TATER Insights - Centralized Reporting
The 5th sister app in the TATER suite. Centralized reporting for compliance, service desk, HR, vendor, audit, and licensing - with group-based access control. Last updated 2026-06-13
What is TATER Insights?
TATER Insights consolidates the platform's deep, filterable, exportable reports into a single app. Quick at-a-glance dashboards remain in their natural homes (TATER Security overview, TATER Ops live board, TATER Manage fleet view, My TATER personal dashboard) - those are where you already look first thing in the morning. Insights is where you go when you need to answer a question that requires filtering, slicing, comparing, or downloading.
It lives at insights.tatersecurity.com, uses the same Microsoft Entra sign-in as every other TATER app, and is included with every subscription - no extra license needed.
How to get there
- From any TATER app sidebar: the bottom row of icons (5-app switcher) - click the bar-chart icon.
- From login: visit insights.tatersecurity.com directly; you'll be prompted to sign in if you aren't already.
- From My TATER: profile menu → Open TATER Insights (when configured).
Built-in reports
A growing catalog of built-in reports across Compliance, Service Desk, HR, Vendor, Audit, and Platform categories. The headline reports:
Compliance Posture
Category: Compliance · Access: Open to any authenticated user in the org
The latest scan per scan type (M365 Cloud, Endpoint, etc.) is summarized into overall pass rate, framework-by-framework pass rate, top 25 failing controls, and a 60-day override-expiry watchlist. If you have risk acceptances that lapse soon, the report shows a yellow banner at the top.
Control Evidence Freshness
Category: Compliance · Access: Open to any authenticated user in the org
How current each control's evidence is. Every catalog control is bucketed by the age of its most recent evidence - the newest scan that evaluated it or the date a risk-acceptance / manual-verification was recorded: Fresh (under 90 days), Aging (90-180 days), Stale (over 180 days), or No Evidence. Risk-acceptances and manual-verifications that are expiring within 30 days or already expired are flagged separately. The data table is the "re-evidence before your next audit" worklist, and a freshness-distribution donut sits on top. An AI agent can pull the same data with the list_evidence_freshness MCP tool and chain it into verify_manual_control, trigger_remediation, or create_risk_acceptance to close the gaps.
Risk Register Summary
Category: Compliance · Access: Auditor+ role, OR membership in risk-viewer / compliance-viewer group
All risks counted by impact level (Critical / High / Medium / Low) and by status (Open / Mitigated / Accepted / Transferred / Avoided). The data table shows the top 30 open risks sorted by age - useful for "what's been sitting around without a treatment plan?".
Document Review Completion
Category: Compliance · Access: Auditor+ role, OR membership in compliance-viewer / hr-viewer group
Per posted document (employee manuals, HR policies, SOPs): assigned vs. signed, completion %, document count, and the list of outstanding reviewers. Items past their expiry with signatures still outstanding are flagged OVERDUE, and a completion-% bar chart sits on top. See the Document Reviews guide.
Service Desk Performance
Category: Service Desk · Access: any authenticated user; rows filtered by your group's Ops categories
Volume per category, mean time to resolution (MTTR), SLA compliance percentage. Defaults to the last 30 days; period selector lets you adjust 7 / 14 / 30 / 60 / 90 / 180 / 365. If you're in the service-desk-hr group, you'll see HR / Onboarding / Off-boarding tickets only. If you're in service-desk-ap, you'll see AP / Finance tickets. Admins (Admin / OrgAdmin / SuperAdmin) see everything.
Helpdesk Drilldown
Category: Service Desk · Access: any authenticated user; rows filtered by your group's Ops categories
Per-ticket detail - title, status, priority, assigned, requester, opened/closed dates - filtered to your accessible categories. Useful for an end-of-week roll-up. Defaults to a 14-day window.
Survey Responses & CSAT
Category: Service Desk · Access: Auditor+ role
Per survey: responses collected, response rate vs. assigned staff, and the headline score - average rating or computed NPS - for surveys that include a rating / NPS question. Covers both surveys assigned to staff and CSAT collected automatically when tickets close, with a responses-by-survey bar chart on top. See the Surveys guide for building and distributing surveys.
Training Compliance
Category: HR · Access: Auditor+ role, OR membership in hr-team / training-admin / compliance-viewer group
Campaign-by-campaign completion rates, overdue trainees, recent completions. KPI tiles show campaign count, fully-complete count, and overdue count.
Personnel Onboarding / Offboarding
Category: HR · Access: Auditor+ role, OR membership in hr-team / service-desk-hr group
Joiner/leaver activity over the period: onboard vs. offboard counts, in-progress vs. complete, and per-event the linked provision/deprovision workflow, access review, and vault recover/purge task. Surfaces offboardings that still have follow-ups open. Driven by the trigger_onboarding / trigger_offboarding actions (UI or MCP), which fan a single join/leave event out across People, TATER Ops workflows, Access Reviews, and Vault.
Vendor & Contract Summary
Category: Vendor · Access: Auditor+ role, OR membership in vendor-viewer / compliance-viewer group
Vendor count by risk rating and by category. The data table is contracts expiring in the next 90 days, sorted by date - useful for "what do we need to renew or renegotiate this quarter?".
Activity Log Trends
Category: Audit · Access: Auditor+ role
Volume of audit log entries broken down by channel (via field - web / copilot / claude / mcp / agent / api / ado-webhook / cron / insights). Top actions and top users for the selected period. Defaults to 30 days. Useful for compliance audits asking "show me everything an AI agent did in October."
Acknowledgement Signature Log
Category: Audit · Access: Auditor+ role, OR membership in audit-viewer / compliance-viewer group
A flat audit-evidence log of every document sign-off - who, what, when, from where (IP), and a snapshot of the attestation text as it stood at signing - exportable for auditors. Period-selectable (default 90 days). Pairs with the Document Reviews module.
Subscription & Licensing
Category: Platform · Access: SuperAdmin only
Per-org seat usage, MRR, license cap, over-limit flag, billing type, renewal date. Used by the TATER Security operations team to track licensing across all client tenants.
Group-based access control
Two layers of gating apply to every report:
- Role tier - Viewer (the default for any authenticated user in the org), Auditor+ (for compliance-sensitive reports), Admin+ (Admin / OrgAdmin / SuperAdmin), or SuperAdmin-only.
- Group membership - for reports with requiredGroups set, the user must be in one of those groups (OR be Admin+). Groups are a flexible string array on each OrgMembership record.
If a user can't run a report, the catalog card shows a 🔒 lock pill and the reason ("Requires Auditor+ role", "Requires group membership (hr-team or compliance-viewer)") - so they know what to ask their admin for.
9 seeded groups
On first access to the Insights Groups page (or by clicking + Seed defaults), TATER creates these standard groups for your org:
| Group key | Display name | Grants access to |
|---|---|---|
| service-desk-it | Service Desk - IT | Service Desk reports filtered to IT / Hardware / Software / Network / Endpoint / Workstation categories |
| service-desk-hr | Service Desk - HR | Service Desk + Training Compliance, filtered to HR / Onboarding / Off-boarding / Personnel / Access Request |
| service-desk-ap | Service Desk - Accounts Payable | Service Desk filtered to AP / Accounts Payable / Finance / Invoicing / Vendor Payment |
| service-desk-ar | Service Desk - Accounts Receivable | Service Desk filtered to AR / Accounts Receivable / Billing / Collections |
| vendor-viewer | Vendor Management Viewer | Vendor & Contract Summary report |
| risk-viewer | Risk Register Viewer | Risk Register reports |
| training-admin | Training Admin | Training Compliance report |
| compliance-viewer | Compliance Viewer | Compliance Posture, Risk, Training, Vendor reports |
| all-reports | All Reports (administrator) | Every non-SuperAdmin report - use sparingly |
Custom groups
Click + New group in Insights Groups to define a custom one. Pick a key (lowercase, letters / digits / hyphens / underscores), a display name, and optionally:
- Ops task categories - list (one per line) of category names from your TATER Ops setup. Users in this group will see Service Desk rows only for these categories.
- Reports - check the boxes for the reports this group should unlock.
- Grants access to all reports - escape hatch for power users. Avoid unless you really mean it.
Assigning users to groups
Groups are stored as a string array on each user's OrgMembership record. To assign someone:
- Go to TATER Manage → Users.
- Pick the user, click Edit.
- In the groups field, enter the group keys (comma-separated): e.g. service-desk-it, vendor-viewer.
- Save. The user's access updates on their next sign-in (or within 5 minutes when their membership cache expires).
Exports
Every report has a ⬇ CSV button in the top-right of the report viewer. The download includes whatever columns the report defines. Every report also exports to XLSX and branded PDF, and recurring email delivery is configured under Scheduled Reports.
For BI tools, TATER also exposes the data via the existing Power BI dataset endpoint (GET /api/reports/powerbi) - see API Reference.
Why a separate app instead of more dashboard pages?
Because they serve different jobs.
- Dashboards (overview pages in each app) = quick glance at "is everything OK right now?". They're at the top of the app, they load fast, they prioritize a small number of high-signal tiles. They're tuned for the muscle memory of "open the app, see the state".
- Reports (Insights) = "I need to answer a specific question." Period selection, filters, sorting, drill-down, export. Reports take time to interpret and you don't want them cluttering your at-a-glance view.
Putting both in the same app makes the dashboards heavier and the reports buried. Separating them - and putting cross-app reports in their own home - keeps both surfaces focused.
v2 (shipped 2026-06-05)
- Scheduled email delivery - daily / weekly / monthly / quarterly, recipient list, branded HTML emails via Graph (system email config) with SMTP fallback. Configure in Insights → Scheduled Reports.
- XLSX export - client-side via SheetJS. Two sheets: Report data + Metadata. Works on every report.
- Line trend chart on Compliance Posture - daily pass-rate trend over 30 days.
v2.1 (shipped 2026-06-05) - Custom + PDF + Cross-org
Branded PDF export (Phase C)
Every report viewer now has a primary ⬇ PDF button. The server-side PDF (rendered via pdfkit) is an executive-style layout with your org's logo + accent color in the header, KPI tiles, top chart summaries, the data table (capped at 200 rows - CSV/XLSX for unbounded data), and a footer with page numbers + generated-by-whom. The same PDF format will be attached to scheduled email reports when an admin opts in (v2.2 follow-up).
Custom report builder (Phase A)
Auditor+ users can build their own reports. Insights → Custom Reports → + New custom report:
- Pick a data source - Ops Tasks, Risks, Risk Acceptances, Audits, Vendors, Activity Log, Monitoring Findings, Change Requests, or Exceptions / Waivers. Each source has a locked field schema with type metadata (text / number / date / status).
- Pick your columns - checkbox grid of the source's fields.
- Add filters - field + operator (=, !=, contains, starts-with, >, <, >=, <=, in, is-set, is-not-set) + value. Status / enum fields get a select with the locked option list; text fields get a free-form input. Multiple filters combined with AND.
- Set a period field + days to limit results to the last N days against any date column on the source.
- Set sort + direction + row limit (max 5000).
- Name + describe + pick an icon. Share with whole organization (Admin+ only) makes the report visible to everyone in your org; otherwise it's personal-only.
- Save → opens in the report viewer with the same KPI tiles / table / CSV / XLSX / PDF export as built-ins.
Security: field names come from the source's allowlist (no SQL injection vector - all filter values flow through Cosmos parameters). Per-source role gates re-check at run-time. Personal reports are visible only to their owner (or SuperAdmin). Shared reports require Admin+ to publish.
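An added sketch of the allowlist-plus-parameters pattern described above; it is not TATER's code. The RISKS schema, the orgId scoping property and buildQuery are hypothetical names, and the returned { query, parameters } object has the shape Cosmos DB accepts for a parameterized query.

```javascript
// Added example. Hypothetical locked schema for a "Risks" source (names constructed).
const RISKS = {
  title:    { type: "text" },
  score:    { type: "number" },
  openedAt: { type: "date" },
  status:   { type: "status",
              options: ["Open", "Mitigated", "Accepted", "Transferred", "Avoided"] },
};

// Own-property check so names like "constructor" or "__proto__" never match.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Operator -> Cosmos SQL fragment. Only an allowlisted field name and a
// generated parameter name are interpolated; user-supplied values never are.
const OPS = {
  "contains":    (f, p) => `CONTAINS(c.${f}, ${p})`,
  "starts-with": (f, p) => `STARTSWITH(c.${f}, ${p})`,
  "in":          (f, p) => `ARRAY_CONTAINS(${p}, c.${f})`,
  "is-set":      (f) => `IS_DEFINED(c.${f})`,
  "is-not-set":  (f) => `NOT IS_DEFINED(c.${f})`,
};
for (const op of ["=", "!=", ">", "<", ">=", "<="]) OPS[op] = (f, p) => `c.${f} ${op} ${p}`;

// Returns a { query, parameters } spec; throws on anything outside the schema.
function buildQuery(schema, orgId, def) {
  const field = (name) => {
    if (!has(schema, name)) throw new Error(`unknown field: ${name}`);
    return name;
  };
  if (!def.columns.length) throw new Error("no columns selected");
  const parameters = [{ name: "@orgId", value: orgId }]; // assumed tenant-scoping property
  const where = ["c.orgId = @orgId"];
  for (const { field: f, op, value } of def.filters) {
    if (!has(OPS, op)) throw new Error(`unknown operator: ${op}`);
    const { options } = schema[field(f)];
    const unary = op === "is-set" || op === "is-not-set";
    // Enum/status fields accept only values from the locked option list.
    if (!unary && options && ![].concat(value).every((v) => options.includes(v)))
      throw new Error(`value not allowed for ${f}`);
    const p = `@p${parameters.length}`;
    if (!unary) parameters.push({ name: p, value });
    where.push(OPS[op](f, p)); // filters are combined with AND
  }
  const cols = def.columns.map((c) => `c.${field(c)}`).join(", ");
  const dir = def.dir === "desc" ? "DESC" : "ASC";
  // Row limit is coerced to an integer and clamped to the documented max of 5000.
  const limit = Math.min(Math.max(1, Math.trunc(Number(def.limit)) || 5000), 5000);
  const query = `SELECT TOP ${limit} ${cols} FROM c WHERE ${where.join(" AND ")}` +
                ` ORDER BY c.${field(def.sort)} ${dir}`;
  return { query, parameters };
}
```

A filter value containing quote characters or SQL keywords ends up only in parameters, so the query text depends solely on the schema, the operator table and the clamped limit.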
Cross-org roll-up (Phase B)
If you're in an MSP org (org.isMsp=true) or you're a SuperAdmin, the report viewer shows a Scope chip selector at the top. Pick which orgs to include - your own, your linked client orgs (for MSP), or any org in the tenant (for SuperAdmin). When 2+ orgs are selected, the report runs once per org and merges results with an Organization column prepended.
Works for both built-in and custom reports. CSV + PDF exports include the scope in the filename. Numeric summary KPIs (counts, sums) aggregate across orgs; non-numeric show (multiple) when they diverge.
Coming next
- Scheduled emails attach PDFs - opt-in flag per schedule. Email body shows KPI summary; PDF attachment has the full executive layout.
- More chart types - line trends over time, stacked bars, heat maps for additional reports.
- Custom report drilldown - click a row in a custom report to open the underlying record in TATER Security / Ops / Manage.