Getting a list of users including admin details, from either browser or CLI

rlarranaga
rlarranaga
Community Member
in Business and Teams

Hello:
I am looking to get monthly list of details from my 1password account.
I am basically after a list of users with their status and privilege level. The export i get from the browser does not show admin access for users, and i have been playing around with the CLI, but i haven't found a way to list the groups a users is part of.
Would you be able to help me out?
Thanks.
Regards

1Password Version: 7.4.763
Extension Version: Not Provided
OS Version: Windows 10 1909
Sync Type: Not Provided

Comments

  • Ben
    Ben

    Hi @rlarranaga

    Other than looking at the my.1password.com > People > [Person] page for each person, as far as I'm aware, there isn't a native way to do this. The best I think we can offer at this point is some scripting around the CLI. There is probably a more efficient way to do this... but here is what I was able to come up with:

    for currentGroup in $(op list groups | jq -r '.[] | .uuid'); do
    op get group $currentGroup | jq -r '.name'
    echo "============"
    op list users --group=$currentGroup | jq -r '.[] | .name'
    echo
done

    This will list the members of each of your groups in the format:

    Group
============
Member 1
Member 2
Member 3

    etc. I believe you're asking for a way to do this by user (instead of by group). I suspect someone with a stronger scripting background than I could build a script that would build an array for each person, such that every time a user's name is found in a group that group would be added to the array for that user. Then you'd echo out the array for each user.

    Does that help? Please let me know.

    Ben

  • Ben
    Ben

    After tinkering a fair bit further I found a way to do this, though it is wildly inefficient and will take quite a while to run even with a small team / small number of groups. It could almost certainly be done more efficiently using a different scripting/programming language, but I think this is about the best that can be hoped for from bash:

    for user in $(op list users | jq -r '.[] | .uuid'); do
    echo $(op get user $user | jq -r '.firstName + " " + .lastName + " (" + .state + ")"')
    echo "================="
    for currentGroup in $(op list groups | jq -r '.[] | .uuid'); do
        groupName=$(op get group $currentGroup | jq -r '.name')
        for currentUser in $(op list users --group=$currentGroup | jq -r '.[] | .uuid'); do
            if [ "$currentUser" == "$user" ]; then
                echo $groupName
            fi
        done
    done
    echo
done

    This will (slowly) produce a report like this:

    Member 1 (state)
=================
Group 1
Group 2
Group 3

Member 2 (state)
=================
Group 1

    e.g.

    Ben Woodruff (A)
=================
Recovery
Owners
Administrators
Team Members
Operations
Commissioners
Financial

Joe User (A)
=================
Team Members
Operations

    and so on.

    Ben

  • rlarranaga
    rlarranaga
    Community Member

    Hey Ben, Thanks a lot.
    While it looks like the code does what it is supposed to, I think the delays come from the calls to 1password server. - To the point that i get timeouts and connection refused messages, which does not let me finish the script.....
    Thanks anyway.

  • Ben
    Ben

    For sure... it is pinging the server a lot in order to do this. If you can find someone to write this in any sort of language that supports multidimensional arrays I think the number of times op has to be run could be reduced significantly. Unfortunately bash just doesn't have that sort of complex array support. I've asked my colleagues if they're aware of any efficiencies that could be made here. Either way I'm happy to leave the thread open to see if anyone from the community has any other suggestions or is willing to translate to a more appropriate language.

    Ben

  • Ben
    Ben

    @rlarranaga

    My colleague @felix_1p re-wrote this and it uses less calls to op now, so it should work better. It does not currently include the state of the user, but we could probably work that in if needed. Please let me know if this works for you.

    #!/bin/sh

# Get all group IDs and names
# Results in <group_uuid>|<group_name>
op list groups | jq -r '.[]|.uuid + "|" + .name' |

    # Get all users by group
    # Results in <user_name>|<group_name>
    while read line; do
        group_uuid=$(echo "$line" | cut -f 1 -d "|")
        group_name=$(echo "$line" | cut -f 2 -d "|")
        op list users --group "$group_uuid" < /dev/null | jq -r '.[]|.name' | sed 's/$/'"|$group_name/"
    done | sort |

    # Print groups grouped by user
    while read line; do
        user=$(echo "$line" | cut -f 1 -d '|')
        group=$(echo "$line" | cut -f 2 -d '|')
        if [ "$user" != "$current_user" ]; then
            current_user=$user
            echo ""
            echo "$current_user"
            echo "================="
        fi
        echo "$group"
    done

    Ben

This discussion has been closed.