User Explorer in GA4: Exploring the Basics

Web analytics are incredibly powerful: they can reveal stunning amounts of information about your audience, its behavior, how effective your digital properties are, and ultimately how well your digital marketing strategies are achieving their intended goals.

But getting the most out of your website and application analytics isn’t easy. And if you’re new to the world of analytics, the learning curve can be steep. It’s easy to feel like you’re drowning in data but still coming up short on insights.

Google Analytics is a large part of most organizations’ analytics strategies. Google recently killed off its previous generation of analytics tools, called Universal Analytics (UA), pushing all users to the new standard, Google Analytics 4 (GA4).

Now that GA4 is the only game in town, all businesses who rely on analytics to understand website traffic, performance, and user behavior need to know the differences and learn how to adapt to the way GA4 operates.

Let’s get started with some basic definitions.

What is the GA4 User Explorer tool?

One big piece of analytics is understanding user behavior in the aggregate: what are the ways that most people interact with a website?

Another equally valuable analytics element is understanding specific user behavior: how are particular users interacting with the website?

(Of course, privacy laws restrict businesses from, say, recording an entire user session and tying it to a specific person, but there are compliant ways to glean information on specific users without identifying who those users are.)

GA4 User Explorer helps you navigate both of these elements and is especially effective at the individual user level. The tool and its reports fully anonymize user data without aggregating that data first, so you retain the full picture of what user did on your website. That data is tied to a client ID that is not itself tied to a specific, identifiable person. Those client IDs are also aggregated, allowing you to analyze information across an entire group of users that match certain characteristics.

What can the GA4 User Explorer report do for a business?

GA4 User Explorer reports can clarify the user journey, both with specific (anonymized) users and in the aggregate (analyzing user behavior as a group or multiple groups). And it does so at a level of specificity that blows away previous models.

What might that look like in execution? Here are a few ways businesses are turning User Explorer reports into insights and action.

UI/UX troubleshooting

You can test, retest, and test some more, but when your new website or page or app or online store goes live, users will find new and exciting ways to break what you built (or at least find the weakest points and get stuck on them).

With GA4’s User Explorer reports, you can examine user actions to identify how they get stuck, where they encounter errors, what they do afterward, and more. If the issue you’re troubleshooting often results in the same action, you may also be able to look at this data in the aggregate by pooling all users who have taken that action.

Conversion optimization

Conversion optimization is an entire discipline or specialty requiring tools and knowledge outside of Google Analytics. Still, the ability to analyze specific user behavior (say, during an A/B test) can help you narrow down your options and optimize your properties faster according to which elements performed better.

Retention and retargeting

Identifying specific patterns of actions can help you with both customer retention and audience retargeting. Of course, you can’t tie GA4 user reports to specific users. But you can figure out when and why customers purchase, then adjust your marketing efforts accordingly. You may also identify audience attributes for the types of users that abandon their carts or otherwise fall off, then retarget those general audiences.

What are the biggest changes, advantages, and limitations?

GA4 delivers a ton of power and capability, but there are downsides as well. If you already have some experience using UA’s User Explorer, then the easiest approach is to compare the two. Here are the biggest differences you’ll find in GA4’s User Explorer, both positive and negative.

Advantages

One big advantage is tied to the change in structure between the two systems. GA4 looks at users across devices: it has the ability to identify that visits from User X’s smartphone browser, mobile app, and desktop browser are all in fact from User X.

This is a huge benefit: what might look like a lost user could actually be that same user moving to their desktop to complete a transaction. What looks like a single desktop visit with no repeat traffic could in fact be a user who left your website to download your app and now uses your service consistently.

In UA, you didn’t have an effective way to know. But in GA4, you do.

Limitations

The biggest limitation is ease of use.

If you read our article on GA4 pros and cons, you probably picked up on a theme: GA4 is more powerful, but it’s also more complicated — even to the degree that it makes things that were simple in UA harder to do. That’s the case here as well, as many users discover they can’t (immediately) identify some elements that feel like basic ones, like which page was opened or which link was clicked.

Of course, you can still do click tracking but not until you manually enable enhanced measurement and take several other actions.

So GA4 comes with a learning curve, and many elements won’t “just work” if they’re still set up the way that made sense in UA. There may also be a heavier resource requirement to operating with GA4 because of all that added capability and complexity.

There’s also a pretty big limitation to user reports: you’re limited to two dimensions. Given the sheer number of options and possible data points in GA4, you might find it frustrating that you can only surface two in any specific user explorer report.

How to access User Explorer in GA4

User Explorer is a powerful feature area, but it isn’t exactly obvious where to find it.

