Bug 1492993

Summary: [RFE] Central report that will show who can access which systems (attestation)
Product: Red Hat Enterprise Linux 8 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: Thomas Woerner <twoerner>
Status: CLOSED WONTFIX QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: ---CC: abroy, afarley, cobrown, ldelouw, pasik, patdung100+redhat, pcech, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: FutureFeature, Reopened
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-06 12:26:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Kosek 2017-09-19 06:28:10 UTC 
Description of problem:
For compliance reasons, IdM users/administrators want to know what users are allowed to do in their environments so they need to see a report that will show which users can access which systems.
Comment 4 Martin Kosek 2017-09-19 11:28:24 UTC 
Note that the topic of IdM attestation report was split to 3 RFEs:
* Bug 1272214: client-based report (included SSSD)
* Bug 1491802 - [RFE] Central report who can ran which sudo commands on which systems (attestation) (included in IdM Server)
* Bug 1492993 - [RFE] Create a central report that will show who can access which systems (attestation) (included in IdM Server)
Comment 5 Petr Vobornik 2017-10-13 16:34:23 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7199
Comment 6 Fraser Tweedale 2017-10-15 23:59:57 UTC 
It is not clear what is required.

Should the report be arranged:

- by host ("for host X, here are the users that can log in"), or
- by user ("for user A, here are the hosts they can access")

I guess that by host is more likely, i.e. it will be like
bz1272214 but for all hosts in a single report.

Is it sufficient to mention user groups and/or host groups in the report,
or can it only mention individual users and hosts?

What is the desired format of the report?
Comment 8 Rob Crittenden 2019-07-15 19:47:39 UTC 
*** Bug 1728903 has been marked as a duplicate of this bug. ***
Comment 9 Amy Farley 2019-08-16 18:07:32 UTC 
Moving this to RHEL 8, to go with the other attestation work.
Comment 11 Amy Farley 2019-08-16 18:14:09 UTC 
THis should be done with the other attestation work. I put in a wrong update, this should be in RHEL 8 and open.
Comment 12 Abhijit Roy 2019-10-14 17:50:41 UTC 
Hello,

|| What is the desired format of the report?


- It could be in any format not any issue. A simple output in the terminal is also enough I guess.
Comment 14 Petr Čech 2020-08-06 12:26:01 UTC 
Research showed that:
* A server side report is already possible to generate by scripting around LDAP, API, CLI or Ansible interfaces that IdM provides
* The server side report is not that interesting in most cases and a client side report might be more valuable (which is outside of scope of IdM)
* The reporting should be integrated with other ticketing systems and workflows which makes it harder to identify the right functionality that the report should include 

If you are interested in such an integrated report, please contact Red Hat consulting. Red Hat Engineering sees this as a highly custom feature on top of the existing and already available interfaces.

Upstream contributions of the reporting utility or integration with the existing reporting tools are welcome.