any substring value (for example, mysql-02-sensitive or Postgres-exampleapp-4). The system checks for this value in all resource names and displays the matched resources in dashboards.

Designate Sensitive Resources With Resource Name Substring
Designate Sensitive Resources With Resource Name Substring

Access Workflows

The Access Workflows dashboard provides a summary of how temporary access granted by Access Workflows is being used in the organization.

With the Access Workflows dashboard, StrongDM admins can:

  • View a summary of active access grants and access requests.
  • Filter results based on status (pending, expired, denied, or revoked) of access grants or access requests.
  • Filter results to show access grants approved by a particular approver.
  • Filter results to show only grants that are active or inactive.
  • Audit all requests made by a user or for a resource or workflow.
  • Select a time range of up to 13 months for review.
  • Export data in the format that works for your organization.

The following Access Workflows metrics are available in exported dashboards.

Metric nameDescriptionExample
Access RequestsNumber of access requests100
Active GrantsNumber of active grants55
ApproverFull name of the user who approved a requestBob Belcher
Automatically ApprovedNumber of requests automatically approved50
DeniedNumber of denied requests0
ExpiredNumber of expired requests0
ExpiresDate when access expires2023-12-31
Full NameFirst and last name of userBob Belcher
Granted ByIdentifier of user who granted access2846044571232670840
GrantsNumber of access grants100
Grants Ending SoonNumber of access grants expiring in 7 days0
IDIdentifier of workflow1092327429073100416
Inactive GrantsNumber of inactive grants45
Manually ApprovedNumber of manually approved requests23
NameNameWeb Staging
PendingNumber of pending requests0
RequestsNumber of access requests12
ResourceName of resourceProd
Resource IDIdentifier of the resource669547882304912091
RevokedNumber of revoked requests1
StatusStatus of request (Approved, Denied, or Timed out)Approved
UpdatedDate when the request was updated2023-10-01
UserFull name of the userAlice Glick
WorkflowName of workflowRW Admin Workflow

Auditor Insights

The Auditor Insights dashboard displays information about all the roles, users, resources, and tags in an environment. This information helps companies to run external audits and understand who has access to which resources.

With the Auditor Insights dashboard, StrongDM admins and auditors can:

  • View the many relationships between roles, users, resources, and tags.
  • View the roles assigned to a user or set of users.
  • View the roles that grant access to a resource or set of resources.
  • View the roles that grant access to resources with a tag or set of tags.
  • View the resources that a user or set of users can access.
  • View the users who have access to a resource or set of resources.
  • Filter results for a specific time period.
  • Filter results to show access information from temporary grants only.
  • Filter results to show access information about sensitive resources only.
  • Export data in the format that works for your organization to meet audit needs.

The following Auditor Insights metrics are available in exported dashboards.

Metric nameDescriptionExample
IDResource ID, role ID, tag ID, or user ID5406577942789366843
NameResource name or role nameExample
Name EmailUser name (first and last) and user emailBob Belcher -- bob.belcher@strongdm.com
Key ValueTag key and valueenvironment=development
ResourcesNumber of resources194
Resources CountNumber of resources530
RolesNumber of roles33
TagsNumber of tags24
UsersNumber of users100
Users CountNumber of users113

Executive Summary

The Executive Summary dashboard provides CISOs and security teams a high-level overview of security posture as it pertains to privileged access management. The dashboard shows how many users actually interact with the resources to which they have been granted access. Access grants, resources, users, and sessions are shown as numbers, while utilization of grants, resources, and users is shown as percentages. As an example, a high number of grants with a low resource utilization percentage could mean that users are overprovisioned for access.

With the Executive Summary dashboard, you can do the following:

  • View summarized information about user and resource utilization and activity.
  • Review utilization and activity trends over time in order to take corrective action, if needed.
  • Select a time range of up to 13 months for review.
  • Export data in the format that works for your organization.

The following Executive Summary metrics are available in exported dashboards.