Start by navigating to the Explorations tab on the left (Explore / an arrow in a magnifying glass). Then all the way over on the right-hand side, click Template Gallery.

This template gallery contains numerous exploration reports, called Techniques. One of these is the User Explorer. (The others are worth exploring, too, but we won’t review them for this article.)

Front and center you’ll find users’ Effective user IDs, which are the identifiers GA4 uses to link together various sessions and devices all connected to a single user. You can change the Effective user ID in your settings as well. You may see other default metrics like event count and sessions. In this view you can start applying filters and segmenting your audience, though you might want to wait until the next section to do this.

If it’s your first time in User Explorer, the default view may be a bit underwhelming until you customize it. So let’s do that next!

Customizing your User Explorer reports

User Explorer gives you plenty of options for customizing your reports. These work differently for aggregate vs. individual reports.

All users

When running User Explorer reports on aggregate audiences, it’s possible to segment your audience using both the Settings and Variables columns in the tool. There are more than 150 metrics available, giving you tons of flexibility here.

Where you don’t get flexibility is in the maximum number of dimensions applied. This is locked at two, unfortunately: Effective user ID and Stream name.

When you toggle on variables in the Variables column, you can then find those under the Settings column, allowing you to add those segments to your report. Here you can also specify the start row and how many total rows you want to see.

User Explorer reports can be viewed several different ways:

  • Bar chart
  • Plain text
  • Heat map

You’ll also find more levels of filtering in the settings bar, allowing you to narrow down results to certain device types, for example.

Note that your results and metrics will not match those from UA. Parameters and ways of calculating and categorizing have all changed, sometimes in significant ways. So comparing old UA metrics to your current GA4 metrics is like comparing apples and oranges. You shouldn’t assume a one-to-one correlation.

Individual users

GA4 also allows you to explore individual users by clicking on their effective user ID (which you’ll see in the all users report). Clicking this will bring up information about their first visit to your property, where they’re located, and their data stream.

Many vital metrics are automatically displayed, including:

  • Top events (views, engagements, sessions, errors, etc.)
  • Event count
  • Purchase revenue
  • Number of transactions
  • Time spent (engagement)

Down below you can expand or collapse individual sessions to see which actions occurred in which sessions. Within these, you’ll see specific event names and which audiences the user qualifies for based on their actions.

You can also use filters to narrow down to specific events you want to see, and from there you can create segments (the button should be in the top right) based on selected events.

You also have the ability to delete individual user entries. This could be helpful if you want to remove testing data or edge cases you’ve already solved, for example.

Dive Deeper into Advanced Analytics with Pumex

GA4 unlocks new levels of analytics compared to Google’s own previous set of tools. But as your business grows, you may encounter the need to go even deeper than what GA4 allows.

That’s where we can help.

Pumex is the experienced voice and partner you need for solving software development and technology integration problems at any scale. We’ll help you maximize your analytics and business intelligence results so you can grow conversions, improve decision making, and maximize revenue. 

What is Dev Sec Ops?

As the world of Cybersecurity starts to become more complex and dynamic to levels never seen before, there is now paramount pressure that is placed upon the IT Security teams across Corporate America to increase their vigilance. It is not just from the standpoint of thwarting off the bad guys that are trying to break in, but it is also trying to predict what future variants could potentially look like down the horizon, so that lines of defenses can be beefed up accordingly.

But now, everybody has a stake in this proposition – all the way from the C-Suite to the administrative assistant. There was one group that has stayed relatively immune from falling under the microscopic eyes of Cybersecurity, but this is now no longer the case.

This group is the software development teams. Since folks started developing software their job has been to develop and compile the source code for the Web application that they have been tasked to create, and ship it off to the customer, under budget and on time.

Because of this, implementing security testing solutions has long been an issue which has remain largely ignored. As a result, Cyber-attackers are finding ways to covertly sneak into the backdoors that are left behind, and stay in for extended periods of time, very often going unnoticed.

Then once they feel comfortable in the environment they have infiltrated, they move in a lateral fashion, deploying malicious payloads along the way which even the traditional antivirus and antimalware packages cannot capture.

Or they could start a data exfiltration process, in which small bits of the PII (Personally Identifying Information) datasets are slowly extracted, once again going unnoticed. Because of recent attacks (most notably that of the Solar Winds hack), software developers are now feeling the heat to make sure that the source code they compile is secure in every aspect possible.

Thus, this is where the acronym “DevSecOps” is starting to come into play. It stands for “Development, Security, & Operations.” The primary goal of this is to introduce and deploy automated security mechanisms into the entire lifecycle of the software development process.

