Assets Access Report
The Assets Access Report provides a comprehensive view of who has access to what assets within your environment, what level of permissions they have, and how those permissions were granted. It is designed to assist site administrators, auditors, and identity governance teams in understanding and managing access rights across all site assets.
Purpose
The Assets Access Report is designed to answer key permission questions for each asset:
- Who can access it? Lists all users with explicit or inherited access to the asset.
- How did they get access? Shows the full group path that led to the access being granted, if permission was granted via group membership.
- What can they do? Displays the specific permissions granted to each user.
This allows organizations to:
- Present auditors with an authoritative snapshot of access rights.
- Detect orphaned or unused ("dead") access.
- Support access review and certification processes as part of identity governance.
Report Structure
Each row in the Access Report corresponds to a single asset. The following columns are included:
Column | Description |
---|---|
Asset | The display name of the asset. This is a clickable link that opens the asset's details. |
Type | The asset type (e.g., Windows Host, WEB Portal, Unix Host). |
Location | The full hierarchical path to the asset within the site structure. Useful for understanding placement within business units. |
ACL | A detailed breakdown of each user with access, how access was granted via group membership, and the specific permissions. See below for ACL details. |
ACL (Access Control List) Details
The ACL column provides a structured list of all users with access to the asset. Each ACL entry includes:
- User / Directory: The specific user, and their origin user directory, that has access. For example: bwilliams@contoso.com / ADprod
- Group Path: The inheritance chain showing how the access was granted via group(s). If permission is assigned directly to a user, rather than via group membership, the Group Path will not be included.
  - This displays the full group path (which may include nested groups) that ultimately resolves to the individual user.
  - Each step in the chain is shown to provide transparency into how the permission flows.
- Permissions: The exact permissions that have been assigned (e.g., Asset Viewer, No Container Permissions, No Execute Permissions).
Example ACL Entry:
- User: bwilliams@contoso.com
- User Directory: ADprod
- Group Path: Global IT Team / local , Privileged Access Group / local , Database Admins / ADprod
- Permissions: Asset Viewer, Container Viewer, No Execute Permission
Full ACL Example Entry:
bwilliams@contoso.com (Brian Williams) / ADprod < Global IT Team / local , Privileged Access Group / local , Database Admins / ADprod -> Asset Viewer, Container Viewer, No Execute Permission
Explanation:
The user Brian Williams (bwilliams@contoso.com) belongs to the externally integrated Active Directory with the name ADprod and has been granted the following permissions on the asset MSSQL Prod 01:
- Asset Viewer
- Container Viewer
- No Execute Permission
These permissions are not assigned directly to the user, but are inherited through a nested group structure, as follows:
- The user is a member of the Database Admins group in the ADprod directory.
- This group is included in the local group Privileged Access Group.
- That group, in turn, is included in the top-level local group Global IT Team.
- The permissions are assigned at the level of the Global IT Team, and inherited down the chain to the user.
This structure demonstrates indirect access through nested group membership across both local groups and an external directory group, which is fully resolved in the Access Report.
Alternatively, if the same user were granted the same permissions on the same asset directly, rather than through a nested group structure, their ACL details would appear as:
bwilliams@contoso.com (Brian Williams) / ADprod -> Asset Viewer, Container Viewer, No Execute Permission
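As an added example (not part of the product or its documentation), the following Python code parses ACL strings in the layout of the two sample entries above and separates direct grants from group-inherited ones for an access review. The grammar is inferred from those samples, so it assumes group names contain no commas and that each ACL entry arrives as its own string; the jdoe entry and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class AclEntry:
    user: str
    display_name: str
    directory: str
    group_path: list   # [(group, directory), ...] top-level group first; empty if direct
    permissions: list

def _name_and_dir(text):
    """Split 'name / directory' on the last slash."""
    name, sep, directory = text.rpartition("/")
    if not sep or not name.strip():
        raise ValueError(f"expected 'name / directory', got {text!r}")
    return name.strip(), directory.strip()

def parse_acl_entry(entry):
    """Parse 'user (Name) / dir [< group / dir , ...] -> perm, perm'."""
    subject, arrow, perms = entry.partition("->")
    if not arrow:
        raise ValueError(f"no '->' separator in {entry!r}")
    principal, _, path = subject.partition("<")
    who, directory = _name_and_dir(principal)
    m = re.fullmatch(r"(\S+)\s*(?:\((.*)\))?", who)
    if not m:
        raise ValueError(f"unrecognised user field {who!r}")
    groups = [_name_and_dir(g) for g in path.split(",") if g.strip()]
    permissions = [p.strip() for p in perms.split(",") if p.strip()]
    return AclEntry(m.group(1), m.group(2) or "", directory, groups, permissions)

def review_summary(entries):
    """Separate direct grants from inherited ones and report nesting depth."""
    parsed = [parse_acl_entry(e) for e in entries]
    return {
        "direct": [e.user for e in parsed if not e.group_path],
        # First group in the path is the top-level group where the permission is assigned.
        "granted_at": {e.user: e.group_path[0][0] for e in parsed if e.group_path},
        "max_depth": max((len(e.group_path) for e in parsed), default=0),
    }

SAMPLE = [  # first entry is the page's example; the jdoe entry is constructed
    "bwilliams@contoso.com (Brian Williams) / ADprod < Global IT Team / local , "
    "Privileged Access Group / local , Database Admins / ADprod -> "
    "Asset Viewer, Container Viewer, No Execute Permission",
    "jdoe@contoso.com (Jane Doe) / ADprod -> Asset Viewer",
]
```

Direct grants are worth listing separately in a review because they bypass group-based management, and the top-level granting group shows where a permission would have to be changed to affect every inherited user.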
Report Controls
The Filter control enables users to refine report rows based on specified search criteria.
The Pagination control enables users to navigate between report pages, adjust page size, and view the total number of rows alongside the current rows displayed on the page.
The Sort control is indicated by up or down arrows next to sortable report column names when hovering over them. Clicking on the sort control will refresh the report, applying either ascending or descending sorting based on the current selection visible on the active sort column.
The Column filter control, represented by a funnel icon next to report columns that support filtering, is located to the left of the column title. It presents filtering options specific to each selected column. The current filter selection for a column is displayed in the Conditions box at the top right corner of the report. The funnel icon corresponding to the active filter column is highlighted in the report header. Use the "Clear Filters" button to reset all filter controls to their default values.
The Export control allows users to download report data in their chosen format (CSV or PDF). If specific report rows are selected using checkboxes on the left side of each row, the exported file will only include these selected rows. Otherwise, it will include all rows that meet the current filter and search criteria.
The Details control allows expanding each row to display all fields, including those not initially selected for the tabulated report columns.
The Include in List / Exclude from List control allows users to add or remove a field from the list of columns displayed in the tabulated report. This control is represented by an indicator (a green check mark for included columns or a red cross for excluded ones) located to the right of the field name within the expanded details panel of the report. Clicking on the indicator updates the visibility of the column in the list accordingly.