Permissions Audit Export
The Permissions Audit Export lists who has permissions for specific files and folders in your site. The export is the system of record when you need to confirm that people and systems only have the access they need.
Site Administrators run the report when preparing for a security review or audit. Reviewers commonly ask for a list of who can access what, and the export produces that list directly.
The report is also a fast way to verify access during personnel changes. If a team member has left or changed roles, the export shows where their permissions still exist so you can clean them up. The same report helps when a user reports that they cannot access something they need, or that they can access something they should not.
The export is available to Site Administrators in the web interface.
Only Users with Permissions Are Included
The export includes only users who have been granted permissions for a site. Parent Site Administrators are never included, because they are never granted folder permissions directly. Users who exist in your site but have not been granted access to any folders are also excluded.
When the report runs for a child site, users from the parent site who have been granted Site Administrator access to the child site are included. Parent Site Administrators remain excluded.
Running the Export
Like the other export options, the Permissions Audit Export runs from the web interface and produces a CSV file. If the report takes a long time to generate, you can close the message and you will receive an email when the file is ready.
When you run the export, you choose whether to group the output by user or by path. The grouping changes the column order, the sort order, and how each row is interpreted. The two groupings can also produce different row counts for the same site, depending on how permissions are assigned.
Group by User
When you group by user, the report contains one row per user per unique path where that user has been granted a permission. All of the user's permissions for the path are combined into that single row.
The permission_type, group_id, and group_name columns can contain lists of items in this grouping. The items in each list are presented in a consistent order within the row, so you can match values across columns: the first permission_type corresponds to the first group_id and the first group_name, and so on.
Group by Path
When you group by path, the report contains one row per assigned path per user or group that has been granted permissions to that path.
When permissions are granted to a group, the user IDs, usernames, and user disabled flags for every member of that group are listed together in one row.
Exported Columns
Most of the following columns appear in both versions of the export. The column order differs depending on whether the export is grouped by user or by path.
| Column | Notes |
|---|---|
| path | The associated path of the permission. |
| path_site | The path's site's name. |
| username | User name(s) for the permission. |
| user_id | User ID(s) granted the permission. |
| user_disabled? | True when user account has been disabled. False when user account is active. |
| user_email | The email address(es) for the user(s). |
| user_created_at | Timestamp of when the user was added to the site. |
| user_last_active_at | Timestamp of user's most recent activity time, which is the latest of most recent login, most recent API use, enablement, or creation. |
| user_site | The name of the site for the user ID(s). |
| permission | List of permission levels granted. |
| recursive? | True when permission applies to sub-folders of the path. False if permission only applies to that specific path. |
| permission_type | How the permission was assigned. |
| admin? | Whether the permission includes admin access to the path |
| full? | Whether the permission includes full permission to the path |
| write? | Whether the permission includes write to the path |
| read? | Whether the permission includes download from the path |
| list? | Whether the permission includes list items in the path |
| share? | Whether the permission includes create share links with the path |
| group_id | Group(s) granting access for the path / user |
| group_name | Group ID(s) granting access for the path / user |
| group_site | Name of the site for the group(s) |
Permission
The values in the permission column match the developer documentation for Permissions.
The list of permissions reflects every permission granted to the user, or to group members, for the path. If a user gains the same permission more than once for the path, the permission is repeated in the list.
Permission Type
This column reflects how the permission was assigned. Permissions assigned directly to users are marked as user. Permissions assigned to groups are marked as group.
When the report is grouped by user, this column can contain multiple values, because a user can receive the same permissions multiple times through group-level assignments.
Permission Fence
When a permission fence exists that affects a recursive permission, the folder of the fence is listed in the column.
That column is included only when at least one permission fence exists.
Parent and Child Sites
Users and groups in parent sites can be granted permissions to paths in any child site, and the permissions audit export reflects those assignments.
When you run the export for a parent site, the output includes permissions from the parent site and from every child site. The path_site, user_site, and group_site columns identify the site for each path, user, and group in every row.
When you run the export from within a child site, the output covers only the paths in that child site. Parent site users and groups that have been granted access to the child site are included. The same path_site, user_site, and group_site columns identify which site each path, user, and group belongs to.