User Access Report
in Secret Server
Master one of Secret Server's most powerful governance tools. This interactive guide will walk you through everything you need to know โ from what the report does to how it supports audit, compliance, and security operations.
This guide is designed for Secret Server administrators, security analysts, IT auditors, and compliance officers who manage or oversee privileged access within their organisation.
Learning Objectives
By the end of this module, you will be able to:
Explain what the report is, what data it surfaces, and how it fits into the broader PAM framework in Secret Server.
Navigate the report's columns, filters, and export options with confidence.
Use the report to support audit requests, access reviews, and security investigations.
Walk through the end-to-end process of running, filtering, and sharing a User Access Report.
What Is the User Access Report?
The User Access Report in Secret Server is a built-in governance and audit report that provides a consolidated, on-demand view of which users have access to which secrets โ and exactly what level of access they hold.
It answers the most critical questions in privileged access managementPAM: A security discipline focused on controlling, monitoring, and auditing access to privileged credentials and systems.:
"Who can access what โ and what can they do with it?" These are the two fundamental questions of any access control audit. The User Access Report surfaces both in a single exportable view.
Context Within Secret Server
Secret Server stores and manages privileged credentials โ passwords, SSH keys, API tokens, certificates โ called Secrets. Access to these Secrets is controlled through a layered permission model involving:
| Entity | Description | Scope |
|---|---|---|
| Users | Individual accounts in Secret Server, local or synced via AD | Global |
| Groups | Collections of users; permissions can be assigned at group level | Global |
| Folders | Hierarchical containers for organising Secrets | Folder-level |
| Secrets | Individual privileged credentials or items | Secret-level |
The User Access Report aggregates all of these layers into a single, readable view โ showing the effective access each user has, regardless of whether that access was granted directly or inherited through group membership or folder permissions.
Where to Find It
The report is accessed via the Reports module in Secret Server:
(Admin view) Admin โ Reports โ Security Hardening & Compliance
The User Access Report is a standard built-in feature available to all Secret Server editions โ no additional modules or licensing are needed to access it.
Report Permissions
To run the User Access Report, a user must have the "View Reports" role permission in Secret Server. Typically this is available to:
Full access by default. Can run the report across all users, groups, folders, and secrets.
Delegated "View Reports" permission allows read-only access to all reporting functionality.
Can be granted access for ad-hoc investigations and periodic access reviews.
Do not have access to the report by default. Access must be explicitly granted via role assignment.
Key Features
The User Access Report is rich with features designed for both day-to-day operational use and formal compliance audits. Here is a comprehensive breakdown.
1. Effective Access Visibility
Unlike raw permission tables, the User Access Report surfaces effective access โ taking into account direct permissions, group memberships, folder inheritance, and workflow approvalsWorkflow approvals in Secret Server allow access to be gated behind an approval process, adding an extra layer of control for sensitive secrets.. What you see is what the user can actually do.
A user may not have direct access to a secret, but they may be a member of a group that does. Effective access reporting reveals this โ a critical distinction for compliance.
2. Report Columns & Data Fields
The report displays a structured set of columns that can be filtered and sorted:
| Column | Description | Use For |
|---|---|---|
| User Name | The Secret Server username | User identification |
| Display Name | Full name of the user | Readability in exports |
| Domain | AD domain or "Local" | Source system identification |
| Secret Name | Name of the credential/secret | Asset identification |
| Folder Path | Full folder hierarchy to the secret | Scope / context |
| Permission Type | View, Edit, Owner, or Approver | Access level audit |
| Inherited Via | How access was granted (direct/group/folder) | Access tracing |
| Active | Whether the user account is enabled | Dormant account detection |
3. Flexible Filtering
Administrators can narrow the report scope using multiple filter dimensions simultaneously:
Run the report for a specific user or all members of a selected group. Ideal for user-specific access reviews.
Scope the report to a specific folder or folder tree, showing all users who can access secrets within that scope.
Run the report against a specific secret to see every user who has access โ at any permission level.
Filter to show only users with "Owner" access, "View only", or any specific combination of permissions.
4. Permission Level Breakdown
Secret Server uses a four-tier permission model for secrets. The report clearly identifies which tier each user holds:
| Permission | Can View Password? | Can Edit Secret? | Can Manage Permissions? |
|---|---|---|---|
| View | โ Yes | โ No | โ No |
| Edit | โ Yes | โ Yes | โ No |
| Owner | โ Yes | โ Yes | โ Yes |
| Approver | โ Context-dependent | โ No | โ No |
5. Export & Share
Results can be exported in multiple formats for use in ticketing, audit submissions, or stakeholder reporting:
6. Integration with Secret Server Audit Logs
The User Access Report is complemented by Secret Server's comprehensive audit trail. Each time the report is generated, this action is logged โ providing meta-audit capability (audit of who ran the audit report, and when).
Business Benefits
The User Access Report is not just a technical report โ it delivers measurable business value across security, compliance, and operational efficiency dimensions.
Compliance & Regulatory Support
Many regulatory frameworks mandate that organisations be able to demonstrate who has access to what at any point in time. The User Access Report directly supports compliance with:
Demonstrates segregation of duties and least-privilege access for financial systems. Essential for IT General Controls (ITGC) audits.
Provides evidence that access to systems storing Protected Health Information (PHI) is appropriately restricted and monitored.
Supports Requirement 7 (restrict access to cardholder data) and Requirement 8 (identify and authenticate access) with documented access records.
