Reports
Last modified on September 23, 2024
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
StrongDM Reports offer rich dashboards providing in-depth analysis of access grants to resources, organization posture and risks, and more. These dashboards can help StrongDM administrators and auditors ensure compliance and detect potential issues. This article describes the reporting dashboards available in the Admin UI.
All Dashboards
Dashboards may be viewed by users with the Administrator or Auditor permission level.
To view dashboards, log in to the Admin UI, and select Reports from the main navigation.
The All reports tab displays all dashboards currently available to your organization:
Click on a dashboard card to view its contents. For each dashboard, you can do the following:
- View all metrics specific to the dashboard.
- Display data based on a specified date range.
- Download data as a CSV or PDF file.
- Schedule delivery of the dashboard report to a specified destination at a later time, in a variety of formats (PDF, zipped CSV, PNG).
- Search the data in your dashboards by manipulating the filters, or click into specific items in widgets to filter the displayed information further.
Dashboard Options
At the top right of any dashboard are several options:
- Reload: Causes the dashboard to reload data from the cache
- Hide filters: Hides any filters shown on the page
- Dashboard actions: Presents options to clear the cache and refresh dashboard data, download dashboard data, schedule future delivery of the dashboard data to a specified destination, and reset filters shown on the page
Clear cache and refresh
Metrics for all dashboards are refreshed throughout the day. The time of the last refresh is given at the top right of the page (for example, “3m ago”). The Clear cache and refresh dashboard action allows you to retrieve the latest data and refresh the dashboard.
Download
You may view dashboards in the Admin UI, or you may download their data in CSV or PDF format. To download dashboard data, click Dashboard actions and select Download.
Schedule delivery
If you wish to receive dashboard data at a later time, you may schedule it to be delivered to a specified destination (email, webhook, Amazon S3, SFTP), at a specified frequency (for example, now, daily, weekly, monthly, every last day of the month, and so forth), and in a specified format (CSV zip file, PDF, PNG). Schedule delivery in Dashboard actions > Schedule Delivery > Settings tab. Delivery via email requires the email address that is entered to be the email address set for your StrongDM user account.
The Filters tab is where you can change the filters of the dashboard to be downloaded. For example, you can set the dashboard to include data from the last week only, instead of the default 90 days.
The Advanced options tab presents even more customization options. Advanced options include the following:
- Custom Message: Enter any message to be included in the body of the email, if email is the selected destination.
- Include links: Select the checkbox to include links.
- Expand tables to show all rows: Some dashboards may limit the number of rows of data that can be downloaded. This option allows all rows to be shown in a downloaded dashboard.
- Arrange dashboard tiles in a single column: Select the checkbox to arrange dashboard tiles in a single column in the downloaded dashboard.
- Delivery timezone: Select the desired timezone for the delivered dashboard.
Search and Filter
The Search field embedded into dashboard cards allows you to find and display specific data, such as the name of a user accessing a resource, a specific resource type, or a tag. You can enter any text or string into the Search field.
Similarly, filters allow you to display specific data, such as for date or temporary grants. Every active filter is presented at the top of each dashboard. When set, the filters are encoded into the dashboard’s URL (for example, https://app.strongdm.com/app/reports/all-reports/dashboard/auditor?Date=7+day), enabling you to share or bookmark your filter configuration.
To clear filters, click the Dashboard actions icon at the top right of the dashboard, and select Reset filters.
Metric Alerts
When viewing a dashboard, you can set email alerts for any individual widget. To do so, click the Alerts icon (shaped like a bell) next to the action menu in the top right of the widget. It appears upon hover.
Fill in the criteria you wish to be alerted on, set the frequency, and save the alert.
reports@strongdm.com. The email may not indicate the dashboard from which you requested the alert. You will need to remember which dashboard and which widget you have set the alerts on, so that if you wish to edit or remove the alert, you may do so via the same action menu.Sensitive Resource Settings
The Sensitive Resource Settings tab is where you define which resources are considered sensitive. You can use either a resource tag or resource name or substring to define a sensitive resource. After saving your sensitive resource configuration, any dashboard that you view filters resources based on your tag or substring value setting.
