The Account Permissions Report is used for a detailed analysis of the access rights of a user or group account to scanned directories within the file system. It transparently displays which directories have access, which group memberships are used for this access, and the level of authorization.
The report is typically used in the following use cases:
- At the request of specialist departments, superiors or security officers: “Where is user X authorized?”
- To prepare for audits or reviews (e.g. by CSO or data owner)
- For the documentation or approval of cleanup measures
- For structured analysis and optimization of existing authorization assignments
A key benefit of this analysis is the comprehensive display of all important permission details. For each directory to which the account has access rights, the complete permission path is displayed. This includes both direct assignments and rights acquired through group memberships. Additionally, each individual Access Control Entry (ACE) can be analyzed to gain a complete understanding of the underlying permission structure.
Usage note: The account authorization report is in the standard migRaven Accessible to administrators. It is located in the navigation in the AD Analysis area:
Table of Contents
Step-by-step instructions
1. Select user or group
After calling the report, a search field (1) is displayed. Here, you can search specifically for a user or group whose permissions you want to evaluate.
2. Start report
After selecting a user or group account, the report is loaded by clicking on “Start” (2).
The right pane displays the number of directories to which the account has access rights. The filter bar appears on the left side with various options for refining the analysis.
3. Use filters
The results can be narrowed down using the following categories:
- authorization
Choice between direct and indirect authorizations - authorization
Filter by specific authorization types such as “Read and Execute”, “Modify” or “Full Control” - Allow/Deny
Differentiation between permitted and denied rights - Inheritance & Passing On
Evaluation of inherited permissions - Quality of authorizations
Identification of redundancies or inconsistent entries
4. Analyze indirect permissions
If indirect permissions have been enabled (4), a group selector can also be used. This allows you to specifically identify the groups through which a user receives their permissions. This facilitates the targeted analysis of nested group memberships.
Clicking on “Select Groups” (5) opens the Group Explorer in a new sidebar (6).
5. Export report or view in browser
Two variants are available for evaluation and further use:
Excel Report (7)
Contains all analyzed authorization entries in a structured format. The report is divided into several worksheets:
"Overview", “Directory permissions”, “Authorized Groups” and "Configuration".
This makes it ideal for documentation, archiving or distribution to IT managers, auditors or specialist departments.
Online report (8)
Interactive display in the browser with the set filters. The online report is particularly suitable for spontaneous analyses and meetings with specialist departments or data owners. Access is possible directly in the migRaven Web interface – no additional software or exports required.
Example: Excel Report
The Excel report is divided into several clear worksheets:
"Overview", “Directory permissions”, “Authorized Groups” and "Configuration".
In the spreadsheet “Directory permissions” You will find a detailed list of all directories to which the selected account has access rights. For each entry, the following information is displayed:
- through which group membership the authorization is granted,
- the complete authorization path,
- the depth of group nesting,
- the type of authorization (e.g. read and execute),
- as well as other relevant details on the authorization structure.
Note: In our example, the report contains only a few entries due to a dummy user. In a real-world environment, the analysis would be correspondingly more comprehensive.
Example: Online Report
The online report provides a clear, interactive display of all permissions of the selected user or group in the browser.
To view the permission status for a specific directory, the corresponding path must first be expanded. Only then will the corresponding columns be populated with the relevant information. This includes:
- Inheritance interruption: Indicates whether inheritance was broken at this point
- ACE path: The full path to the respective Access Control Entry
- Permissions: The specific rights granted
- Refused: Indicates whether the rights are denied
- Is Direct: Shows whether the permission was applied directly to the account
- Applied to: Specifies the scope of the permission (e.g. only this directory or also subdirectories or files)
The online report is particularly suitable for quick analyses in the browser and for joint viewing with specialist departments or data owners – without additional software or local exports.
