On 08/05/2015 12:53 PM, Tomas Babej wrote:
>
>
> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>> Hey,
>>
>> For security reasons (mostly PCI-DSS) I have to print and sign-off access
>> formular for every user, and also to maintain these formulars in time
>> which means that every time I add a host to a hostgroup for example, I
>> should reprint all access formulars for users with access to this
>> hostgroup...
>>
>> I was wondering if it was possible to develop a feature that would allow
>> one to select a user(s) from GUI and generate a csv/pdf/whatever file
>> with all direct and indirect memberships/access for HBAC, groups and
>> sudo-rule for the selected user(s).
>>
>> Maybe a first step would be to script something around ipa CLI commands
>> (not sure if possible to dig into HBAC and groups from CLI though).
>>
>> What are your thoughts on such need, am I the only one wanting to export
>> my users privileges directly from the software managing these privileges ?
>>
>> Regards,
>> Florian
>>
>
> I'd recommend building a script to generate such a report, I'm not
> really sure it's a feature that would fit directly into the core at this
> state.
>
> You can access IPA's API directly using Python, which can be leveraged
> to generate a report using a suitable Python library, such as reportlab.
>
> Using the API you will get access to all the information available to
> you via the ipa command line tool.
>
> Examples of using Python API are available on the net, for example
> here's one user's submission which landed on the list some time ago:
>
> https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
>
> API can be easily inspected in 4.2 using our new API browser:
>
> https://fedorahosted.org/freeipa/ticket/3129
>
> If you're on an older release, adding -vv flag to any ipa command will do
> the job as well.
>
> HTH,
>
> Tomas
>
"ipa user-show USER --all" should show user and all group memberships,
including special roles or permissions in the RBAC.

I am not sure about finding respective HBAC or SUDO rules, hbac-find or
sudorule-find do not offer searching by user. I am afraid that for
current versions, raw "ldapsearch" would need to be used.
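
An added example, not code from this thread or from the FreeIPA project: since the rule searches cannot filter by user, one option is to fetch every HBAC and sudo rule once and resolve per-user access client-side, including nested groups and host group expansion. The data below is constructed, and the dictionary keys and scalar values are a simplified assumption about what the API returns for rule entries.

```python
import csv, io
# Constructed sample data. Key names (memberuser_user, memberhost_hostgroup,
# usercategory, ...) are assumed to mirror IPA API output; values are simplified.
USERS = {"alice": ["dba", "staff"], "bob": ["staff"]}   # user -> direct groups
GROUPS = {"dba": ["prod-admins"]}                       # group -> parent groups
HOSTGROUPS = {"db-servers": ["db1.example.test", "db2.example.test"]}
HBAC_RULES = [
    {"cn": "allow_dba_ssh", "memberuser_group": ["prod-admins"],
     "memberhost_hostgroup": ["db-servers"]},
    {"cn": "bob_web", "memberuser_user": ["bob"], "memberhost_host": ["web1.example.test"]},
]
SUDO_RULES = [{"cn": "staff_restart", "memberuser_group": ["staff"], "hostcategory": "all"}]

def all_groups(user):
    """Direct plus indirect (nested) group memberships of a user."""
    seen, todo = set(), list(USERS[user])
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(GROUPS.get(group, []))
    return seen

def applies(rule, user, groups):
    return (rule.get("usercategory") == "all"             # rule covers all users
            or user in rule.get("memberuser_user", [])    # user named directly
            or bool(groups & set(rule.get("memberuser_group", []))))  # via a group

def rule_hosts(rule):
    if rule.get("hostcategory") == "all":
        return ["ALL"]
    hosts = set(rule.get("memberhost_host", []))
    for hostgroup in rule.get("memberhost_hostgroup", []):
        hosts.update(HOSTGROUPS.get(hostgroup, []))  # flat host groups assumed
    return sorted(hosts)

def report(user):
    groups = all_groups(user)
    rows = [(user, "group", g, "") for g in sorted(groups)]
    for kind, rules in (("hbac", HBAC_RULES), ("sudo", SUDO_RULES)):
        rows += [(user, kind, r["cn"], " ".join(rule_hosts(r)))
                 for r in rules if applies(r, user, groups)]
    return rows

def to_csv(users):
    buf = io.StringIO()
    csv.writer(buf).writerows([("user", "type", "name", "hosts")]
                              + [row for u in users for row in report(u)])
    return buf.getvalue()
```

Because host groups are expanded at report time, regenerating the CSV after adding a host to a host group shows which users' access forms changed.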