What is a sensitive resource?
A resource may be considered sensitive if it hosts, stores, or transmits sensitive data. Sensitive data is information that is stored, processed, or managed by an individual or organization; it is information is confidential and only accessible to authorized users with proper permission, privileges, or clearance to view it.
Some examples of sensitive data include financial information, protected health information (PHI), credential data, customer information, trade information, proprietary information, government information, and certain types of personally identifiable information (for example, social security numbers and bank account numbers).
Because hosting, storing, or transmitting sensitive data can pose considerable security and legal risks to any organization, it’s important to identify which resources contain it, to establish criteria for what qualifies as sensitive data, to determine all the users who have access to it, and lastly, to know which users are accessing sensitive resources and when.
StrongDM already helps organizations maintain sensitive data protection through privileged access control to sensitive information systems and careful management of user authentication processes. StrongDM, however, does not know what is on your resources or how you classify them. It is up to you to identify sensitive resources. Reports provide the tools that enable you to specify which of your organization’s resources are considered sensitive.
Designate sensitive resources by resource tag
When designating sensitive resources by resource tag, enter your desired tag in the format <KEY>=<VALUE> (for example, sensitive=true). The value is optional and may be left empty. You may enter up to five tags, and if a resource has any of the specified tags, it is designated as sensitive.
Tag details
- Maximum key length: 128 UTF-8 characters
- Maximum value length: 256 UTF-8 characters
- Maximum 50 tags per entity
- Allowed characters: letters, numbers, and spaces representable in UTF-8, and the following characters:
+ - = . _ : / @ - Case-sensitive:
team=StrongDMis different fromteam=strongdm - An entity can only have one value of a key at a time (for example, if you have two tags,
sensitive=yesandsensitive=no, you can only assign one of them to a resource).
Designate sensitive resources by resource name substring
When designating sensitive resources by resource name substring, enter any substring value (for example, mysql-02-sensitive or Postgres-exampleapp-4). The system checks for this value in all resource names and displays the matched resources in dashboards.
Access Workflows
The Access Workflows dashboard provides a summary of how temporary access granted by Access Workflows is being used in the organization.
With the Access Workflows dashboard, StrongDM admins can:
- View a summary of active access grants and access requests.
- Filter results based on status (pending, expired, denied, or revoked) of access grants or access requests.
- Filter results to show access grants approved by a particular approver.
- Filter results to show only grants that are active or inactive.
- Audit all requests made by a user or for a resource or workflow.
- Select a time range of up to 13 months for review.
- Export data in the format that works for your organization.
The following Access Workflows metrics are available in exported dashboards.
| Metric name | Description | Example |
|---|---|---|
| Access Requests | Number of access requests | 100 |
| Active Grants | Number of active grants | 55 |
| Approver | Full name of the user who approved a request | Bob Belcher |
| Automatically Approved | Number of requests automatically approved | 50 |
| Denied | Number of denied requests | 0 |
| Expired | Number of expired requests | 0 |
| Expires | Date when access expires | 2023-12-31 |
| Full Name | First and last name of user | Bob Belcher |
| Granted By | Identifier of user who granted access | 2846044571232670840 |
| Grants | Number of access grants | 100 |
| Grants Ending Soon | Number of access grants expiring in 7 days | 0 |
| ID | Identifier of workflow | 1092327429073100416 |
| Inactive Grants | Number of inactive grants | 45 |
| Manually Approved | Number of manually approved requests | 23 |
| Name | Name | Web Staging |
| Pending | Number of pending requests | 0 |
| Requests | Number of access requests | 12 |
| Resource | Name of resource | Prod |
| Resource ID | Identifier of the resource | 669547882304912091 |
| Revoked | Number of revoked requests | 1 |
| Status | Status of request (Approved, Denied, or Timed out) | Approved |
| Updated | Date when the request was updated | 2023-10-01 |
| User | Full name of the user | Alice Glick |
| Workflow | Name of workflow | RW Admin Workflow |
Auditor Insights
The Auditor Insights dashboard displays information about all the roles, users, resources, and tags in an environment. This information helps companies to run external audits and understand who has access to which resources.
