Audit which items an organization member has access to

When someone leaves our company, we need to be able to audit which shared credentials they had access to so we know which ones might need to be rotated.

Right now that means determining which groups they were in and then clicking through the user and group lists of every collection in the organization, one by one, by hand, to check which ones they’re on.

There really ought to be a way to say, “Show me everything that this user has access to.”

(We could implement this in the CLI if the CLI had full user / group / collection management functionality, but it doesn’t. I believe there’s a separate feature request open about that…)

1 Like

I’m necroing this since it seems this is the main topic about this issue.

We have close to 600 passwords and are planning to do fine-grained access control so that a user sees only the minimum passwords they need for their work. It would be a big hassle to go through all this information manually when someone leaves the organization.

Hi all,

Any particular suggestions or recommendations around this kind of report that would make it the most useful?

What data elements and types of things would you think should be shown? What format (grid, matrix, grouped report, etc.)? Should elements be interactive or just a flat report? Any other ideas, thoughts or feedback?

A report would be a good idea (when a user leaves, for example).

And for everyday use, a small popup could appear when clicking the “shared” icon, with a list of the groups/users who can access it (red for full access, green for hidden-password access, for example).

I’m not sure exactly what I would want to see in security audit reporting for access per user, but being able to determine what access a specific user has (from their perspective) to a single or multiple orgs’ content, and then determine how that access is granted, would be a good starting point. I’m of the mindset that this doesn’t necessarily need to be built only for staff-leaving scenarios, as it can also be useful for trimming existing staff permissions, compliance audits, etc. (sorry if I spooked anyone just now)

1 Like

Access Auditing Reports

It would be helpful, when working on the scope of an organization, to be able to run a report for assisting audits that allows for an overview of who has access to which collections.

Overview

Ideally, one should be able to view each report in the form of a matrix, and download it in a portable format such as a CSV file.

Because user access can occur either directly through association to a collection or transitively via group membership, multiple reports would likely be required.

Depending on the organization, the number of elements on each axis may differ significantly. Therefore, being able to transpose the matrix would be nice, albeit not required.

Report 1: Collections vs Groups

Plot collections on one axis, groups on the other, and mark the intersecting cells where groups have been granted access to a collection.

Report 2: Users vs Groups

Plot users on one axis, groups on the other, and mark the intersecting cells where a user has been granted access to a group. Optionally suppress user entries where users have no access to any groups.

Report 3: Users vs Collections (direct access)

Plot collections on one axis, users on another, and mark intersecting cells where a user has been granted DIRECT access to a collection. Optionally suppress user entries where users have no direct collection grants.

Report 4: Users with “Everything” Access

A simple list of users that have been granted the “all items” level of access.

Report 5: Users with No Access

A simple list of users that are not members of any groups, and do not have direct access to any collections.
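As an added example (not code from this thread or from Bitwarden), the Python below derives the matrix and list reports above from a constructed organization snapshot, merging direct grants, group membership and the “all items” level of access, and answers the original “show me everything this user has access to” question; the field names and the sample users, groups and collections are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample snapshot; the field names are assumptions, not Bitwarden's export format.
ORG = {
    "user_groups": {"alice": ["devops", "finance"], "bob": ["devops"], "carol": [], "dave": [], "erin": []},
    "group_collections": {"devops": ["prod-db", "cloud-root"], "finance": ["bank"]},
    "direct_grants": {"carol": ["vendor-portal"], "bob": ["bank"]},
    "all_items_users": ["dave"],
}

def all_collections(org):
    cols = {c for cs in org["group_collections"].values() for c in cs}
    cols |= {c for cs in org["direct_grants"].values() for c in cs}
    return sorted(cols)

def effective_access(org):
    """user -> {collection -> set of granting paths}, merging group, direct and all-items access."""
    access = {}
    for user, groups in org["user_groups"].items():
        paths = defaultdict(set)
        for g in groups:                      # transitive access via group membership (reports 1 and 2)
            for c in org["group_collections"].get(g, []):
                paths[c].add("group:" + g)
        for c in org["direct_grants"].get(user, []):   # report 3: direct grants
            paths[c].add("direct")
        if user in org["all_items_users"]:    # report 4: "all items" level of access
            for c in all_collections(org):
                paths[c].add("all-items")
        access[user] = dict(paths)
    return access

def rotation_candidates(org, user):
    """Collections a departing user could read; every credential in them may need rotating."""
    return sorted(effective_access(org).get(user, {}))

def users_with_no_access(org):
    """Report 5: users in no group and with no direct grant."""
    return sorted(u for u, cols in effective_access(org).items() if not cols)

def users_vs_collections_csv(org):
    """Users x collections matrix with the granting path in each cell, as CSV text."""
    cols, access = all_collections(org), effective_access(org)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["user"] + cols)
    for user in sorted(access):
        writer.writerow([user] + ["+".join(sorted(access[user].get(c, ()))) for c in cols])
    return buf.getvalue()
```

Because each cell records how the access was granted, the same matrix also shows which group or direct grant to revoke when trimming an existing user’s permissions.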

Any progress on this? I find it very tedious to write down the groups a user has access to, then the collections those groups have access to, then the items in the collections, then additionally the collections the user has direct access to (without group membership) and again the items in those collections. I tried to export all the data and stuffed it into a relational database (without the passwords) and generated reports out of that, but it’s always only a point in time and it is boring and no less tedious …

Hey @MartinAtFox the team is working on a refresh of the admin web vault to improve visualization of relations between users and items/collections.

Ok, that sounds promising! Any rough timeframe for this feature?

To be clear, while it would be useful to be able to see this information in the web vault, we also need a way to generate some sort of permissions audit report, preferably in an easily machine-readable format such as a CSV or spreadsheet.

On my end, I’d like to have a custom report for which I can filter:

  • Time period (from X to Y: Dec 1, 2022 to Feb. 3, 2023) OR since the last credential update vs. the last time it was seen by the user
  • Username

In the end, I’d like to identify which passwords were seen/exposed to a user since the last time they were changed and/or in the last quarter or a custom time period.

I know Secret Server from Thycotic does that and it is really appreciated when an employee quits.

Me too, that would be great.