Reports Beta
Last modified on September 23, 2024
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
This feature is currently in closed-access beta. Functionality and documentation may change. Contact StrongDM for more information.
StrongDM Reports offer rich dashboards providing in-depth analysis of access grants to resources, organization posture and risks, and more. These dashboards can help StrongDM administrators and auditors ensure compliance and detect potential issues.
This article describes the dashboards that are currently in beta, which are either new or updated:
- Updated: Auditor Insights
- Updated: Standing Access
- Updated: User Activity
- New: Utilization
You still have access to all other reporting dashboards in the Admin UI. Please see the Reports documentation for information about the following:
All Dashboards
Dashboards may be viewed by users with the Administrator or Auditor permission level.
To view dashboards, log in to the Admin UI, and select Reports from the main navigation. The All reports tab displays all dashboards currently available to your organization.
Click on a dashboard card to view its contents. For each dashboard, you can do the following:
- View all metrics specific to the dashboard.
- Display data based on a specified date range.
- Search the data in your dashboards by manipulating the filters, or click into specific items in widgets to filter the displayed information further.
The following capabilities are coming soon:
- Download data as a CSV or PDF file.
- Schedule delivery of the dashboard report to a specified destination at a later time, in a variety of formats (PDF, zipped CSV, PNG).
- Clear the cache and refresh dashboard data.
- Set email alerts for any individual widget.
Search and Filter
The Search field embedded into dashboard cards allows you to find and display specific data, such as the name of a user accessing a resource, a specific resource type, or a tag. You can enter any text or string into the Search field.
Similarly, filters allow you to display specific data, such as for date or temporary grants. Every active filter is presented at the top of each dashboard. You can select filters from multiple dashboard cards to narrow results even further.
When set, the filters are encoded into the dashboard’s URL (for example, https://app.strongdm.com/app/reports/all-reports/dashboard/auditor?Date=7+day), enabling you to share or bookmark your filter configuration.
Sensitive Resource Settings
The Sensitive Resource Settings tab is where you define which resources are considered sensitive. You can use either a resource tag or resource name or substring to define a sensitive resource. After saving your sensitive resource configuration, any dashboard that you view filters resources based on your tag or substring value setting.
What is a sensitive resource?
A resource may be considered sensitive if it hosts, stores, or transmits sensitive data. Sensitive data is information that is stored, processed, or managed by an individual or organization; it is information that is confidential and only accessible to authorized users with proper permission, privileges, or clearance to view it.
Some examples of sensitive data include financial information, protected health information (PHI), credential data, customer information, trade information, proprietary information, government information, and certain types of personally identifiable information (for example, Social Security numbers and bank account numbers).
Because hosting, storing, or transmitting sensitive data can pose considerable security and legal risks to any organization, it’s important to determine criteria for what data is sensitive, identify resources that have it, determine which users can access it (via those resources), and know which users are actually accessing sensitive resources and when.
StrongDM already helps organizations maintain sensitive data protection through privileged access control to sensitive information systems and careful management of user authentication processes. StrongDM, however, does not know what is on your resources or how you classify them. It is up to you to identify sensitive resources. The Reports provide the tools that enable you to specify which of your organization’s resources are considered sensitive.
Designate sensitive resources by resource tag
When designating sensitive resources by resource tag, enter your desired tag in the format <KEY>=<VALUE> (for example, sensitive=true). The value is optional and may be left empty (for example, sensitive=). You may enter up to five tags, and if a resource has any of the specified tags, it is designated as sensitive.
Tag details
- Maximum key length: 128 UTF-8 characters
- Maximum value length: 256 UTF-8 characters
- Maximum 50 tags per entity
- Allowed characters: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @
- Case-sensitive: team=StrongDM is different from team=strongdm
- An entity can only have one value of a key at a time (for example, if you have two tags, sensitive=yes and sensitive=no, you can only assign one of them to a resource).
Designate sensitive resources by resource name substring
When designating sensitive resources by resource name substring, enter any substring value (for example, mysql-02-sensitive or Postgres-exampleapp-4). The system checks for this value in all resource names and displays the matched resources in dashboards.
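The following added example (not StrongDM code) checks tag entries against the documented limits and previews which resources in an inventory each designation method would flag. It assumes that entries split at the first `=`, that a tag matches only on an exact key and value (so `sensitive=` matches an empty value only), and that substring matching is case-sensitive; the inventory and function names are constructed for illustration.

```python
ALLOWED_PUNCT = set("+-=._:/@")  # extra characters the page allows in tags
MAX_KEY, MAX_VALUE, MAX_ENTRIES = 128, 256, 5

def _chars_ok(text):
    # Letters, numbers and spaces, plus the documented punctuation.
    return all(c.isalnum() or c == " " or c in ALLOWED_PUNCT for c in text)

def parse_tag(entry):
    """Parse '<KEY>=<VALUE>'; the value may be empty.

    Assumption: the entry is split at the first '='.
    """
    key, sep, value = entry.partition("=")
    if not sep or not key:
        raise ValueError(f"expected <KEY>=<VALUE>, got {entry!r}")
    if len(key) > MAX_KEY or len(value) > MAX_VALUE:
        raise ValueError(f"key or value too long in {entry!r}")
    if not (_chars_ok(key) and _chars_ok(value)):
        raise ValueError(f"disallowed character in {entry!r}")
    return key, value

def sensitive_by_tags(resources, entries):
    """Names of resources carrying ANY of up to five configured tags.

    Assumption: a match requires the exact key and value, case-sensitively.
    """
    if len(entries) > MAX_ENTRIES:
        raise ValueError("at most five tags may be configured")
    wanted = {parse_tag(e) for e in entries}
    return [r["name"] for r in resources if wanted & set(r["tags"].items())]

def sensitive_by_substring(resources, substring):
    """Names of resources whose name contains the substring.

    Assumption: the comparison is case-sensitive.
    """
    return [r["name"] for r in resources if substring in r["name"]]

# Constructed inventory: each resource holds one value per tag key.
RESOURCES = [
    {"name": "mysql-02-sensitive", "tags": {"env": "prod", "sensitive": "true"}},
    {"name": "Postgres-exampleapp-4", "tags": {"team": "StrongDM"}},
    {"name": "web-staging", "tags": {"team": "strongdm", "sensitive": ""}},
]
```
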
Auditor Insights
The Auditor Insights dashboard displays information about all the roles, users, resources, and tags in an environment. This information helps companies to run external audits and understand who has access to which resources. StrongDM admins can use this information to show compliance with auditor requirements, as well as to understand which areas of their organization have more access than needed.
With the Auditor Insights dashboard, StrongDM admins and auditors can:
- View the many relationships between roles, users, resources, and tags.
- View the roles assigned to a user or set of users.
- View the roles that grant access to a resource or set of resources.
- View the roles that grant access to resources with a tag or set of tags.
- View the resource types and specific resources that a user or set of users can access.
- View the users who have access to a resource or set of resources.
- View individual grants.
- Filter results for a specific time period.
- Filter results to show access information from only temporary grants or permanent grants.
- Click on any role, user name, resource name, resource type, tag, access type, or date to filter results even further.
- Export data in the format that works for your organization to meet audit needs.
The following Auditor Insights metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
ID | Resource ID, role ID, tag ID, or user ID | 5406577942789366843 |
Key Value | Tag key and value | environment=development |
Name | Resource name or role name | Example |
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com |
Resources | Number of resources | 194 |
Resources Count | Number of resources | 530 |
Roles Count | Number of roles | 33 |
Tags Count | Number of tags | 24 |
Temporary Grants Count | Number of temporary grants | 25 |
Users | Number of users | 100 |
Users Count | Number of users | 113 |
Standing Access
The Standing Access report provides information about how users received access (such as through permanent grants from roles, or temporary grants from workflows or policies), how long users have had access to resources, and whether or not users have used the access they’ve been given. In addition, it provides suggested actions to take to reduce unused access. This information is useful for assessing security risks and determining which users actually need access to certain resources and whose access should be revoked or converted to temporary access.
The Standing Access report presents information in the following tabs: Scores, Users, Roles, Resources, and Remediations. By clicking into these Standing Access report tabs, StrongDM admins can view:
- Scores for Just-in-Time (JIT) access (that is, access granted upon request or on demand), role utilization, and overall access, and how they are calculated
- JIT Access and Role Utilization scores for each user
- Utilization score and JIT resource overlap for each role
- Distribution of your resources based on the origin of the grant
- Remediation steps to remove users and resources from roles in order to reduce standing access
Scores
The Scores area of the Standing Access report uses data from the access grants and user sessions from the last 90 days to calculate three scores for your organization: JIT Access Score, Role Utilization Score, and Overall Score. These scores can help you to quickly glean the amount of standing access granted to users (where standing access is a permanent access grant created when a user or a resource is assigned to a role) versus the amount of temporary access granted to a user (where access is given upon request and approval, for a specified, limited amount of time).
The JIT Access Score evaluates all of your grants, and calculates the percentage of grants that provided access on a temporary basis versus the grants derived from a role. A JIT Access Score of 100% means your organization has no standing access because all of your grants provide access on a temporary basis.
The Role Utilization Score calculates the percentage of permanent grants where the user accessed the resource. A Role Utilization Score of 100% means all of your permanent grants are utilized.
The Overall Score is an average of the JIT Access Score and Role Utilization Score.
The Standing Access Report is meant to help StrongDM administrators reduce the amount of standing access by changing permanent grants from roles into temporary grants from workflows and policies, particularly those permanent grants that often go unused.
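The score definitions above can be reproduced from exported grant and session data. This added example is not StrongDM's implementation: the record fields and function name are hypothetical, the grants passed in are assumed to be already scoped to the reporting period, and an empty denominator is assumed to score 100%.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=90)  # the report looks at the last 90 days

def standing_access_scores(grants, sessions, now):
    """Compute JIT Access, Role Utilization and Overall scores.

    Also returns the permanent grants with no session in the window, which
    are the candidates for revocation or conversion to temporary access.
    """
    # (user, resource) pairs with at least one session inside the window.
    recent = {(s["user"], s["resource"]) for s in sessions
              if timedelta(0) <= now - s["time"] <= WINDOW}
    permanent = [g for g in grants if g["kind"] == "permanent"]
    temporary = [g for g in grants if g["kind"] == "temporary"]
    unused = [(g["user"], g["resource"]) for g in permanent
              if (g["user"], g["resource"]) not in recent]
    # Assumption: with nothing to measure, a score defaults to 100%.
    jit = 100.0 * len(temporary) / len(grants) if grants else 100.0
    used = len(permanent) - len(unused)
    util = 100.0 * used / len(permanent) if permanent else 100.0
    return {"jit": jit, "role_utilization": util,
            "overall": (jit + util) / 2, "unused": unused}

# Constructed sample data.
NOW = datetime(2024, 9, 23)
GRANTS = [
    {"user": "alice", "resource": "db1", "kind": "permanent"},
    {"user": "bob", "resource": "db1", "kind": "permanent"},
    {"user": "carol", "resource": "db2", "kind": "permanent"},
    {"user": "erin", "resource": "db2", "kind": "permanent"},
    {"user": "dave", "resource": "db2", "kind": "temporary"},
]
SESSIONS = [
    {"user": "alice", "resource": "db1", "time": NOW - timedelta(days=10)},
    {"user": "erin", "resource": "db2", "time": NOW - timedelta(days=1)},
    {"user": "bob", "resource": "db1", "time": NOW - timedelta(days=120)},
]
```

In the sample, bob's only session is older than 90 days and carol has none, so both permanent grants count as unused.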
Standing Access metrics
The following Standing Access metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
Cumulative Standing Access | Cumulative number of days of standing access to the resource | 56 |
Datasource ID | Identifier of the datasource | 5841011655724994212 |
Datasource Name | Name of the datasource | Dev-admin |
Query Count | Number of queries run by the user | 9,000 |
Sessions | Number of sessions | 300 |
Tags ID | Identifier for tag | 1143611 |
Tags Namevalue | Tag key and value | Environment=Production |
Users ID | Identifier of the user | 925244649940379957 |
Users Name | First and last name of user | Bob Belcher |
User Activity
The User Activity dashboard provides details about user sessions. Admins can use the dashboard to troubleshoot issues with users or resources by filtering to the relevant time and context. In addition, admins can use it to get a detailed understanding of what users access or who is accessing specific resources and resource types.
With the User Activity dashboard, StrongDM admins can:
- Get an at-a-glance view of sessions within StrongDM.
- Find problematic sessions based on concurrency and length of sessions.
- Filter results by user, resources, resource types, and tags to review specific session activities.
- Filter results to show queries for sensitive resources only.
- View individual sessions and grants.
- Select a time range of up to 13 months for review.
- Export data in the format that works for your organization.
The following User Activity metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
Cumulative Query Counts | Cumulative number of queries run by the user | 100 |
ID | Identifier of resource | 1092327429073100416 |
Is Sensitive Filter Value | Boolean value indicating whether the session is for a sensitive resource (true) or a non-sensitive resource (false) | true |
Name | Name of resource | Web Staging |
Non Sensitive Query Counts | Number of queries run on non-sensitive resources | 100 |
Num | Number of sessions | 20 |
Query Counts | Number of queries run by the user | 9,000 |
Resources | Number of resources | 194 |
Sensitive | Number of sensitive resources accessed | 101 |
Sensitive Resources | Number of sensitive resources accessed | 101 |
Sensitive Sessions | Number of sessions in which sensitive resources were being accessed | 2 |
Sessions | Number of sessions | 142 |
Tags ID | Identifier for tag | 1143611 |
Tags Key Value | Tag key and value | Environment=Production |
Time End | Date and time when the user session ended | 2024-08-06 11:29:40 |
Time Start | Date and time when the user session started | 2024-08-05 20:11:20 |
Users | Number of users | 100 |
Users ID | Identifier of the user | 925244649940379957 |
Users Name Email | Full name and email address of the user | Bob Belcher -- bob.belcher@strongdm.com |
Utilization
The Utilization dashboard provides information about the activity and inactivity of users and resources within your StrongDM environment. Admins can use this dashboard to identify stale or unused users, resources, and roles.
With the Utilization dashboard, StrongDM admins can view:
- User activity by IP address
- Latest query per user
- Latest query per resource
- Roles that are active but are unassigned to resources
- Resources that have no roles assigned to them
- Users who have no roles assigned to them
- Resources that have never had activity
- Users who have never had activity/sessions
- All the above information for various date ranges, including:
  - Greater than 90 days ago
  - Less than 90 days ago
  - Less than 30 days ago
  - Less than 7 days ago
  - Less than 1 day ago
The following Utilization metrics are available in exported dashboards.
Metric name | Description | Example |
---|---|---|
Created Time | Date and time when the user was created in StrongDM | 2024-03-13 19:25:11 |
ID | Identifier of resource, role, tag, user, or workflow | 913974183375011223 |
IPs | IP address of user | 12.123.123.123 |
Last Login Time | Date and time of the user’s last login to StrongDM | 2024-08-19 23:10:30 |
Last Query Date | Date of the user’s last query | 2024-08-05 |
Last Query Time | Date and time of the user’s last query | 2024-08-05 23:00:15 |
Latest Session Time | Date and time of the user’s latest session | 2024-06-27 07:07:03 |
List of Source | Source of user activity, either web (Admin UI) or native (desktop app) | web |
Name | Name of resource, role, tag, user, or workflow | Dev Role |
Name Email | User name (first and last) and user email | Bob Belcher -- bob.belcher@strongdm.com |