With the Auditor Insights dashboard, StrongDM admins and auditors can:
- View the many relationships between roles, users, resources, and tags.
- View the roles assigned to a user or set of users.
- View the roles that grant access to a resource or set of resources.
- View the roles that grant access to resources with a tag or set of tags.
- View the resources that a user or set of users can access.
- View the users who have access to a resource or set of resources.
- Filter results for a specific time period.
- Filter results to show access information from temporary grants only.
- Filter results to show access information about sensitive resources only.
- Export data in the format that works for your organization to meet audit needs.
The following Auditor Insights metrics are available in exported dashboards.
| Metric name | Description | Example |
|---|---|---|
| ID | Resource ID, role ID, tag ID, or user ID | 5406577942789366843 |
| Name | Resource name or role name | Example |
| Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com |
| Key Value | Tag key and value | environment=development |
| Resources | Number of resources | 194 |
| Resources Count | Number of resources | 530 |
| Roles | Number of roles | 33 |
| Tags | Number of tags | 24 |
| Users | Number of users | 100 |
| Users Count | Number of users | 113 |
Executive Summary
The Executive Summary dashboard provides CISOs and security teams a high-level overview of security posture as it pertains to privileged access management. The dashboard shows how many users actually interact with the resources to which they have been granted access. Access grants, resources, users, and sessions are shown as numbers, while utilization of grants, resources, and users is shown as percentages. As an example, a high number of grants with a low resource utilization percentage could mean that users are overprovisioned for access.
With the Executive Summary dashboard, you can do the following:
- View summarized information about user and resource utilization and activity.
- Review utilization and activity trends over time in order to take corrective action, if needed.
- Select a time range of up to 13 months for review.
- Export data in the format that works for your organization.
The following Executive Summary metrics are available in exported dashboards.
| Metric name | Description | Example |
|---|---|---|
| Act Res | Number of active resources | 100 |
| Act User | Number of active users | 1,108 |
| Date | Date (YYYY-MM-DD) | 2023-08-13 |
| Grants | Number of access grants | 1,305 |
| Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them | 13% |
| Latest Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them as of the last refresh time | 80 |
| Latest Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them, as of the last refresh time | 56 |
| Latest User Utilization | Percentage of active users (users with a grant) that had a query associated with them, as of the last refresh time | 75 |
| Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them | 70% |
| Sessions | Number of sessions | 142 |
| User Utilization | Percentage of active users (users with a grant) that had a query associated with them | 85% |
Standing Access
The Standing Access dashboard provides information about how much time users have had access to resources. This information is useful for assessing security risks and determining which users actually need access to certain resources and whose access should be revoked.
The dashboard accurately reflects the amount of time (in days) a user has had access to a resource through any mechanism (such as roles). That amount of time is the user’s standing access.
Standing access is calculated as the number days of access multiplied by the number of access grants given to the user for a resource. For example, if user Bob has access to one resource through one role for five days, Bob’s standing access for that resource is calculated as 1 role multiplied by 5 days, for a total of 5 days of standing access. If Bob has access to that same resource through 2 roles, the dashboard shows that Bob has 10 days of standing access.
Standing access is simply how much access a user has to a resource, and it is unrelated to usage. Let’s say, for example, that the dashboard shows that Bob has had access to MySQL for 900 days, but Bob has had zero sessions with that resource. Based on that information, an admin may determine that Bob’s access should be revoked because Bob has not used it.
One way to revoke access to a resource is to view the Standing Access dashboard, and find the names of the resources that are not being used. Then, go to the Auditor Insights dashboard, and filter by those resources to know which roles grant access to them. The admin may then remove the user from those roles.
