RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1492993 - [RFE] Central report that will show who can access which systems (attestation)
Summary: [RFE] Central report that will show who can access which systems (attestation)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: ---
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
: 1728903 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-19 06:28 UTC by Martin Kosek
Modified: 2023-12-15 15:58 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-06 12:26:01 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-10334 0 None None None 2023-09-07 19:01:42 UTC
Red Hat Issue Tracker RHELPLAN-34224 0 None None None 2023-09-07 19:01:36 UTC

Description Martin Kosek 2017-09-19 06:28:10 UTC 
Description of problem:
For compliance reasons, IdM users/administrators want to know what users are allowed to do in their environments so they need to see a report that will show which users can access which systems.
Comment 4 Martin Kosek 2017-09-19 11:28:24 UTC 
Note that the topic of IdM attestation report was split to 3 RFEs:
* Bug 1272214: client-based report (included SSSD)
* Bug 1491802 - [RFE] Central report who can ran which sudo commands on which systems (attestation) (included in IdM Server)
* Bug 1492993 - [RFE] Create a central report that will show who can access which systems (attestation) (included in IdM Server)
Comment 5 Petr Vobornik 2017-10-13 16:34:23 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7199
Comment 6 Fraser Tweedale 2017-10-15 23:59:57 UTC 
It is not clear what is required.

Should the report be arranged:

- by host ("for host X, here are the users that can log in"), or
- by user ("for user A, here are the hosts they can access")

I guess that by host is more likely, i.e. it will be like
bz1272214 but for all hosts in a single report.

Is it sufficient to mention user groups and/or host groups in the report,
or can it only mention individual users and hosts?

What is the desired format of the report?
Comment 8 Rob Crittenden 2019-07-15 19:47:39 UTC 
*** Bug 1728903 has been marked as a duplicate of this bug. ***
Comment 9 Amy Farley 2019-08-16 18:07:32 UTC 
Moving this to RHEL 8, to go with the other attestation work.
Comment 11 Amy Farley 2019-08-16 18:14:09 UTC 
THis should be done with the other attestation work. I put in a wrong update, this should be in RHEL 8 and open.
Comment 12 Abhijit Roy 2019-10-14 17:50:41 UTC 
Hello,

|| What is the desired format of the report?


- It could be in any format not any issue. A simple output in the terminal is also enough I guess.
Comment 14 Petr Čech 2020-08-06 12:26:01 UTC 
Research showed that:
* A server side report is already possible to generate by scripting around LDAP, API, CLI or Ansible interfaces that IdM provides
* The server side report is not that interesting in most cases and a client side report might be more valuable (which is outside of scope of IdM)
* The reporting should be integrated with other ticketing systems and workflows which makes it harder to identify the right functionality that the report should include 

If you are interested in such an integrated report, please contact Red Hat consulting. Red Hat Engineering sees this as a highly custom feature on top of the existing and already available interfaces.

Upstream contributions of the reporting utility or integration with the existing reporting tools are welcome.
Note You need to log in before you can comment on or make changes to this bug.