When someone leaves our company, we need to be able to audit which shared credentials they had access to so we know which ones might need to be rotated.
Right now that means determining which groups they were in and then clicking through the user and group lists of every collection in the organization, one by one, by hand, to check which ones they’re on.
There really ought to be a way to say, “Show me everything that this user has access to.”
(We could implement this in the CLI if the CLI had full user / group / collection management functionality, but it doesn’t. I believe there’s a separate feature request open about that…)
I’m necroing this since it seems this is the main topic about this issue.
We have close to 600 passwords and are planning to do fine-grained access control so that a user sees only the minimum passwords they need for their work. It would be a big hassle to go through all this information manually when someone leaves the organization.
Any particular suggestions or recommendations around this kind of report that would make it the most useful?
What data elements and types of things would you think should be shown? What format (grid, matrix, grouped report, etc.)? Should elements be interactive or just a flat report? Any other ideas, thoughts or feedback?
A report will be a good idea (when a user leaves, for example).
And for everyday use, a small popup can appear when clicking on the “shared” icon, with a list of groups/users who can access (red for all access, green for hidden password access, for example).
I’m not sure exactly what I would want to see in security audit reporting for access per-user, but being able to determine what access a specific user has (from their perspective) to a single, or multiple orgs’, content, and then determine how that access is granted, would be a good starting point. I’m of the mindset this doesn’t necessarily need to only be built for staff-leaving scenarios too, as this can be useful for trimming existing-staff permissions, and compliance audits, etc. (sorry if I spooked anyone just now)
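The per-user report discussed in this thread, sketched as an added example that is not part of any post above and not the product's own code: it resolves one user's access to every collection, records whether each grant is direct or via a group, and lists the collections whose credentials are rotation candidates. The data layout, the permission names (`full`, `read_only`, `hide_passwords`) and the function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data in a hypothetical layout (not a real export format).
GROUP_MEMBERS = {
    "ops": {"alice", "bob"},
    "finance": {"carol"},
    "contractors": {"bob"},
}
# collection -> list of (grantee_type, grantee_name, permission)
COLLECTION_GRANTS = {
    "prod-db": [("group", "ops", "full")],
    "payroll": [("group", "finance", "full"), ("user", "bob", "hide_passwords")],
    "vendor-portals": [("group", "contractors", "read_only"), ("group", "ops", "full")],
    "marketing": [("user", "carol", "full")],
}
# Assumption: these permissions let the user see the secret itself.
# A stricter offboarding policy would add "hide_passwords" here as well.
REVEALING = {"full", "read_only"}


def access_report(user):
    """Return {collection: [(path, permission), ...]} for every grant reaching user."""
    report = defaultdict(list)
    for collection, grants in COLLECTION_GRANTS.items():
        for kind, name, perm in grants:
            if kind == "user" and name == user:
                report[collection].append(("direct", perm))
            elif kind == "group" and user in GROUP_MEMBERS.get(name, set()):
                report[collection].append((f"group:{name}", perm))
    return dict(report)


def rotation_candidates(user):
    """Collections where at least one grant let the user view the passwords."""
    return sorted(
        collection
        for collection, paths in access_report(user).items()
        if any(perm in REVEALING for _, perm in paths)
    )


if __name__ == "__main__":
    for collection, paths in sorted(access_report("bob").items()):
        print(collection, paths)
    print("rotate:", rotation_candidates("bob"))
```

Keeping the grant path next to each permission shows how access was obtained, so the same report serves permission trimming for existing staff as well as offboarding.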