With the Standing Access dashboard, StrongDM admins can view:
- Statistics for each resource
- Cumulative standing access for all users
- Longest standing access for a single user
- Average standing access for all users
- Number of sessions per resource
The following Standing Access metrics are available in exported dashboards.
| Metric name | Description | Example |
|---|---|---|
| Cumulative Standing Access | Cumulative number of days of standing access to the resource | 56 |
| Datasource ID | Identifier of the datasource | 5841011655724994212 |
| Datasource Name | Name of the datasource | Dev-admin |
| Role ID | Identifier of the role | 325179178271965946 |
| Role Name | Name of the role that grants access to the resource | Super Admin |
| Session Count | Number of sessions | 300 |
| Tags ID | Identifier for tag | 1143611 |
| Tags Namevalue | Tag key and value | Environment=Production |
| Users ID | Identifier of the user | 925244649940379957 |
| Users Name | First and last name of user | Bob Belcher |
User Activity
The User Activity dashboard provides details about user sessions.
With the User Activity dashboard, StrongDM admins can:
- Get an at-a-glance view of sessions within StrongDM.
- Find problematic sessions based on concurrency and length of sessions.
- Filter results by user, resources, and tags to review specific session activities.
- Filter results to show queries for sensitive resources only.
- Select a time range of up to 13 months for review.
- Export data in the format that works for your organization.
The following User Activity metrics are available in exported dashboards.
| Metric name | Description | Example |
|---|---|---|
| Datasource ID | Identifier of the datasource | 5841011655724994212 |
| End Time | End date and time of the session | 2023-11-02 23:59:59 |
| Full Name | First and last name of user | Bob Belcher |
| ID | Identifier of resource | 1092327429073100416 |
| Length (seconds) | Duration of session in seconds | 109 |
| Name | Name of resource | Web Staging |
| Resource | Name of resource | Prod |
| Resources | Number of resources | 194 |
| Sensitive Resources | Number of sensitive resources accessed | 101 |
| Sensitive Session | Indicates whether the session is for a sensitive resource (true) or a non-sensitive resource (false) | true |
| Sensitive Sessions | Number of sessions in which sensitive resources were being accessed | 2 |
| Session Begin | Date and time when the user session started | 2023-10-31 22:01:53 |
| Session End | Date and time when the user session ended | 2023-10-31 21:36:33,25 |
| Session Length | Duration of session in seconds | 109 |
| Sessions | Number of sessions | 142 |
| Start Time | Start date and time of the session | 2023-10-04 12:22:04 |
| Tags ID | Identifier for tag | 1143611 |
| Tags Key Value | Tag key and value | Environment=Production |
| User | Full name of the user | Alice Glick |
| Users | Number of users | 100 |
| Users ID | Identifier of the user | 925244649940379957 |
| Users Name Email | Full name and email address of the user | Bob Belcher -- bob.belcher@strongdm.com |
All Metrics
The following table describes all metrics found in exported dashboards.
