User management and permission reports
With product version 4.7.2, we added the ability to generate three separate reports to assess the system's users, groups, permissions, and authorizations. The reports can be extracted in xlsx or csv format.
User and group report
The new user and group report enables our customers to effortlessly export a list of the current users, groups, and group memberships. This functionality targets audits, system assessments, and migrations to Celonis 4.
To create the export in xlsx or csv format, simply navigate to:
<celonis_url>/api/user_group_roles_report/xlsx
<celonis_url>/api/user_group_roles_report/csv
Note: The user generating the export requires the following three roles (e.g., the initial sysadmin user):
System Administrator
Global Content Administrator
User Administrator
Content of the user and group report:
All users (incl. user information such as ID, name, e-mail, roles)
Groups the users are a member of (incl. group information such as ID, name, roles)
Effective roles of the users (taking into consideration the roles directly assigned to the users and the ones assigned to the users via group memberships)
Note: Any user can appear multiple times in the report if they are part of multiple groups.
Example (including selected columns):
User ID | User Name | System Admin | User Admin | Content Admin | Group ID | Group Name | G. System Admin | G. User Admin | G. Content Admin | Ef. System Admin | Ef. User Admin | Ef. Content Admin |
---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | sysadmin | true | true | true | | | | | | true | true | true |
2 | analyst | false | false | false | 12 | analysts | true | false | false | true | false | true |
2 | analyst | false | false | true | 14 | analysts_EMEA | false | false | false | true | false | true |
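Because each user appears once per group membership, an audit usually starts by collapsing the rows and asking where each effective role comes from. The following is an added example, not part of the product or its documentation; it assumes the csv export uses the column names of the example table, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like the example table; the column names of a real
# export are an assumption and may need adjusting.
SAMPLE_CSV = """\
User ID,User Name,System Admin,User Admin,Content Admin,Group ID,Group Name,\
G. System Admin,G. User Admin,G. Content Admin,Ef. System Admin,Ef. User Admin,Ef. Content Admin
1,sysadmin,true,true,true,,,,,,true,true,true
2,analyst,false,false,true,12,analysts,true,false,false,true,false,true
2,analyst,false,false,true,14,analysts_EMEA,false,false,false,true,false,true
3,viewer,false,false,false,14,analysts_EMEA,false,false,false,false,false,false
"""
ROLES = ("System Admin", "User Admin", "Content Admin")


def _flag(cell):
    return (cell or "").strip().lower() == "true"


def role_sources(report_file):
    """Collapse one-row-per-membership into {user: {effective role: [sources]}}."""
    sources = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(report_file):
        user = sources[row["User Name"]]
        for role in ROLES:
            if not _flag(row["Ef. " + role]):
                continue
            grants = user[role]  # created even if no source explains the role
            if _flag(row[role]):
                grants.add("direct")
            if row["Group ID"] and _flag(row["G. " + role]):
                grants.add("group:" + row["Group Name"])
    return {u: {r: sorted(s) for r, s in roles.items()} for u, roles in sources.items()}


def group_only_admins(report_file):
    """Users whose effective role comes solely from group membership."""
    found = role_sources(report_file)
    return sorted((u, r, s) for u, roles in found.items()
                  for r, s in roles.items() if s and "direct" not in s)


if __name__ == "__main__":
    print(group_only_admins(io.StringIO(SAMPLE_CSV)))
```

An effective role with an empty source list means the row's direct and group columns do not explain it, which is worth checking by hand.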
Permission report
In addition to the user report, a permission report can be generated. This report lists the content permissions (folder, analysis, data model) of every user and whether access was granted at user or group level.
To create the export in xlsx or csv format, simply navigate to:
<celonis_url>/api/user_permissions_report/xlsx
<celonis_url>/api/user_permissions_report/csv
Note: The user generating the export requires the following three roles (e.g., the initial sysadmin user):
System Administrator
Global Content Administrator
User Administrator
Content of the permission report:
All content objects (incl. object information such as ID, name, type)
All users permitted to the content objects (incl. user information such as ID, name, e-mail)
In case the access is granted on group level: ID and name of the group that provides the permission to the respective user
The effective permissions on the content (Administrate, Create Document, Edit Document, View Document, Create Data Model, Edit Data Model, Use Data Model)
Further information about the project the content object is located in (ID, name)
The effective roles of the respective user (taking into consideration the roles directly assigned to the user and the ones assigned to the user via group memberships)
Note: Any given content object will appear multiple times in the report if more than one user can access it.
Example (including selected columns):
Entry ID | Entry Name | Entry Type | User ID | User Name | Group ID | Group Name | Create | Edit | View | Project ID | Project Name | Ef. Content Admin |
---|---|---|---|---|---|---|---|---|---|---|---|---|
22 | P2P Analysis | Document | 2 | analyst | 12 | analysts | true | true | true | 1 | P2P | false |
23 | P2P_EMEA | Folder | 2 | analyst | | | false | false | true | 1 | P2P | false |
24 | P2P DM | Data Model | 4 | engineer | | | true | true | true | 1 | P2P | false |
Authorization report
Lastly, an authorization report can be generated. This report lists authorization objects that have a manual value mapping (authorization objects querying databases are not taken into consideration here).
To create the export in xlsx or csv format, simply navigate to:
<celonis_url>/api/user_authorizations_report/xlsx
<celonis_url>/api/user_authorizations_report/csv
Note: The user generating the export requires the following three roles (e.g., the initial sysadmin user):
System Administrator
Global Content Administrator
User Administrator
Content of the authorization report:
All data models with authorization objects assigned to them (incl. information such as ID, name)
All users the objects are assigned to (incl. information such as ID, name, e-mail)
All authorization objects with manual value mapping (incl. information such as name, authorized table, authorized column, and authorized values)
The projects the respective data models are located in (incl. information such as ID, name)
Note: Any authorization object will appear multiple times in the report if:
it is assigned to more than one user or data model
multiple values are permitted to the user
Example (including selected columns):
Data Model ID | Data Model Name | User ID | Username | Authorization Name | Table | Column | Value | Project ID | Project Name |
---|---|---|---|---|---|---|---|---|---|
24 | P2P DM | 2 | analyst | P2P_EMEA | EKKO | MANDT | M1 | 1 | P2P |
24 | P2P DM | 2 | analyst | P2P_EMEA | EKKO | MANDT | M2 | 1 | P2P |
25 | P2P DM | 4 | engineer | P2P_EMEA | EKKO | MANDT | M2 | 1 | P2P |
26 | AP DM | 4 | engineer | AP_APAC | EKKO | MANDT | M2 | 2 | AP |
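Since the report has one row per permitted value, reviewing it means regrouping the rows into the set of values each user may see per data model and column, and comparing two exports shows what was granted or revoked in between. The following is an added example, not part of the product or its documentation; the column names follow the example table and are an assumption about the csv export, and both sample exports are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed samples shaped like the example table (column names assumed):
# two exports of the same system taken at different times.
HEADER = "Data Model ID,Data Model Name,User ID,Username,Authorization Name,Table,Column,Value,Project ID,Project Name\n"
BEFORE_CSV = HEADER + """\
24,P2P DM,2,analyst,P2P_EMEA,EKKO,MANDT,M1,1,P2P
24,P2P DM,2,analyst,P2P_EMEA,EKKO,MANDT,M2,1,P2P
25,P2P DM,4,engineer,P2P_EMEA,EKKO,MANDT,M2,1,P2P
"""
AFTER_CSV = BEFORE_CSV + """\
25,P2P DM,4,engineer,P2P_EMEA,EKKO,MANDT,M1,1,P2P
26,AP DM,4,engineer,AP_APAC,EKKO,MANDT,M2,2,AP
"""


def authorized_values(report_file):
    """Collapse one-row-per-value into {(user, data model ID, TABLE.COLUMN): {values}}."""
    scope = defaultdict(set)
    for row in csv.DictReader(report_file):
        key = (row["Username"], row["Data Model ID"], row["Table"] + "." + row["Column"])
        scope[key].add(row["Value"])
    return dict(scope)


def scope_changes(before_file, after_file):
    """Return (granted, revoked) lists of (user, data model ID, column, value)."""
    before = authorized_values(before_file)
    after = authorized_values(after_file)
    granted, revoked = [], []
    for key in before.keys() | after.keys():
        old, new = before.get(key, set()), after.get(key, set())
        granted += [key + (v,) for v in new - old]
        revoked += [key + (v,) for v in old - new]
    return sorted(granted), sorted(revoked)


if __name__ == "__main__":
    granted, revoked = scope_changes(io.StringIO(BEFORE_CSV), io.StringIO(AFTER_CSV))
    print("granted:", granted)
    print("revoked:", revoked)
```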