Metric nameDescriptionExample
Act ResNumber of active resources100
Act UserNumber of active users1,108
DateDate (YYYY-MM-DD)2023-08-13
GrantsNumber of access grants1,305
Grant UtilizationPercentage of all access grants (temporary and permanent) that had a query associated with them13%
Latest Grant UtilizationPercentage of all access grants (temporary and permanent) that had a query associated with them as of the last refresh time80
Latest Resource UtilizationPercentage of active resources (resources with a grant) that had a query associated with them, as of the last refresh time56
Latest User UtilizationPercentage of active users (users with a grant) that had a query associated with them, as of the last refresh time75
Resource UtilizationPercentage of active resources (resources with a grant) that had a query associated with them70%
SessionsNumber of sessions142
User UtilizationPercentage of active users (users with a grant) that had a query associated with them85%

Standing Access

The Standing Access dashboard provides information about how much time users have had access to resources. This information is useful for assessing security risks and determining which users actually need access to certain resources and whose access should be revoked.

The dashboard accurately reflects the amount of time (in days) a user has had access to a resource through any mechanism (such as roles). That amount of time is the user’s standing access.

Standing access is calculated as the number days of access multiplied by the number of access grants given to the user for a resource. For example, if user Bob has access to one resource through one role for five days, Bob’s standing access for that resource is calculated as 1 role multiplied by 5 days, for a total of 5 days of standing access. If Bob has access to that same resource through 2 roles, the dashboard shows that Bob has 10 days of standing access.

Standing access is simply how much access a user has to a resource, and it is unrelated to usage. Let’s say, for example, that the dashboard shows that Bob has had access to MySQL for 900 days, but Bob has had zero sessions with that resource. Based on that information, an admin may determine that Bob’s access should be revoked because Bob has not used it.

One way to revoke access to a resource is to view the Standing Access dashboard, and find the names of the resources that are not being used. Then, go to the Auditor Insights dashboard, and filter by those resources to know which roles grant access to them. The admin may then remove the user from those roles.

With the Standing Access dashboard, StrongDM admins can view:

  • Statistics for each resource
  • Cumulative standing access for all users
  • Longest standing access for a single user
  • Average standing access for all users
  • Number of sessions per resource

The following Standing Access metrics are available in exported dashboards.

Metric nameDescriptionExample
Cumulative Standing AccessCumulative number of days of standing access to the resource56
Datasource IDIdentifier of the datasource5841011655724994212
Datasource NameName of the datasourceDev-admin
Role IDIdentifier of the role325179178271965946
Role NameName of the role that grants access to the resourceSuper Admin
Session CountNumber of sessions300
Tags IDIdentifier for tag1143611
Tags NamevalueTag key and valueEnvironment=Production
Users IDIdentifier of the user925244649940379957
Users NameFirst and last name of userBob Belcher

User Activity

The User Activity dashboard provides details about user sessions.

With the User Activity dashboard, StrongDM admins can:

  • Get an at-a-glance view of sessions within StrongDM.
  • Find problematic sessions based on concurrency and length of sessions.
  • Filter results by user, resources, and tags to review specific session activities.
  • Filter results to show queries for sensitive resources only.
  • Select a time range of up to 13 months for review.
  • Export data in the format that works for your organization.

The following User Activity metrics are available in exported dashboards.

Metric nameDescriptionExample
Datasource IDIdentifier of the datasource5841011655724994212
End TimeEnd date and time of the session2023-11-02 23:59:59
Full NameFirst and last name of userBob Belcher
IDIdentifier of resource1092327429073100416
Length (seconds)Duration of session in seconds109
NameName of resourceWeb Staging
ResourceName of resourceProd
ResourcesNumber of resources194
Sensitive ResourcesNumber of sensitive resources accessed101
Sensitive SessionIndicates whether the session is for a sensitive resource (true) or a non-sensitive resource (false)true
Sensitive SessionsNumber of sessions in which sensitive resources were being accessed2
Session BeginDate and time when the user session started2023-10-31 22:01:53
Session EndDate and time when the user session ended2023-10-31 21:36:33,25
Session LengthDuration of session in seconds109
SessionsNumber of sessions142
Start TimeStart date and time of the session2023-10-04 12:22:04
Tags IDIdentifier for tag1143611
Tags Key ValueTag key and valueEnvironment=Production
UserFull name of the userAlice Glick
UsersNumber of users100
Users IDIdentifier of the user925244649940379957
Users Name EmailFull name and email address of the userBob Belcher -- bob.belcher@strongdm.com

All Metrics

The following table describes all metrics found in exported dashboards.

