Reports Beta

Last modified on August 27, 2024

The Reports Library offers rich dashboards providing in-depth analysis of access grants to resources, organization posture and risks, and more. These dashboards can help StrongDM administrators and auditors ensure compliance and detect potential issues. This article describes the dashboards available in the Reports Library.

All Dashboards

Dashboards may be viewed by users with the Administrator or Auditor permission level.

To view dashboards, log in to the Admin UI, and select Reports Library from the main navigation.

The All reports tab displays all dashboards currently available to your organization:

Click on a dashboard card to view its contents. For each dashboard, you can do the following:

  • View all metrics specific to the dashboard.
  • Display data based on a specified date range.
  • Search the data in your dashboards by manipulating the filters, or click into specific items in widgets to filter the displayed information further.

Search and Filter

The Search field embedded into dashboard cards allows you to find and display specific data, such as the name of a user accessing a resource, a specific resource type, or a tag. You can enter any text or string into the Search field.

Similarly, filters allow you to display specific data, such as for date or temporary grants. Every active filter is presented at the top of each dashboard. You can select filters from multiple dashboard cards to narrow results even further.

Filter Selection

When set, the filters are encoded into the dashboard’s URL (for example, https://app.strongdm.com/app/reports-library/reports/dashboard/auditor?Date=7+day), enabling you to share or bookmark your filter configuration.

Sensitive Resource Settings

The Sensitive Resource Settings tab is where you define which resources are considered sensitive. You can define a sensitive resource by either a resource tag or a resource name or substring of a name. After you save your sensitive resource configuration, every dashboard that you view filters resources based on your tag or substring value setting.

What is a sensitive resource?

A resource may be considered sensitive if it hosts, stores, or transmits sensitive data. Sensitive data is information that is stored, processed, or managed by an individual or organization; it is information that is confidential and only accessible to authorized users with proper permission, privileges, or clearance to view it.

Some examples of sensitive data include financial information, protected health information (PHI), credential data, customer information, trade information, proprietary information, government information, and certain types of personally identifiable information (for example, Social Security numbers and bank account numbers).

Because hosting, storing, or transmitting sensitive data can pose considerable security and legal risks to any organization, it’s important to determine criteria for what sensitive data is, identify resources that have it, determine which users can access it (via those resources), and know which users are actually accessing sensitive resources and when.

StrongDM already helps organizations maintain sensitive data protection through privileged access control to sensitive information systems and careful management of user authentication processes. StrongDM, however, does not know what is on your resources or how you classify them. It is up to you to identify sensitive resources. The Reports Library provides the tools that enable you to specify which of your organization’s resources are considered sensitive.

Designate sensitive resources by resource tag

When designating sensitive resources by resource tag, enter your desired tag in the format <KEY>=<VALUE> (for example, sensitive=true). The value is optional and may be left empty (for example, sensitive=). You may enter up to five tags, and if a resource has any of the specified tags, it is designated as sensitive.

Tag details

  • Maximum key length: 128 UTF-8 characters
  • Maximum value length: 256 UTF-8 characters
  • Maximum 50 tags per entity
  • Allowed characters: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @
  • Case-sensitive: team=StrongDM is different from team=strongdm
  • An entity can only have one value of a key at a time (for example, if you have two tags, sensitive=yes and sensitive=no, you can only assign one of them to a resource).

Designate sensitive resources by resource name substring

When designating sensitive resources by resource name substring, enter any substring value (for example, mysql-02-sensitive or Postgres-exampleapp-4). The system checks for this value in all resource names and displays the matched resources in dashboards.
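The tag rules and the substring rule above can be checked against an inventory before the settings are saved. The following is an added example, not StrongDM code: the resource records are constructed, and the handling of the first "=", exact key and value matching, and case-sensitive substring comparison are assumptions marked in the comments.

```python
import unicodedata

MAX_KEY_LEN = 128        # characters, from "Tag details"
MAX_VALUE_LEN = 256
MAX_SENSITIVE_TAGS = 5   # "You may enter up to five tags"
EXTRA_CHARS = set("+-=._:/@")


def _allowed(ch):
    """True for letters, numbers, spaces, and the listed punctuation."""
    if ch in EXTRA_CHARS:
        return True
    category = unicodedata.category(ch)
    return category[0] in "LN" or category == "Zs"


def parse_tag(spec):
    """Parse '<KEY>=<VALUE>' and enforce the documented limits.

    Assumption: the first '=' separates key from value, so a value may
    contain '=' but a key may not.
    """
    key, sep, value = spec.partition("=")
    if not sep or not key:
        raise ValueError(f"{spec!r}: expected <KEY>=<VALUE> with a non-empty key")
    if len(key) > MAX_KEY_LEN or len(value) > MAX_VALUE_LEN:
        raise ValueError(f"{spec!r}: key or value exceeds the length limit")
    bad = sorted({ch for ch in key + value if not _allowed(ch)})
    if bad:
        raise ValueError(f"{spec!r}: disallowed characters {bad}")
    return key, value


def sensitive_by_tags(resources, tag_specs):
    """Names of resources carrying any of the given tags (case-sensitive).

    Assumption: key and value must both match exactly, so 'sensitive='
    matches only a tag whose value is empty.
    """
    if len(tag_specs) > MAX_SENSITIVE_TAGS:
        raise ValueError("at most five sensitive tags may be configured")
    wanted = {parse_tag(spec) for spec in tag_specs}
    return [r["name"] for r in resources if wanted & set(r["tags"].items())]


def sensitive_by_name(resources, substring):
    """Names of resources whose name contains the substring.

    Assumption: the comparison is case-sensitive.
    """
    return [r["name"] for r in resources if substring in r["name"]]


# Constructed inventory; each resource has at most one value per tag key.
RESOURCES = [
    {"name": "mysql-02-sensitive", "tags": {"env": "prod"}},
    {"name": "Postgres-exampleapp-4", "tags": {"sensitive": "true"}},
    {"name": "web-staging", "tags": {"Sensitive": "true"}},  # key case differs
    {"name": "redis-cache", "tags": {"sensitive": ""}},
]

if __name__ == "__main__":
    print(sensitive_by_tags(RESOURCES, ["sensitive=true"]))
    print(sensitive_by_name(RESOURCES, "sensitive"))
```

Because tags are case-sensitive, the resource tagged Sensitive=true is not matched by sensitive=true, which is the kind of gap worth looking for before relying on the sensitive-resource filters.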

Designate Sensitive Resources With Resource Name Substring

Access Workflows

The Access Workflows dashboard provides a summary of how temporary access granted by Access Workflows is being used in the organization.

With the Access Workflows dashboard, StrongDM admins can:

  • View a summary of active access grants and access requests.
  • Filter results based on status (pending, timed out, denied, or canceled) of access grants or access requests.
  • Filter results to show access grants that were manually approved or automatically approved.
  • Filter results to show access grants approved by a particular approver.
  • Filter results to show only grants that are active or inactive.
  • Search users, resources, workflows, and approvers by name, and display results accordingly.
  • Audit all requests made by a user or for a resource or workflow.
  • Select a time range of up to 13 months for review.
  • Export data in the format that works for your organization.

The following Access Workflows metrics are available in exported dashboards.

Metric name | Description | Example
Access Requests | Number of access requests | 100
Active Grants | Number of active grants | 55
Approval Mode | Type of approval, either manual or automatic | 2024-08-07 18:24:00
Approver | Full name of the user who approved a request | Bob Belcher
Automatically Approved | Number of requests automatically approved | 50
Canceled | Number of canceled requests | 0
Created Time | Date and time when the request for access was created | 2024-08-07 18:24:00
Deleted Time | Date and time when the request for access was deleted | 2024-08-08 19:20:00
Denied | Number of denied requests | 0
From Integrations | Number of requests from integrations | 1
Grants | Number of access grants | 1,305
ID | Identifier of workflow | 1092327429073100416
Inactive Grants | Number of inactive grants | 45
Manually Approved | Number of manually approved requests | 23
Name | Name of resource, role, or workflow | Web Staging
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com
Pending | Number of pending requests | 0
Reason | Reason for requesting access | Use DB please.
Request Duration | Duration of the request | 2,700
Requests | Number of requests made or approved | 12
Resource | Name of resource | AWS Cloud
Resource ID | Identifier of the resource | 669547882304912091
Start From Time | Start date and time of the request for access | 2023-10-04 12:22:04
Status | Status of request | Approved
Status Time | Status time of request | 2024-08-07 18:24:00
Timed Out | Number of timed out requests | 3
Updated | Date and time of update | 2024-08-12,2024-08-14
User | Full name of the user | Alice Glick
Valid Until Derived Time | Valid until derived date and time | 2023-10-04 12:22:04
Valid Until Time | Date and time when the request for access expires | 2023-10-04 12:22:04
Workflow | Name of workflow | RW Admin Workflow

Auditor Insights

The Auditor Insights dashboard displays information about all the roles, users, resources, and tags in an environment. This information helps companies to run external audits and understand who has access to which resources. StrongDM admins can use this information to show compliance with auditor requirements, as well as to understand which areas of their organization have more access than needed.

With the Auditor Insights dashboard, StrongDM admins and auditors can:

  • View the many relationships between roles, users, resources, and tags.
  • View the roles assigned to a user or set of users.
  • View the roles that grant access to a resource or set of resources.
  • View the roles that grant access to resources with a tag or set of tags.
  • View the resource types and specific resources that a user or set of users can access.
  • View the users who have access to a resource or set of resources.
  • View individual grants.
  • Filter results for a specific time period.
  • Filter results to show access information from only temporary grants or permanent grants.
  • Click on any role, user name, resource name, resource type, tag, access type, or date to filter results even further.
  • Export data in the format that works for your organization to meet audit needs.

The following Auditor Insights metrics are available in exported dashboards.

Metric name | Description | Example
ID | Resource ID, role ID, tag ID, or user ID | 5406577942789366843
Key Value | Tag key and value | environment=development
Name | Resource name or role name | Example
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com
Resources | Number of resources | 194
Resources Count | Number of resources | 530
Roles Count | Number of roles | 33
Tags Count | Number of tags | 24
Temporary Grants Count | Number of temporary grants | 25
Users | Number of users | 100
Users Count | Number of users | 113

Executive Summary

The Executive Summary dashboard provides CISOs and security teams a high-level overview of security posture as it pertains to privileged access management. The dashboard shows how many users actually interact with the resources to which they have been granted access. Access grants, resources, users, and sessions are shown as numbers, while utilization of grants, resources, and users is shown as percentages. As an example, a high number of grants with a low resource utilization percentage could mean that users are overprovisioned for access.

With the Executive Summary dashboard, you can do the following:

  • View summarized information about user and resource utilization and activity.
  • Review utilization and activity trends over time in order to take corrective action, if needed.
  • Select a time range of up to 13 months for review.
  • Export data in the format that works for your organization.

The following Executive Summary metrics are available in exported dashboards.

Metric name | Description | Example
Act Res | Number of active resources | 100
Act User | Number of active users | 1,108
Date | Date (YYYY-MM-DD) | 2023-08-13
Grants | Number of access grants | 1,305
Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them | 13%
Latest Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them as of the last refresh time | 80
Latest Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them, as of the last refresh time | 56
Latest User Utilization | Percentage of active users (users with a grant) that had a query associated with them, as of the last refresh time | 75
Query Count | Number of queries run by the user | 9,000
Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them | 70%
Sessions | Number of queries run by the user | 142
User Utilization | Percentage of active users (users with a grant) that had a query associated with them | 85%

Standing Access

The Standing Access report provides information about how users received access (such as through permanent grants from roles, or temporary grants from workflows or policies), how long users have had access to resources, and whether or not users have used the access they’ve been given. In addition, it provides suggested actions to take to reduce unused access. This information is useful for assessing security risks and determining which users actually need access to certain resources and whose access should be revoked or converted to temporary access.

The Standing Access report presents information in the following tabs: Scores, Users, Roles, Resources, and Remediations. By clicking into these Standing Access report tabs, StrongDM admins can view:

  • Scores for Just-in-Time (JIT) access (that is, access granted upon request or on demand), role utilization, and overall access, and how they are calculated
  • JIT Access and Role Utilization scores for each user
  • Utilization score and JIT resource overlap for each role
  • Distribution of your resources based on the origin of the grant
  • Remediation steps to remove users and resources from roles in order to reduce standing access

Scores

The Scores area of the Standing Access report uses data from the access grants and user sessions from the last 90 days to calculate three scores for your organization: JIT Access Score, Role Utilization Score, and Overall Score. These scores can help you to quickly glean the amount of standing access granted to users (where standing access is a permanent access grant created when a user or a resource is assigned to a role) versus the amount of temporary access granted to a user (where access is given upon request and approval, for a specified, limited amount of time).

The JIT Access Score evaluates all of your grants, and calculates the percentage of grants that provided access on a temporary basis versus the grants derived from a role. A JIT Access Score of 100% means your organization has no standing access because all of your grants provide access on a temporary basis.

The Role Utilization Score calculates the percentage of permanent grants where the user accessed the resource. A Role Utilization Score of 100% means all of your permanent grants are utilized.

The Overall Score is an average of the JIT Access Score and Role Utilization Score.

The Standing Access Report is meant to assist StrongDM administrators to reduce the amount of standing access by changing permanent grants from roles into temporary grants from workflows and policies, particularly those permanent grants that often go unused.
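The three score definitions above, worked through on a small constructed data set. This is an added example, not StrongDM's implementation: the grant and session record fields, matching a session to a permanent grant by user and resource, and returning None when a score has no denominator are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=90)  # the report uses the last 90 days of data


def standing_access_scores(grants, sessions, now):
    """Compute JIT Access, Role Utilization, and Overall scores as percentages.

    grants:   dicts with 'user', 'resource', and 'origin', where origin is
              'role' (permanent) or 'workflow' / 'policy' (temporary).
    sessions: dicts with 'user', 'resource', and 'start' (datetime).
    Both record shapes are assumptions made for this example.
    """
    cutoff = now - WINDOW
    # (user, resource) pairs with at least one session inside the window.
    used = {(s["user"], s["resource"]) for s in sessions
            if cutoff <= s["start"] <= now}

    permanent = [g for g in grants if g["origin"] == "role"]
    temporary = [g for g in grants if g["origin"] in ("workflow", "policy")]
    total = len(permanent) + len(temporary)

    # Permanent grants with no session in the window: candidates for removal
    # from the role or conversion to temporary access.
    unused = [(g["user"], g["resource"]) for g in permanent
              if (g["user"], g["resource"]) not in used]

    # Share of grants that are temporary; 100 means no standing access.
    jit = 100 * len(temporary) / total if total else None
    # Share of permanent grants that were actually used.
    utilization = (100 * (len(permanent) - len(unused)) / len(permanent)
                   if permanent else None)
    # Average of the two scores; undefined (None) if either is undefined.
    overall = ((jit + utilization) / 2
               if jit is not None and utilization is not None else None)
    return {"jit_access": jit, "role_utilization": utilization,
            "overall": overall, "unused_permanent": unused}


# Constructed sample data.
NOW = datetime(2024, 8, 27)
GRANTS = [
    {"user": "alice", "resource": "db-prod", "origin": "role"},
    {"user": "alice", "resource": "web-staging", "origin": "role"},
    {"user": "bob", "resource": "db-prod", "origin": "role"},
    {"user": "bob", "resource": "k8s-dev", "origin": "role"},
    {"user": "carol", "resource": "db-prod", "origin": "workflow"},
]
SESSIONS = [
    {"user": "alice", "resource": "db-prod", "start": datetime(2024, 8, 1)},
    {"user": "bob", "resource": "db-prod", "start": datetime(2024, 3, 1)},  # older than 90 days
    {"user": "carol", "resource": "db-prod", "start": datetime(2024, 8, 20)},
]

if __name__ == "__main__":
    for name, value in standing_access_scores(GRANTS, SESSIONS, NOW).items():
        print(name, value)
```

In this sample one of five grants is temporary and one of four permanent grants was used inside the window, so the three unused permanent grants are the ones to review first.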

Standing Access metrics

The following Standing Access metrics are available in exported dashboards.

Metric name | Description | Example
Cumulative Standing Access | Cumulative number of days of standing access to the resource | 56
Datasource ID | Identifier of the datasource | 5841011655724994212
Datasource Name | Name of the datasource | Dev-admin
Query Count | Number of queries run by the user | 9,000
Sessions | Number of sessions | 300
Tags ID | Identifier for tag | 1143611
Tags Namevalue | Tag key and value | Environment=Production
Users ID | Identifier of the user | 925244649940379957
Users Name | First and last name of user | Bob Belcher

User Activity

The User Activity dashboard provides details about user sessions. Admins can use the dashboard to troubleshoot issues with users or resources by filtering to the relevant time and context. In addition, admins can use it to get a detailed understanding of what users access or who is accessing specific resources and resource types.

With the User Activity dashboard, StrongDM admins can:

  • Get an at-a-glance view of sessions within StrongDM.
  • Find problematic sessions based on concurrency and length of sessions.
  • Filter results by user, resources, resource types, and tags to review specific session activities.
  • Filter results to show queries for sensitive resources only.
  • View individual sessions and grants.
  • Select a time range of up to 13 months for review.
  • Export data in the format that works for your organization.

The following User Activity metrics are available in exported dashboards.

Metric name | Description | Example
Cumulative Query Counts | Cumulative number of queries run by the user | 100
ID | Identifier of resource | 1092327429073100416
Is Sensitive Filter Value | Boolean value indicating whether the session is for a sensitive resource (true) or a non-sensitive resource (false) | true
Name | Name of resource | Web Staging
Non Sensitive Query Counts | Number of queries run on non-sensitive resources | 100
Num | Number of sessions | 20
Query Counts | Number of queries run by the user | 9,000
Resources | Number of resources | 194
Sensitive | Number of sensitive resources accessed | 101
Sensitive Resources | Number of sensitive resources accessed | 101
Sensitive Sessions | Number of sessions in which sensitive resources were being accessed | 2
Sessions | Number of sessions | 142
Tags ID | Identifier for tag | 1143611
Tags Key Value | Tag key and value | Environment=Production
Time End | Date and time when the user session ended | 2024-08-06 11:29:40
Time Start | Date and time when the user session started | 2024-08-05 20:11:20
Users | Number of users | 100
Users ID | Identifier of the user | 925244649940379957
Users Name Email | Full name and email address of the user | Bob Belcher -- bob.belcher@strongdm.com

Utilization

The Utilization dashboard provides information about the activity and inactivity of users and resources within your StrongDM environment. Admins can use this dashboard to identify stale or unused users, resources, and roles.

With the Utilization dashboard, StrongDM admins can view:

  • User activity by IP address
  • Latest query per user
  • Latest query per resource
  • Roles that are active but are unassigned to resources
  • Resources that have no roles assigned to them
  • Users who have no roles assigned to them
  • Resources that have never had activity
  • Users who have never had activity/sessions
  • All the above information for various date ranges, including:
    • Greater than 90 days ago
    • Less than 90 days ago
    • Less than 30 days ago
    • Less than 7 days ago
    • Less than 1 day ago

The following Utilization metrics are available in exported dashboards.

Metric name | Description | Example
Created Time | Date and time when the user was created in StrongDM | 2024-03-13 19:25:11
ID | Identifier of resource, role, tag, user, or workflow | 913974183375011223
IPs | IP address of user | 12.123.123.123
Last Login Time | Date and time of the user’s last login to StrongDM | 2024-08-19 23:10:30
Last Query Date | Date of the user’s last query | 2024-08-05
Last Query Time | Date and time of the user’s last query | 2024-08-05 23:00:15
Latest Session Time | Date and time of the user’s latest session | 2024-06-27 07:07:03
List of Source | Source of user activity, either web (Admin UI) or native (desktop app) | web
Name | Name of resource, role, tag, user, or workflow | Dev Role
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com

All Metrics

The following table describes all metrics found in exported dashboards.

Metric name | Description | Example | Dashboard(s)
Access Requests | Number of access requests | 100 | Access Workflows
Act Res | Number of active resources | 100 | Executive Summary
Act User | Number of active users | 1,108 | Executive Summary
Active Grants | Number of active grants | 55 | Access Workflows
Approval Mode | Type of approval, either manual or automatic | 2024-08-07 18:24:00 | Access Workflows
Approver | Full name of the user who approved a request | Bob Belcher | Access Workflows
Automatically Approved | Number of requests automatically approved | 50 | Access Workflows
Canceled | Number of canceled requests | 0 | Access Workflows
Created Time | Date and time when the user or the user’s request for access was created | 2024-08-07 18:24:00 | Access Workflows, Utilization
Cumulative Query Counts | Cumulative number of queries run by the user | 100 | User Activity
Cumulative Standing Access | Number of users who have standing access to the resource | 56 | Standing Access
Datasource ID | Identifier of the datasource | 5841011655724994212 | Standing Access, User Activity
Datasource Name | Name of the datasource | Dev-admin | Standing Access
Date | Date (YYYY-MM-DD) | 2023-08-13 | Executive Summary
Deleted Time | Date and time when the request for access was deleted | 2024-08-08 19:20:00 | Access Workflows
Denied | Number of denied requests | 0 | Access Workflows
From Integrations | Number of requests from integrations | 1 | Access Workflows
Grants | Number of access grants | 1,305 | Access Workflows, Executive Summary
Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them | 13% | Executive Summary
ID | Identifier of resource, role, tag, user, or workflow | 1092327429073100416 | Access Workflows, Auditor Insights, User Activity, Utilization
Inactive Grants | Number of inactive grants | 45 | Access Workflows
IPs | IP address of user | 12.123.123.123 | Utilization
Is Sensitive Filter Value | Boolean value indicating whether the session is for a sensitive resource (true) or a non-sensitive resource (false) | true | User Activity
Key Value | Tag key and value | environment=development | Auditor Insights
Last Login Time | Date and time of the user’s last login to StrongDM | 2024-08-19 23:10:30 | Utilization
Last Query Date | Date of the user’s last query | 2024-08-05 | Utilization
Last Query Time | Date and time of the user’s last query | 2024-08-05 23:00:15 | Utilization
Latest Grant Utilization | Percentage of all access grants (temporary and permanent) that had a query associated with them as of the last refresh time | 80 | Executive Summary
Latest Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them, as of the last refresh time | 56 | Executive Summary
Latest Session Time | Date and time of the user’s latest session | 2024-06-27 07:07:03 | Utilization
Latest User Utilization | Percentage of active users (users with a grant) that had a query associated with them, as of the last refresh time | 75 | Executive Summary
List of Source | Source of user activity, either web (Admin UI) or native (desktop app) | web | Utilization
Manually Approved | Number of manually approved requests | 23 | Access Workflows
Name | Name of resource, role, or workflow | Web Staging | Access Workflows, Auditor Insights, User Activity, Utilization
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com | Access Workflows, Auditor Insights, Utilization
Non Sensitive Query Counts | Number of queries run on non-sensitive resources | 100 | User Activity
Num | Number of sessions | 20 | User Activity
Pending | Number of pending requests | 0 | Access Workflows
Query Count | Number of queries run by the user | 9,000 | Executive Summary, Standing Access
Query Counts | Number of queries run by the user | 9,000 | User Activity
Request Duration | Duration of the request | 2,700 | Access Workflows
Requests | Number of requests made or approved | 12 | Access Workflows
Resource ID | Identifier of the resource | 669547882304912091 | Access Workflows
Resource Utilization | Percentage of active resources (resources with a grant) that had a query associated with them | 70% | Executive Summary
Resources | Number of resources | 194 | Auditor Insights, User Activity
Resources Count | Number of resources | 530 | Auditor Insights
Roles Count | Number of roles | 33 | Auditor Insights
Sensitive | Number of sensitive resources accessed | 101 | User Activity
Sensitive Resources | Number of sensitive resources accessed | 101 | User Activity
Sensitive Sessions | Number of sessions in which sensitive resources were being accessed | 2 | User Activity
Sessions | Number of sessions | 142 | Executive Summary, User Activity
Start From Time | Start date and time of the request for access | 2023-10-04 12:22:04 | Access Workflows
Status | Status of request | Approved | Access Workflows
Status Time | Status time of request | 2024-08-07 18:24:00 | Access Workflows
Tags Count | Number of tags | 24 | Auditor Insights
Tags ID | Identifier for tag | 1143611 | Standing Access, User Activity
Tags Key Value | Tag key and value | Environment=Production | User Activity
Tags Namevalue | Tag key and value | Environment=Production | Standing Access
Temporary Grants Count | Number of temporary grants | 25 | Auditor Insights
Time End | Date and time when the user session ended | 2024-08-06 11:29:40 | User Activity
Timed Out | Number of timed out requests | 3 | Access Workflows
Time Start | Date and time when the user session started | 2024-08-05 20:11:20 | User Activity
User | Full name of the user | Alice Glick | Access Workflows
User Utilization | Percentage of active users (users with a grant) that had a query associated with them | 85% | Executive Summary
Users | Number of users | 100 | Auditor Insights, User Activity
Users Count | Number of users | 100 | Auditor Insights
Users ID | Identifier of the user | 925244649940379957 | Standing Access, User Activity
Users Name | First and last name of user | Bob Belcher | Standing Access
Users Name Email | Full name and email address of the user | Bob Belcher -- bob.belcher@strongdm.com | User Activity
Valid Until Derived Time | Valid until derived date and time | 2023-10-04 12:22:04 | Access Workflows
Valid Until Time | Date and time when the request for access expires | 2023-10-04 12:22:04 | Access Workflows
Workflow | Name of workflow | RW Admin Workflow | Access Workflows