An access determination management system obtains information regarding various different entities in a system (e.g., a networked environment) and what rights or privileges those entities have. An entity, also referred to herein as a principal, can be a user, a computing device, a group of users, a group of computing devices, or a service. The rights or privileges that an entity has includes, for example, whether administrative privileges are available to the entity, whether a particular program can be executed, whether an entity is a member of another entity, and so forth. The access determination management system uses the obtained information to generate and display a graph of the environment. The graph of the environment includes the different objects as well as links between the objects that indicate rights or privileges one object has with respect to another.