Supports access control and data protection objectives by demonstrating enforcement of least-privilege principles across the organisation.
Operational Security Benefits
Regularly running the User Access Report helps teams identify and remediate over-privileged accounts โ users who have access to more than their role requires. This reduces the attack surface significantly.
The "Active" field flags disabled or inactive accounts that still hold secret permissions. These dormant accounts are prime targets for attackers and should be remediated promptly.
Unexpected access โ particularly Owner-level permissions on sensitive secrets โ can be an early indicator of insider threat activity or account compromise. The report enables rapid detection.
When an employee changes role or leaves the organisation, the report confirms whether their Secret Server access has been fully revoked or appropriately updated โ preventing stale access from persisting.
Time & Cost Efficiency
Before purpose-built PAM reporting, access reviews often required manual scripting, database queries, or multi-team collaboration to assemble. The User Access Report:
What previously required hours of manual data gathering can be accomplished in minutes. A complete access snapshot across thousands of secrets can be exported and reviewed in a single session โ significantly reducing audit preparation costs.
Most compliance frameworks require periodic (typically quarterly or annual) access certifications. Scheduled delivery of the User Access Report automates the data-collection step of this process, enabling reviewers to focus on decision-making rather than information gathering.
How to Run the Report
Follow these steps to generate a User Access Report in Secret Server. The process is the same whether you are running it on-premises or via the Delinea cloud platform.
Ensure you are logged in to Secret Server with an account that holds the "View Reports" role permission. If you cannot access the Reports menu, contact your Secret Server administrator.
Step-by-Step Walkthrough
From the main navigation bar, select Reports. In older UI versions, this may be under Admin โ Reports.
In the Reports library, navigate to the Security or Access category. Select "User Access Report" from the list.
Use the filter panel to scope the report. You can filter by User, Group, Folder, Secret, or Permission Level. Leave all filters blank to return all data across the entire system.
Click the "Run Report" button. Depending on the size of your Secret Server environment, results may take a few seconds to load. Large environments with thousands of secrets may take up to 30โ60 seconds.
Review the on-screen results table. Sort by any column by clicking the column header. Use the search box above the table to apply an additional keyword filter on the visible results.
Click the "Export" button and select your preferred format: CSV PDF Excel. The exported file will include the applied filters and a timestamp in the filename.
Click "Schedule" to set up automatic report runs. Configure the frequency (daily, weekly, monthly), recipients (email addresses), and format. Scheduled reports run automatically without any manual intervention.
Tips for Effective Reporting
Real-World Scenarios
The User Access Report is versatile. Here are the most common real-world scenarios in which security and compliance teams use it โ along with the recommended approach for each.
๐ Annual SOX IT General Controls Audit
An external auditor requests evidence that access to financial system credentials (e.g., database passwords for ERP systems) is restricted to authorised individuals only, with no shared or excessive permissions.
Approach: Filter the User Access Report by the folder containing financial system secrets. Export to PDF. Review for any accounts with Owner permissions who are not on the approved access list. Present the export as audit evidence. Schedule quarterly delivery for ongoing compliance.
๐ช Employee Offboarding Verification
A senior system administrator has left the company. The IT team has disabled their Active Directory account, but you need to confirm their Secret Server access has also been fully revoked.
Approach: Filter the User Access Report by the departing user's username. If any secrets still appear in the results, investigate how access persists (direct permission vs. group membership) and remediate accordingly. The "Inherited Via" column will indicate the exact source of any residual access.
๐ Quarterly Access Certification
Department heads are required to certify every quarter that their team members have appropriate access to privileged credentials. The process was previously manual and error-prone.
Approach: Schedule the User Access Report to run monthly and deliver group-scoped exports to each department head. Structure the email distribution by group, so each manager receives only the data relevant to their team. Managers review and sign off or request remediation.
๐ Security Incident Investigation
A security alert has fired on a production server. The incident response team needs to quickly determine which users had access to the server's privileged credentials at the time of the incident.
Approach: Filter the User Access Report by the specific secret (e.g., the server's local admin password). The report will immediately return the full list of users with access, their permission level, and how they obtained that access. Cross-reference with the audit log to determine who actually used the credential.
โ ๏ธ Dormant Account Cleanup
A periodic security review has flagged that some user accounts in Secret Server may belong to former contractors or unused service accounts, posing an unnecessary risk.
Approach: Run the User Access Report with the "Active = No" filter (if available) or export the full report and filter the "Active" column in Excel. Identify all secrets held by inactive accounts and work with the access owner to either remove permissions or formally document the exception.
Scenarios A and C are excellent candidates for scheduled report delivery. Set them up once and let Secret Server handle the data collection automatically โ freeing your team to focus on reviewing and acting on the results.
Knowledge Check
Test your understanding of the User Access Report. Answer all six questions โ you'll receive immediate feedback after each answer. Results are tracked for your completion certificate.
Training Complete!
You've completed the Secret Server User Access Report training. You now have the knowledge to leverage this powerful report for security, compliance, and operational efficiency.
What You've Learned
Understand what the User Access Report is and how it fits into the PAM governance framework.
Navigate effective access data, permission levels, filters, and export options with confidence.
Apply the report to compliance frameworks (SOX, PCI, HIPAA) and security operations.
Tackle real-world use cases including audits, offboarding verification, and incident response.
Recommended Next Steps
Explore related training modules: Secret Activity Reports, Role-Based Access Control in Secret Server, Configuring Approval Workflows, and Active Directory Synchronisation to deepen your PAM expertise.