If security was ever a concern in the past, it was done at the very end, in a very haphazard fashion. One of the primary goals of DevSecOps is to introduce it at every level of development, so that each software module is thoroughly tested before moving onto the next one. Thus, the cascading effect of un-remediated vulnerabilities and gaps is greatly mitigated.

Another key strength of DevSecOps is that it integrates not only the software development teams, but also the IT Security and Operations teams as well into one cohesive unit. This brings an extra set of eyes to help make sure that the nothing in the security process gets overlooked.

In other words, the siloed approach is now fully eradicated, and it has now become a shared responsibility, which leads credence to the DevSecOps motto: “Software, Sooner, Safer.”

This allows for robust and secure code to be delivered without slowing down the software development cycle. Put another way: “DevSecOps helps enterprises to innovate securely at speed and scale.

 

How To Implement Security into DevSecOps

 

It is important to note that implementing a Cybersecurity mindset into your software development process is not something that can be deployed anywhere at any time. It must start early on, preferably even before the application project has even started.

But most importantly, this kind of thinking must be adopted by all the departments in your business. It is not just the IT Security team that has to believe in this framework, every employee must, because everybody has a key stake in keeping your business safe and secure.

But as it relates to DevSecOps, this proactive mindset must be formally acknowledged and embraced in the planning stages of the software development cycle. From there, it then transcends in a lateral fashion until the coding is all done, and the project is ready to hand off to the client. For purposes of this article, a hypothetical software development process can be represented as follows:

 

  1. Planning
  2. Defining the Requirements
  3. Designing & Prototyping
  4. Development
  5. Testing
  6. Deployment

 

The above can formally be called the “Secure Software Development Lifecycle,” or “S-SDLC” for short. Each step is reviewed as follows:

 

Planning

 

In this step, you have been assigned a project, and are in the process of assembling your software development together. This phase of the S-SDLC can be viewed as a macro one, as you are taking a holistic view of the kind of application that will be required and defining the overall objectives of what needs to get done.

But most importantly, you are acknowledging the fact that security is going to be a top issue here, and you are laying down the foundations as to how the system of checks and controls will evolve. But also, you are also figuring the roles that the Operations and IT Security team will play in the S-SDLC.

 

Defining the Requirements

 

Obviously in this phase, you are formally defining the needs and wants of the client in the project and mapping out the various software modules that will be needed to meet this objective. But also remember that this is the key stage in which you will formally address the types of security issues that you think could evolve as the development process evolves. It is particularly important that you take your time in this crucial phase, and this is one of the biggest areas in which you will need to involve the IT Security and Ops teams for their input.

This can also be referred to as the security forecasting stage. There will be issues of course that will come up of which your teams did not anticipate here. The goal here is to map out every what-if scenario that you can, so that any items of concern can be addressed quickly and efficiently. To help you in this process, there are various methodologies that are available, and the one that is most widely used is the Open Web Application Security Project, also known as “OWASP.” As its name implies, this is an open-source platform in which the public can get access to the latest Cyber threat variants that are out there, and which are also ranked according to their degree of severity.

The bottom line is that before you can move forward, all the teams must come to a common consensus of the potential vulnerabilities and threats that they need to be on the lookout for as the source code is being developed and compiled.

 

Design & Prototype

 

It at this phase that you will start to implement the security controls into the various software modules, paying attention to these top three design philosophies:

 

1) The Principle of Least Privilege:

This is the minimum rights, privileges, and permissions are established. In other words, end users will gain access to whatever they need to perform their daily job tasks, and nothing more than that. It is important that the source code be flexible and dynamic in this regard, as roles and titles do change among employees.

 

2) The Principle of Separation of Duties:

With this concept, you are never giving away total, 100% control to just any one employee. Rather, it takes a few individuals to complete one large task, in a sequential fashion, based upon the rights, permissions, and privileges that they have granted. The source code that is being developed needs to have this kind of functionality implemented.

 

3) The Principle of Minimizing the Attack Surface Area:

This simply means that that the source code which is being designed is clean and robust in nature, and most importantly it is not bloated in nature. For example, software developers like to use APIs (Application Programming Interfaces) to keep up with the timelines that have been established in the Planning phase. But there can become an over-dependence on using more APIs than are necessary in this regard, which will make the overall application larger than what is necessary. What this translates into is that the Cyber-attacker now has a much larger attack surface to penetrate to spread their malicious payloads. But by having the source as “lean and mean” as possible, the attack surface greatly reduces in proportion.

