On 08/04/2015 03:13 PM, Florian Crouzat wrote: > Hey, > > For security reason (mostly PCI-DSS) I have to print and sign-off access > formular for every users, and also to maintain these formulars in time > which means that every time I add a host to a hostgroup for example, I > should reprint all access formulars for users with access to this > hostgroup... > > I was wondering if it was possible to develop a feature that would allow > one to select a user(s) from GUI and generate a csv/pdf/whatever file > with all direct and indirect memberships/access for HBAC, groups and > sudo-rule for the selected user(s). > > Maybe a first step would be to script something around ipa CLI commands > (not sure if possible to dig into HBAC and groups from CLI though). > > What are your thoughts on such need, am I the only one wanting to export > my users privileges directly from the software managing these privileges ? > > Regards, > Florian >
I'd recommend building a script to generate such a report, I'm not really sure it's a feature that would fit directly into the core at this state. You can access IPA's API directly using Python, which can be leveraged to generate a report using a suitable Python library, such as reportlab. Using the API you will get access to all the information available to you via the ipa command line tool. Examples of using Python API are available on the net, for example here's one user's submission which landed on the list some time ago: https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py API can be easily inspected in 4.2 using our new API browser: https://fedorahosted.org/freeipa/ticket/3129 If you're on a older release, adding -vv flag to any ipa command will do the job as well. HTH, Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code