#2840 [RFE] Produce access control attestation report for IPA domains
Closed: Fixed 6 years ago Opened 8 years ago by dpal.

Use case:

As an owner of a system I need to know which users have access to a host. I want to run something on the host and get a report of who can access it.
The reports must contain information about HBAC, but a SUDO report would also be beneficial. This would allow me to pass audits and make sure that the right people have the right access to systems and applications.

Idea:
Create a utility that would trigger a one-time enumeration, populate caches and run a report against the cache. That would actually solve two problems:
a. Priming of the cache with the full database
b. Actually creating a report based on the cached data

We see several inquiries about this capability in recent days.


For now, I'll file the ticket into 1.15, since it hasn't been requested for the next release.

If it is requested, we will move it back up.

milestone: NEEDS_TRIAGE => SSSD 1.15 beta

Metadata Update from @dpal:
- Issue set to the milestone: SSSD Future releases (no date set yet)

7 years ago

Some more details based on a discussion in a RHBZ (private, sorry)
- it was suggested to output the result in CSV along the lines of name:object_type:service
- machine-parseable output would make it easy to consume the data with an Ansible module
- an Ansible module should be developed to gather the data from the output. Where to track this module is not clear; we need to find who would be working on the IDM/AD Ansible integration
- same as above applies to sudo

Metadata Update from @jhrozek:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: None

6 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.0 (was: SSSD Future releases (no date set yet))

6 years ago

Metadata Update from @jhrozek:
- Issue tagged with: RFE

6 years ago

Since we are required to release a new upstream tarball no later than Friday Oct-20, I'm moving tickets that will not be closed by that date to the next milestone, 1.16.1

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.1 (was: SSSD 1.16.0)

6 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

6 years ago

I updated the ticket title to make it clear that the scope of the work for now is only IPA domains.

6 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

6 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3881

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
