When someone leaves our company, we need to be able to audit which shared credentials they had access to so we know which ones might need to be rotated.
Right now that means determining which groups they were in and then clicking through the user and group lists of every collection in the organization, one by one, by hand, to check which ones they’re on.
There really ought to be a way to say, “Show me everything that this user has access to.”
(We could implement this in the CLI if the CLI had full user / group / collection management functionality, but it doesn’t. I believe there’s a separate feature request open about that…)
I’m necroing this since it seems this is the main topic about this issue.
We have close to 600 passwords and are planning to do fine-grained access control so that a user sees only the minimum passwords they need for their work. It would be a big hassle to go through all this information manually when someone leaves the organization.
Any particular suggestions or recommendations around this kind of report that would make it the most useful?
What data elements and types of things would you think should be shown? What format (grid, matrix, grouped report, etc.)? Should elements be interactive or just a flat report? Any other ideas, thoughts or feedback?
A report would be a good idea (when a user leaves, for example).
And for everyday use, a small popup could appear when clicking on the “shared” icon, with a list of the groups/users who can access it (red for all access, green for hidden-password access, for example).
I’m not sure exactly what I would want to see in security audit reporting for access per user, but being able to determine what access a specific user has (from their perspective) to a single org’s, or multiple orgs’, content, and then determine how that access is granted, would be a good starting point. I’m of the mindset that this doesn’t necessarily need to be built only for staff-leaving scenarios, as it can be useful for trimming existing staff permissions, compliance audits, etc. (sorry if I spooked anyone just now)
Any progress on this? I find it very tedious to write down the groups a user has access to, then the collections these groups have access to, then the items in those collections, and then additionally the collections the user has direct access to (without group membership) and again the items in those collections. I tried to export all the data and stuffed it into a relational database (without the passwords) and generated reports out of that, but it’s always only a point in time and it is boring and no less tedious …
To be clear, while it would be useful to be able to see this information in the web vault, we also need a way to generate some sort of permissions audit report, preferably in an easily machine-readable format such as a CSV or spreadsheet.
On my end, I’d like to have a custom report for which I can filter:
Time period (from X to Y: Dec 1, 2022 to Feb. 3, 2023) OR since last cred update VS last time seen by user
Username
In the end, I’d like to identify which passwords were seen/exposed to a user since the last time they were changed and/or in the last quarter or a custom time period.
I know Secret Server from Thycotic does that and it is really appreciated when an employee quits.
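The two reports asked for in this thread (the transitive group → collection → item walk a few posts up, and the “seen since last rotation / within a time window” filter just above) are the same computation with an event log bolted on. The script below is an added example, not code from Bitwarden or from anyone in this thread; the user/group/collection/item tables, the view-event log and the ISO timestamps are constructed sample data and their field names are an assumption, not any vault export format. It resolves every path by which a user reaches an item (group membership and direct collection assignment), flags items the user viewed after their last rotation, optionally restricts that to a time window, and emits the CSV a departing-user review could be driven from.

```python
"""Effective-access and exposure report for a departing user (constructed example)."""
import csv
import io
from datetime import datetime, timezone

# --- Constructed sample data; names and shapes are an assumption, not an export format ---
USER_GROUPS = {"alice": ["devops", "finance"], "bob": ["devops"]}
USER_DIRECT_COLLECTIONS = {"alice": ["ci-secrets"], "bob": []}
GROUP_COLLECTIONS = {
    "devops": ["prod-db", "ci-secrets"],
    "finance": ["bank-logins"],
    "hr": ["payroll"],
}
COLLECTION_ITEMS = {
    "prod-db": ["postgres-admin", "redis-prod"],
    "ci-secrets": ["gh-deploy-token"],
    "bank-logins": ["bank-portal"],
    "payroll": ["payroll-saas"],
}
ITEM_LAST_ROTATED = {
    "postgres-admin": "2023-01-10T00:00:00Z",
    "redis-prod": "2023-02-01T00:00:00Z",
    "gh-deploy-token": "2022-11-05T00:00:00Z",
    "bank-portal": "2023-01-15T00:00:00Z",
    "payroll-saas": "2023-01-01T00:00:00Z",
}
# Constructed (user, item, timestamp) "password viewed" events
VIEW_EVENTS = [
    ("alice", "postgres-admin", "2023-01-20T09:00:00Z"),
    ("alice", "redis-prod", "2023-01-25T09:00:00Z"),      # viewed before its rotation: not exposed
    ("alice", "gh-deploy-token", "2022-12-01T09:00:00Z"),
    ("bob", "postgres-admin", "2023-01-12T09:00:00Z"),
]


def _ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' stamps used in the sample data as aware UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def effective_access(user):
    """Map every item the user can currently reach to the set of paths granting it."""
    paths = {}

    def grant(collection, via):
        for item in COLLECTION_ITEMS.get(collection, []):
            paths.setdefault(item, set()).add(f"{via} -> collection:{collection}")

    for group in USER_GROUPS.get(user, []):
        for collection in GROUP_COLLECTIONS.get(group, []):
            grant(collection, f"group:{group}")
    for collection in USER_DIRECT_COLLECTIONS.get(user, []):
        grant(collection, "direct")
    return paths


def exposed_items(user, since=None, until=None):
    """Items the user viewed AFTER their last rotation, i.e. the ones still worth rotating.

    Exposure is independent of current access: a view that happened while access was
    later revoked still counts. `since`/`until` narrow the events to a time window.
    Returns {item: latest qualifying view timestamp}.
    """
    lo = _ts(since) if since else None
    hi = _ts(until) if until else None
    exposed = {}
    for who, item, when in VIEW_EVENTS:
        if who != user or item not in ITEM_LAST_ROTATED:
            continue
        t = _ts(when)
        if (lo and t < lo) or (hi and t > hi):
            continue
        if t > _ts(ITEM_LAST_ROTATED[item]):
            exposed[item] = max(exposed.get(item, t), t)
    return exposed


def access_report_csv(user, since=None, until=None):
    """Flat CSV: one row per item the user can reach or has been exposed to."""
    access = effective_access(user)
    exposed = exposed_items(user, since, until)
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["user", "item", "granted_via", "last_rotated", "exposed_since_rotation"])
    for item in sorted(set(access) | set(exposed)):
        vias = "; ".join(sorted(access.get(item, {"(no current access)"})))
        w.writerow([user, item, vias, ITEM_LAST_ROTATED[item],
                    exposed[item].isoformat() if item in exposed else "no"])
    return buf.getvalue()


if __name__ == "__main__":
    print(access_report_csv("alice"))
```

The `granted_via` column is what makes the report actionable: an item reached both through a group and through a direct assignment (as `gh-deploy-token` is for `alice`) still needs both grants removed, and an item that was viewed before its last rotation drops out of the rotation list automatically.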