[Freeipa-devel] Exporting users "access formulars"

Martin Kosek mkosek at redhat.com
Wed Aug 5 12:32:37 UTC 2015


On 08/05/2015 12:53 PM, Tomas Babej wrote:
> 
> 
> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>> Hey,
>>
>> For security reasons (mostly PCI-DSS) I have to print and sign off an access
>> formular for every user, and also to maintain these formulars in time,
>> which means that every time I add a host to a hostgroup, for example, I
>> should reprint all access formulars for users with access to this
>> hostgroup...
>>
>> I was wondering if it was possible to develop a feature that would allow
>> one to select a user(s) from GUI and generate a csv/pdf/whatever file
>> with all direct and indirect memberships/access for HBAC, groups and
>> sudo-rule for the selected user(s).
>>
>> Maybe a first step would be to script something around ipa CLI commands
>> (not sure if possible to dig into HBAC and groups from CLI though).
>>
>> What are your thoughts on such a need? Am I the only one wanting to export
>> my users' privileges directly from the software managing these privileges?
>>
>> Regards,
>> Florian
>>
> 
> I'd recommend building a script to generate such a report; I'm not
> really sure it's a feature that would fit directly into the core at this
> state.
> 
> You can access IPA's API directly using Python, which can be leveraged
> to generate a report using a suitable Python library, such as reportlab.
> 
> Using the API you will get access to all the information available to
> you via the ipa command line tool.
> 
> Examples of using the Python API are available on the net; for example,
> here's one user's submission which landed on the list some time ago:
> 
> https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
> 
> The API can be easily inspected in 4.2 using our new API browser:
> 
> https://fedorahosted.org/freeipa/ticket/3129
> 
> If you're on an older release, adding the -vv flag to any ipa command will do
> the job as well.
> 
> HTH,
> 
> Tomas
> 

"ipa user-show USER --all" should show user and all group memberships,
including special roles or permission in the RBAC.

I am not sure about finding the respective HBAC or SUDO rules; hbac-find and
sudorule-find do not offer searching by user. I am afraid that for current
versions, raw "ldapsearch" would need to be used.
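An added example, not code from the thread or from the FreeIPA project, of the join that Martin notes hbacrule-find does not do for you: resolving which HBAC rules reach a user directly, through a direct or indirect group, or through usercategory=all, and emitting the CSV rows Florian asked for. The records are constructed; the attribute names (memberof_group, memberofindirect_group, memberuser_user, memberuser_group, usercategory, ipaenabledflag) are assumed to match what the Python API returns for user_show(all=True) and hbacrule_find(all=True).

```python
import csv
import io

# Constructed sample records shaped like the dicts ipalib returns in
# ['result'] for user_show(..., all=True) and hbacrule_find(all=True).
# Attribute names are assumed to match FreeIPA's; the values are made up.
USER = {
    "uid": ["fcrouzat"],
    "memberof_group": ["ops"],
    "memberofindirect_group": ["sysadmins"],   # nested membership
}

HBAC_RULES = [
    {"cn": ["allow_all"], "usercategory": ["all"], "ipaenabledflag": ["FALSE"]},
    {"cn": ["ops_ssh"], "memberuser_group": ["ops"], "ipaenabledflag": ["TRUE"]},
    {"cn": ["admin_console"], "memberuser_group": ["sysadmins"], "ipaenabledflag": ["TRUE"]},
    {"cn": ["dba_only"], "memberuser_user": ["dba1"], "ipaenabledflag": ["TRUE"]},
    {"cn": ["florian_direct"], "memberuser_user": ["fcrouzat"], "ipaenabledflag": ["TRUE"]},
]


def rules_for_user(user, rules):
    """Return (rule, enabled, how) for every rule that names the user directly,
    via a direct or indirect group, or via usercategory=all. Indirect groups
    matter: a nested membership grants the rule although the rule never names
    the user, which is exactly what a per-user sign-off sheet must surface."""
    login = user["uid"][0]
    groups = set(user.get("memberof_group", [])) | set(user.get("memberofindirect_group", []))
    hits = []
    for rule in rules:
        name = rule["cn"][0]
        enabled = rule.get("ipaenabledflag", ["TRUE"])[0].upper() == "TRUE"
        if rule.get("usercategory", [""])[0].lower() == "all":
            hits.append((name, enabled, "usercategory=all"))
        elif login in rule.get("memberuser_user", []):
            hits.append((name, enabled, "direct member"))
        else:
            via = sorted(groups & set(rule.get("memberuser_group", [])))
            if via:
                hits.append((name, enabled, "via group " + ",".join(via)))
    return hits


def report_csv(user, rules):
    """One CSV row per applicable rule; disabled rules are kept but flagged so
    the report shows what would apply the moment someone re-enables them."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["user", "rule", "enabled", "granted_via"])
    for name, enabled, how in rules_for_user(user, rules):
        w.writerow([user["uid"][0], name, "yes" if enabled else "no", how])
    return out.getvalue()


if __name__ == "__main__":
    print(report_csv(USER, HBAC_RULES), end="")
```

Sudo rules carry the same memberuser_user/memberuser_group/usercategory attributes, so the same function can be run over sudorule_find output to complete the report.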
