On 08/05/2015 12:53 PM, Tomas Babej wrote:
> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>> For security reasons (mostly PCI-DSS) I have to print and sign off access
>> forms for every user, and also to maintain these forms in time
>> which means that every time I add a host to a hostgroup for example, I
>> should reprint all access forms for users with access to this
>> I was wondering if it was possible to develop a feature that would allow
>> one to select a user(s) from GUI and generate a csv/pdf/whatever file
>> with all direct and indirect memberships/access for HBAC, groups and
>> sudo-rule for the selected user(s).
>> Maybe a first step would be to script something around ipa CLI commands
>> (not sure if possible to dig into HBAC and groups from CLI though).
>> What are your thoughts on such a need, am I the only one wanting to export
>> my users' privileges directly from the software managing these privileges?
> I'd recommend building a script to generate such a report, I'm not
> really sure it's a feature that would fit directly into the core at this
> You can access IPA's API directly using Python, which can be leveraged
> to generate a report using a suitable Python library, such as reportlab.
> Using the API you will get access to all the information available to
> you via the ipa command line tool.
> Examples of using Python API are available on the net, for example
> here's one user's submission which landed on the list some time ago:
> API can be easily inspected in 4.2 using our new API browser:
> If you're on an older release, adding the -vv flag to any ipa command will do
> the job as well.
"ipa user-show USER --all" should show user and all group memberships,
including special roles or permission in the RBAC.
I am not sure about finding respective HBAC or SUDO rules, hbac-find or
sudorule-find does not offer searching by user. I am afraid that for current
versions, raw "ldapsearch" would need to be used.
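As an added example (not code from this thread or from FreeIPA), one way to build the per-user report without a search-by-user option is to fetch every HBAC and sudo rule once and evaluate client-side which ones reference the user, directly, through a group, or through `usercategory=all`. It runs on constructed sample entries; the key names (`memberof_group`, `memberofindirect_group`, `memberuser_user`, `memberuser_group`, `usercategory`, `memberhost_host`, `memberhost_hostgroup`, `hostcategory`) are assumed to match what the `--all` output of the corresponding ipa commands returns on your version.

```python
import csv
import io

# Constructed samples shaped like ipa *-show/*-find --all results (assumed).
USER = {"uid": ["alice"], "memberof_group": ["dba"],
        "memberofindirect_group": ["staff"]}
HBAC = [
    {"cn": ["allow_db"], "memberuser_group": ["dba"],
     "memberhost_hostgroup": ["db-servers"]},
    {"cn": ["allow_all"], "usercategory": ["all"], "hostcategory": ["all"]},
    {"cn": ["allow_web"], "memberuser_user": ["bob"]},
]
SUDO = [{"cn": ["dba_restart"], "memberuser_group": ["staff"],
         "memberhost_hostgroup": ["db-servers"]}]


def user_groups(user):
    """Map each group of the user to 'direct' or 'indirect'."""
    groups = {g: "indirect" for g in user.get("memberofindirect_group", [])}
    groups.update({g: "direct" for g in user.get("memberof_group", [])})
    return groups


def rule_rows(user, rules, kind):
    """Return one row per rule that applies to the user, with the reason."""
    uid, groups, rows = user["uid"][0], user_groups(user), []
    for rule in rules:
        via = ["usercategory=all"] if "all" in rule.get("usercategory", []) else []
        if uid in rule.get("memberuser_user", []):
            via.append("user (direct)")
        via += ["group %s (%s)" % (g, groups[g])
                for g in rule.get("memberuser_group", []) if g in groups]
        hosts = (["ALL"] if "all" in rule.get("hostcategory", []) else
                 rule.get("memberhost_host", []) +
                 ["@" + h for h in rule.get("memberhost_hostgroup", [])])
        if via:  # rules that do not reference the user are skipped
            rows.append([uid, kind, rule["cn"][0], "; ".join(via), " ".join(hosts)])
    return rows


def access_report(user, hbac_rules, sudo_rules):
    """Return the per-user sign-off report as CSV text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["user", "type", "name", "granted_via", "hosts"])
    for group, how in sorted(user_groups(user).items()):
        writer.writerow([user["uid"][0], "group", group, how, ""])
    writer.writerows(rule_rows(user, hbac_rules, "hbac"))
    writer.writerows(rule_rows(user, sudo_rules, "sudo"))
    return out.getvalue()
```

Hostgroups are prefixed with `@` in the hosts column, so a change to a hostgroup's membership identifies which users' reports need to be regenerated.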