The screenshot below shows an example of an endpoint document for a user:

At the top of the document, you can see:


The first tab on the bottom part of the document shows all the databases that the user has access to on this server, along with:

The database names and group names are hyperlinks, so you can click on them to get more information about the specific databases or groups in the list.


The second tab shows all the groups the user is in, and all the ways they are members of those groups:

In this example, you can see there are five different ways that they are members of the Administrator Group:

It also shows what kind of group access they have: security, mail, or both. Security groups are used for ACL access to databases, and mail groups are used for sending email to the group.

Group membership can be tricky. In the example above, if you just remove the user from the Database Administrators group, they will still be members of the Administrator Group through membership in other subgroups. In fact, if you remove them directly from the Database Administrators group, they will still be members of that group because they are members of the Security Administrators group, which is a subgroup of Database Administrators.

Without endpoint processing, it's very hard to see the web of relationships that are involved with group membership and, ultimately, database access.