User Inactivity Analysis¶
The User Inactivity Analysis tab shows the User Inactivity report, which lists users who have access to selected data objects, but have not queried the data objects within a given timeframe. This lets you review users who are not using their access to data and who should possibly have this access revoked.
Set the Report Time Range¶
Select a range for the report in the range box or specify a custom range by selecting the Use custom range checkbox and supply a custom range in the range box. If you specify a custom range, select either range in seconds or range in days to indicate the range time units. The specified time range is used to filter the report.
For this report, "having access" to a data object means that a user:
- has read access on the relevant database/dataset,
- or has read access on an object within the relevant database/dataset (e.g. a column),
- or has inherited read access on the relevant database/dataset due to having read access on a higher-level object (for example, a user who has
ALLaccess on the entire catalog)
Note: Users who only have authorization to view or edit data object metadata but do not have authorization to view the data itself do not appear in this list.
The report has several columns:
- User: The username of a user who has not accessed the relevant database or dataset within the specified timeframe.
- Last accessed: The last recorded time that this user successfully accessed the relevant database or dataset. This column may display Never queried, which means that Okera has no record of this user ever running a successful query for the relevant database/dataset.
- Role granting access: Any roles this user belongs to which grant read access for the relevant database or dataset. This column indicates how a user acquired access to these data objects. You can click on any role to view it on the Roles page and see a full list of the permissions it grants. To learn more about roles, see Managing Roles in the UI.
- Groups containing user: Users cannot be assigned directly to roles and must instead be assigned via a group. This column shows all groups that include the user and are assigned to roles listed in Role granting access. This column shows how a user was assigned to these roles. You can revoke a user's access to the database or dataset by removing the user from these groups.
- Access levels: The types of access this user has for the relevant database or dataset. Some users may have direct access to the relevant database or dataset, while others may inherit their access by having access to a higher-level data object, such as the catalog. Users may also have access to specific objects within the relevant database or dataset, such as a column.
Overall, this report displays a list of users who have not accessed the database or dataset within the specified timeframe and should possibly have their access revoked. It also shows the groups and roles that these users should be removed from to have their access revoked.
This report can be downloaded as a CSV file by selecting the Download as CSV button.
You might see this message in red on your report:
This warning indicates that your Okera instance has precise information for only a portion of the selected time range. Consequently, it will not have had enough time to collect user data, so your report may be inaccurate and incomplete. Okera recommends that you wait the number of days (or seconds) specified for the time range before running this report. For example,if you'd like to run this report for the time range
30 days or more, you should wait for 30 days after the Okera deployment date before running this report. This message updates every day to inform you how many days of data have been collected.