| Metric name | Description | Example | Dashboard(s) |
|---|---|---|---|
| Access Requests | Number of access requests | 100 | Access Workflows |
| Active Grants | Number of active grants | 55 | Access Workflows |
| Act Res | Number of active resources | 100 | Executive Summary |
| Act User | Number of active users | 1,108 | Executive Summary |
| Approver | Full name of the user who approved a request | Bob Belcher | Access Workflows |
| Automatically Approved | Number of requests automatically approved | 50 | Access Workflows |
| Cumulative Standing Access | Number of users who have standing access to the resource | 56 | Standing Access |
| Datasource ID | Identifier of the datasource | 5841011655724994212 | Standing Access, User Activity |
| Datasource Name | Name of the datasource | Dev-admin | Standing Access |
| Date | Date (YYYY-MM-DD) | 2023-08-13 | Executive Summary |
| Denied | Number of denied requests | 0 | Access Workflows |
| End Time | End date and time of the session | 2023-11-02 23:59:59 | User Activity |
| Expires | Date when access expires | 2023-12-31 | Access Workflows |
| Full Name | First and last name of user | Bob Belcher | Access Workflows, User Activity |
| Expired | Number of expired requests | 0 | Access Workflows |
| Granted By | Identifier of user who granted access | 2846044571232670840 | Access Workflows |
| Grants | Number of access grants | 1,305 | Access Workflows, Executive Summary |
| Grants Ending Soon | Number of access grants expiring in 7 days | 0 | Access Workflows |
| Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them | 13% | Executive Summary |
| ID | Identifier of resource, role, tag, user, or workflow | 1092327429073100416 | Access Workflows, Auditor Insights, User Activity |
| Inactive Grants | Number of inactive grants | 45 | Access Workflows |
| Key Value | Tag key and value | environment=development | Auditor Insights |
| Latest Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them as of the last refresh time | 80 | Executive Summary |
| Latest Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them, as of the last refresh time | 56 | Executive Summary |
| Latest User Utilization | Percentage of active users (users with a grant) that had a query associated with them, as of the last refresh time | 75 | Executive Summary |
| Length (seconds) | Duration of session in seconds | 109 | User Activity |
| Manually Approved | Number of manually approved requests | 23 | Access Workflows |
| Name | Name of resource, role, or workflow | Web Staging | Access Workflows, Auditor Insights, User Activity |
| Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com | Auditor Insights |
| Not Unutilized Resources | Number of unutilized resources | 100 | Auditor Insights |
| Pending | Number of pending requests | 0 | Access Workflows |
| Requests | Number of access requests | 12 | Access Workflows |
| Resource | Name of resource | Prod | Access Workflows, User Activity |
| Resource ID | Identifier of the resource | 669547882304912091 | Access Workflows |
| Resources | Number of resources | 194 | Auditor Insights, User Activity |
| Resources Count | Number of resources | 530 | Auditor Insights |
| Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them | 70% | Executive Summary |
| Revoked | Number of revoked requests | 1 | Access Workflows |
| Role ID | Identifier of the role | 325179178271965946 | Standing Access |
| Role Name | Name of the role that grants access to the resource | Super Admin | Standing Access |
| Roles | Number of roles | 33 | Auditor Insights |
| Sensitive Resources | Number of sensitive resources accessed | 101 | User Activity |
| Sensitive Session | Indicates whether the session is for a sensitive resource (true) or a non-sensitive resource (false) | true | User Activity |
| Sensitive Sessions | Number of sessions in which sensitive resources were being accessed | 2 | User Activity |
| Session Begin | Date and time when the user session started | 2023-10-31 22:01:53 | User Activity |
| Session Count | Number of sessions | 300 | Standing Access |
| Session End | Date and time when the user session ended | 2023-10-31 21:36:33,25 | User Activity |
| Session Length | Duration of session in seconds | 109 | User Activity |
| Sessions | Number of sessions | 142 | Executive Summary, User Activity |
| Start Time | Start date and time of the session | 2023-10-04 12:22:04 | User Activity |
| Status | Status of request | Approved | Access Workflows |
| Tags | Number of tags | 24 | Auditor Insights |
| Tags ID | Identifier for tag | 1143611 | Standing Access, User Activity |
| Tags Key Value | Tag key and value | Environment=Production | User Activity |
| Tags Namevalue | Tag key and value | Environment=Production | Standing Access |
| Updated | Date when the request was updated | 2023-10-01 | Access Workflows |
| User | Full name of the user | Alice Glick | Access Workflows, User Activity |
| Users | Number of users | 100 | Auditor Insights |
| Users Count | Number of users | 113 | Auditor Insights |
| Users ID | Identifier of the user | 925244649940379957 | Standing Access, User Activity |
| Users Name | First and last name of user | Bob Belcher | Standing Access |
| Users Name Email | Full name and email address of the user | Bob Belcher -- bob.belcher@strongdm.com | User Activity |
| User Utilization | Percentage of active users (users with a grant) that had a query associated with them | 85% | Executive Summary |
| Workflow | Name of workflow | RW Admin Workflow | Access Workflows |