 

Development

 

As its name implies, this is the part of the S-SDLC in which the actual source code is compiled. The actual development process does not occur in just one huge chunk, but rather, it is done at the modular level, which was pre-established back in the Planning phase. As technology is rapid advancing at a rapid pace, so are the tools which are used to create the source code. In this regard, automation has become important, not only to keep the project moving along, but also to reduce the number of errors that could occur.

Automation can replace many of the mundane and repetitive tasks that are involved, even when it comes to the security perspective. Some examples of this include the following:

 

  • Continuous Integration: This is where the software developers submit each iteration of the source code that they have worked on into a central server and is combined into one unit. It is not just a one-time deal, it can occur several times a day, depending upon the scope and magnitude of the development project. From here, automated builds and testing can then take place, to track down any errors and vulnerabilities that exist in a very quick manner.
 
  • Automated Security Testing: This is where Penetration Testing comes into play. With this, the primary objective is to find and locate any hard-to-find gaps and remediate them quickly. There are many tools out there that can do this, such as Kali Linux or GitLab.
 
  • Secure Code Repositories: This is especially useful for the storing of API Libraries, as reviewed earlier. Here, automated testing tools can double check that any APIs to be used in the S-SDLC are free from any bugs and are updated with the latest patches and upgrades.

 

Testing

 

To ensure the greatest level security in a software development project, each software module should be tested thoroughly tested, both from the standpoint of Penetration Testing and Threat Hunting. However, this does not each module should be tested one at a time. This would simply take too much time to accomplish. Rather, the automated tools as described in the last subsection can be used to test these modules simultaneously, or in parallel. In the world of DevSecOps, this is technically known as “shifting left,” because you are starting the testing process at the very beginning stages, rather than waiting until the end.

This is illustrated in the diagram below:

(Source: https://www.testim.io/blog/shift-left-testing/)

 

Deployment

 

This phase where the hand-off of the project to client actually occurs. In an ideal setting, the client should also test their new Web application for any weaknesses or backdoors that could have still been overlooked in the S-SDLC phases. But many times, they will not, because they simply assume all is good and fine. Therefore, a critical aspect of DevSecOps is to conduct one last Penetration Test before the application is released into the production environment. There really is no need to involve any Blue or Purple teams at this stage, simply the Red Team will suffice. Of course, anything out of the ordinary should be fixed on the spot.

 

Conclusions

 

Overall, this article has examined what DevSecOps is from a holistic point of view. But keep in mind, as it was reviewed before, there are three distinct groups involved, which to summarize are as follows:

The goal here is to bring in all the assets of these three groups so they work in one harmonious fashion to further enhance the overall Cyber posture of your organization. This in turn will lay the groundwork for creating the mindset security is everybody’s concern, all the way from the C-Suite down to the overnight cleaning crew.

There are many other aspects of DevSecOps, one of which is compliance control implementation. This will be examined in a future article.

Pumex Receives Award

Pumex Receives Award for One of Most Recognized Software Development Companies in Washington DC

 

At Pumex Computing, LLC, we provide our clients with the development solutions they need to build customized, process-driven, and end-to-end software solutions. We value our customers’ needs and prioritize the delivery of cost-effective and scalable solutions for their maximum benefit. Today, we’re happy to announce that we were recently recognized among the most reviewed developers on The Manifest!

 

 For context, let’s revisit the beginning moments of Pumex Computing, LLC:
 

In 2015 


Our founders saw an opportunity to share their expertise and bring core values that the software development space was lacking. Antony Marceles, our CEO, and Christopher Scirpoli, our President, work together to fuse the mastery of their respective fields to bring better, more affordable, and scalable software solutions to our clients. Since then, we’ve always put an emphasis on strong communication and collaboration to craft high-quality products for our partners
 

In 2020 

A nonprofit organization engaged with us for a custom software development project. The purpose of our collaboration was to build a new networking portal that the client labeled as a “community connector” to improve networking efficiency during the pandemic. We developed the product using Salesforce and delivered the final build in June 2021. Upon launch, the client saw a 30% increase in user logins to utilize the new feature sets of the portal.
 

“Their involvement by leadership, consistent, thorough communications and the quality of development set Pumex apart.”
 

— Senior Director, Nonprofit Organization 

 

In 2022

The Manifest releases its newest lists of top companies, and we’re proud to be named among the most reviewed software developers in Washington DC! We would like to thank all of our partners, especially those who left their honest feedback about our work!
 

Build distinctive yet functional digital products today. Get in touch and schedule a free consultation with us today!