The dependencies recorded under SCM control propagate hierarchically in a transitive way. I.e. depending upon a given derived object, one depends upon its dependencies. This builds up graphs which can be navigated with tools.
Provided the dependencies have been audited properly, it is trivial to check which version of a resource has been accessed. Conversely, by applying labels to the leafmost derived objects, it becomes trivial to identify the users of any given resource: the resource bears their label. "Proper auditing" means here sufficient auditing to ensure reproducibility, which is again trivial to check.
Building up and automatically maintaining dependency matrices e.g. in the web through CGI scripts is thus conceivable and easy (it is easier with some conventions concerning the labeling).