Metric nameDescriptionExampleDashboard(s)
Access RequestsNumber of access requests100Access Workflows
Active GrantsNumber of active grants55Access Workflows
Act ResNumber of active resources100Executive Summary
Act UserNumber of active users1,108Executive Summary
ApproverFull name of the user who approved a requestBob BelcherAccess Workflows
Automatically ApprovedNumber of requests automatically approved50Access Workflows
Cumulative Standing AccessNumber of users who have standing access to the resource56Standing Access
Datasource IDIdentifier of the datasource5841011655724994212Standing Access, User Activity
Datasource NameName of the datasourceDev-adminStanding Access
DateDate (YYYY-MM-DD)2023-08-13Executive Summary
DeniedNumber of denied requests0Access Workflows
End TimeEnd date and time of the session2023-11-02 23:59:59User Activity
ExpiresDate when access expires2023-12-31Access Workflows
Full NameFirst and last name of userBob BelcherAccess Workflows, User Activity
ExpiredNumber of expired requests0Access Workflows
Granted ByIdentifier of user who granted access2846044571232670840Access Workflows
GrantsNumber of access grants1,305Access Workflows, Executive Summary
Grants Ending SoonNumber of access grants expiring in 7 days0Access Workflows
Grant UtilizationPercentage of all access grants (temporary and permanent) that had a query associated with them13%Executive Summary
IDIdentifier of resource, role, tag, user, or workflow1092327429073100416Access Workflows, Auditor Insights, User Activity
Inactive GrantsNumber of inactive grants45Access Workflows
Key ValueTag key and valueenvironment=developmentAuditor Insights
Latest Grant UtilizationPercentage of all access grants (temporary and permanent) that had a query associated with them as of the last refresh time80Executive Summary
Latest Resource UtilizationPercentage of active resources (resources with a grant) that had a query associated with them, as of the last refresh time56Executive Summary
Latest User UtilizationPercentage of active users (users with a grant) that had a query associated with them, as of the last refresh time75Executive Summary
Length (seconds)Duration of session in seconds109User Activity
Manually ApprovedNumber of manually approved requests23Access Workflows
NameName of resource, role, or workflowWeb StagingAccess Workflows, Auditor Insights, User Activity
Name EmailUser name (first and last) and user emailBob Belcher -- bob.belcher@strongdm.comAuditor Insights
Not Unutilized ResourcesNumber of unutilized resources100Auditor Insights
PendingNumber of pending requests0Access Workflows
RequestsNumber of access requests12Access Workflows
ResourceName of resourceProdAccess Workflows, User Activity
Resource IDIdentifier of the resource669547882304912091Access Workflows
ResourcesNumber of resources194Auditor Insights, User Activity
Resources CountNumber of resources530Auditor Insights
Resource UtilizationPercentage of active resources (resources with a grant) that had a query associated with them70%Executive Summary
RevokedNumber of revoked requests1Access Workflows
Role IDIdentifier of the role325179178271965946Standing Access
Role NameName of the role that grants access to the resourceSuper AdminStanding Access
RolesNumber of roles33Auditor Insights
Sensitive ResourcesNumber of sensitive resources accessed101User Activity
Sensitive SessionIndicates whether the session is for a sensitive resource (true) or a non-sensitive resource (false)trueUser Activity
Sensitive SessionsNumber of sessions in which sensitive resources were being accessed2User Activity
Session BeginDate and time when the user session started2023-10-31 22:01:53User Activity
Session CountNumber of sessions300Standing Access
Session EndDate and time when the user session ended2023-10-31 21:36:33,25User Activity
Session LengthDuration of session in seconds109User Activity
SessionsNumber of sessions142Executive Summary, User Activity
Start TimeStart date and time of the session2023-10-04 12:22:04User Activity
StatusStatus of requestApprovedAccess Workflows
TagsNumber of tags24Auditor Insights
Tags IDIdentifier for tag1143611Standing Access, User Activity
Tags Key ValueTag key and valueEnvironment=ProductionUser Activity
Tags NamevalueTag key and valueEnvironment=ProductionStanding Access
UpdatedDate when the request was updated2023-10-01Access Workflows
UserFull name of the userAlice GlickAccess Workflows, User Activity
UsersNumber of users100Auditor Insights
Users CountNumber of users113Auditor Insights
Users IDIdentifier of the user925244649940379957Standing Access, User Activity
Users NameFirst and last name of userBob BelcherStanding Access
Users Name EmailFull name and email address of the userBob Belcher -- bob.belcher@strongdm.comUser Activity
User UtilizationPercentage of active users (users with a grant) that had a query associated with them85%Executive Summary
WorkflowName of workflowRW Admin WorkflowAccess Workflows
Top