Security Analysis - What have I gotten myself into?

List Afficionados & N'er Do Wells,
It used to be so easy in the old Xe days.
I'm now in the land of EO8.9 and am handcuffed by the current options I have for analyzing holes in our security.
In the old days I could UTB into the F0093 and see a list of who has access to particular environments.
I also used to be able to goto User Profiles and plug in a group name on the QBE line and see all members of that group.
Thus quoth the Raven, "Nevermore".

I need to see the following:
1. Orphan user accounts (not belonging to any group/role or environment).
2. God list members (who also has god-like rights).
3. Crossover users (A/P as well as A/R and G/L) *sometimes referred to as segregation of duties.

I searched my beloved LIST all day (sorry Boss) only to come up dry.
Right now, I'd trade all of these roles for groups in a New York minute.

The two security reports in EO8.9 are not very helpful at all. I miss my Xe, it was simple but manageable.
Is there anyone out there with the wisdom and fortitude to guide me from this abyss of emptiness?

These seem to be just basic reports based off of some simple SQL joins that any developer should be able to do. You should just need to tell them the exceptions you are looking for (what criteria do you consider a user to be a "God List Member", what roles determine the crossover (role names may need be informative), etc).

This is not a difficult thing to do, just not there out of the box. If you look at it from Denver's view, how are they supposed to write any reports that resemble this? They don't know what you are going to name your roles, if you are using roles, if you apply security to roles or users, etc.

Hey Bob.

The solution we are planning to follow is to essentially keep our groups. We are using a tool called QBuild that makes it much easier to manage, but we will be converting our current groups into roles. Users will be assigned to a "role" with all of the same security their old "group" had. We don't use task variants, just the OneWorld Menus task view with a default deny application security setting. No switching between roles. We lose a little flexibility, but the added stuff ain't worth the pain in my opinion.

Thanks guys,
I spent some time with the DBA and he hooked me up with the ability to pull tables into Excel after doing some selective queries.
I will be able to save these "Excel Queries" so even a Manager could run them.