[Freeipa-devel] Exporting users "access formulars"
Tomas Babej
tbabej at redhat.com
Wed Aug 5 10:53:08 UTC 2015
On 08/04/2015 03:13 PM, Florian Crouzat wrote:
> Hey,
>
> For security reason (mostly PCI-DSS) I have to print and sign-off access
> formular for every users, and also to maintain these formulars in time
> which means that every time I add a host to a hostgroup for example, I
> should reprint all access formulars for users with access to this
> hostgroup...
>
> I was wondering if it was possible to develop a feature that would allow
> one to select a user(s) from GUI and generate a csv/pdf/whatever file
> with all direct and indirect memberships/access for HBAC, groups and
> sudo-rule for the selected user(s).
>
> Maybe a first step would be to script something around ipa CLI commands
> (not sure if possible to dig into HBAC and groups from CLI though).
>
> What are your thoughts on such need, am I the only one wanting to export
> my users privileges directly from the software managing these privileges ?
>
> Regards,
> Florian
>
I'd recommend building a script to generate such a report, I'm not
really sure it's a feature that would fit directly into the core at this
state.
You can access IPA's API directly using Python, which can be leveraged
to generate a report using a suitable Python library, such as reportlab.
Using the API you will get access to all the information available to
you via the ipa command line tool.
Examples of using Python API are available on the net, for example
here's one user's submission which landed on the list some time ago:
https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
API can be easily inspected in 4.2 using our new API browser:
https://fedorahosted.org/freeipa/ticket/3129
If you're on a older release, adding -vv flag to any ipa command will do
the job as well.
HTH,
Tomas
More information about the Freeipa-devel
mailing list