Bug 1491802 - [RFE] Central report who can ran which sudo commands on which systems (attestation)
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
Reported: 2017-09-14 17:51 UTC by aheverle
Modified: 2024-02-04 04:25 UTC (History)
Doc Type: Enhancement
Last Closed: 2020-08-06 12:24:48 UTC
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-10333 0 None None None 2023-09-07 18:58:43 UTC
Red Hat Issue Tracker RHELPLAN-34532 0 None None None 2023-09-07 18:58:40 UTC

Description aheverle 2017-09-14 17:51:20 UTC
As an administrator I want to have a way to generate a report that will show which users can execute which commands on which systems. It can be sliced in a couple of different ways:
- Per user/group, i.e. user/group on this system or group of systems can run these commands and on these systems those commands. In other words the breakdown is: user/group; host/host group; commands
- Per host/host group, i.e. host/host group; user/group; commands

Also it might make sense to do it by command but this should be a part of the design and reviewed with administrators on the freeipa-users list. They should provide more feedback which might change initial assumptions spelled out in this ticket.

Comment 4 Martin Kosek 2017-09-19 11:25:20 UTC
This is the user story that is currently proposed for this work - validation welcome!


As an administrator I want to have a way to generate a report that will show which users can execute which commands on which systems. It can be sliced in a couple of different ways:
- Per user/group, i.e. user/group on this system or group of systems can run these commands and on these systems those commands. In other words the breakdown is: user/group; host/hostgroup; commands
- Per host/host group, i.e. host/host group; user/group; commands

Comment 5 Martin Kosek 2017-09-19 11:28:26 UTC
Note that the topic of the IdM attestation report was split into 3 RFEs:
* Bug 1272214: client-based report (included SSSD)
* Bug 1491802 - [RFE] Central report who can ran which sudo commands on which systems (attestation) (included in IdM Server)
* Bug 1492993 - [RFE] Create a central report that will show who can access which systems (attestation) (included in IdM Server)

Comment 6 Petr Vobornik 2017-09-22 17:52:43 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7166

Comment 10 Petr Čech 2020-08-06 12:24:48 UTC
Research showed that:
- A server side report is already possible to generate by scripting around LDAP, API, CLI or Ansible interfaces that IdM provides
- The server side report is not that interesting in most cases and a client side report might be more valuable (which is outside of scope of IdM)
- The reporting should be integrated with other ticketing systems and workflows which makes it harder to identify the right functionality that the report should include
If you are interested in such an integrated report, please contact Red Hat consulting. Red Hat Engineering sees this as a highly custom feature on top of the existing and already available interfaces.
Upstream contributions of the reporting utility or integration with the existing reporting tools are welcome.
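
Added example (not part of the bug report and not FreeIPA code): a sketch of the server-side report requested in the description, expanding sudo rules into user/host/command rows and slicing them per user or per host. The rule, group and host data are constructed, and the field names are modelled on FreeIPA sudo rule attributes as an assumption; flat (non-nested) groups are assumed and deny-command lists are not evaluated.

```python
from collections import defaultdict

# Constructed sample data. Field names are modelled on FreeIPA sudo rule
# attributes (memberuser_user, hostcategory, ...) and are assumptions here.
GROUPS = {"dbadmins": ["alice", "bob"]}
HOSTGROUPS = {"dbservers": ["db1.example.test", "db2.example.test"]}
CMDGROUPS = {"services": ["/usr/bin/systemctl", "/usr/bin/journalctl"]}
RULES = [
    {"cn": "db-maint", "ipaenabledflag": True,
     "memberuser_group": ["dbadmins"], "memberhost_hostgroup": ["dbservers"],
     "memberallowcmd_sudocmdgroup": ["services"]},
    {"cn": "carol-any-host", "ipaenabledflag": True,
     "memberuser_user": ["carol"], "hostcategory": "all",
     "memberallowcmd_sudocmd": ["/usr/bin/less"]},
    {"cn": "old-root", "ipaenabledflag": False,
     "memberuser_user": ["bob"], "hostcategory": "all", "cmdcategory": "all"},
]

def _expand(rule, category, direct, grouped, groups):
    """Resolve one dimension of a rule to a sorted list of concrete names."""
    if rule.get(category) == "all":
        return ["ALL"]          # category 'all' overrides explicit members
    names = set(rule.get(direct, []))
    for g in rule.get(grouped, []):
        names.update(groups.get(g, []))
    return sorted(names)

def effective_rows(rules=RULES):
    """Return (user, host, command, rule) tuples for every enabled rule."""
    rows = []
    for r in rules:
        if not r.get("ipaenabledflag"):
            continue            # disabled rules grant nothing
        users = _expand(r, "usercategory", "memberuser_user", "memberuser_group", GROUPS)
        hosts = _expand(r, "hostcategory", "memberhost_host", "memberhost_hostgroup", HOSTGROUPS)
        cmds = _expand(r, "cmdcategory", "memberallowcmd_sudocmd", "memberallowcmd_sudocmdgroup", CMDGROUPS)
        rows += [(u, h, c, r["cn"]) for u in users for h in hosts for c in cmds]
    return rows

def slice_by(rows, key):
    """key=0 slices per user, key=1 per host; values are sorted tuples."""
    out = defaultdict(set)
    for row in rows:
        out[row[key]].add(tuple(x for i, x in enumerate(row[:3]) if i != key))
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for user, grants in sorted(slice_by(effective_rows(), 0).items()):
        for host, cmd in grants:
            print(f"{user}\t{host}\t{cmd}")
```

Rows with host `ALL` come from rules whose host category is "all"; in an attestation review those are usually the first entries to check against least privilege.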

Comment 11 Red Hat Bugzilla 2024-02-04 04:25:07 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

