Export list of Users with associated roles and assigned environments

vschill · 21 August 2015 01:12

For audit purposes we would like to be able to export a list of all the user accounts in OD along with their permissions (roles, environments, etc.)

Is there a way to do this?

We are currently on version 2.6.3.886 but looking to move to v3 soon.

Michael_Richardson · 21 August 2015 05:32

Hi,

Thanks for getting in touch.

The way to do this is via the Octopus REST API.

Once you’ve created an API key (instructions can be found by following the link above), consuming the API via the (.NET client)[http://www.nuget.org/packages/Octopus.Client/] would look something like:

var repo = new OctopusRepository(new OctopusServerEndpoint("{your Octopus URL}", "{Your API Key}"));

var users = repo.Users.FindAll();

foreach (var user in users)
{
   var permissions = repo.Users.GetPermissions(user);
}

I hope this helps. Don’t hesitate to contact us if we can be of further assistance.

Regards,
Michael

Ethan_Andrus · 28 August 2015 19:26

I’d like to add a question to this. I’m trying to find a list of all user permission changes for the past x amount of time, 6 months or so. I reviewed the Github repo and explored the API on our Octopus site, but I didn’t find anything like that. I found all the permissions themselves, lists of user roles, and all the permissions users currently hold, but nothing on a history of permission changes. Is there anywhere in the API this information is accessible?

Thanks,
Ethan

Michael_Richardson · 4 September 2015 03:29

Hi Ethan,

Sorry, I missed your question added to this ticket.

This information is not easily accessible. Any time a user is added to team, or a team’s roles are changed, it is captured as an Event. And events can be queried via the API. But Events were designed to be an audit-system, not to be queried for this type of information. For example, adding Roles to a Team is simply recorded as an Event similar to as follows:

{
      "Id": "Events-663",
      "RelatedDocumentIds": [
        "Teams-1"
      ],
      "Category": "Modified",
      "UserId": "Users-1",
      "Username": "admin",
      "IdentityEstablishedWith": "Session cookie",
      "Occurred": "2015-09-04T03:13:06.390+00:00",
      "Message": "Team A Team was modified",
      "MessageHtml": "Team <a href='/r/Teams-1'>A Team</a> was modified",
      "MessageReferences": [
        {
          "ReferencedDocumentId": "Teams-1",
          "StartIndex": 5,
          "Length": 6
        }
      ],
      "Comments": null,
      "Details": "<span>{\r&para;<br>  \"Id\": \"Teams-1\",\r&para;<br>  \"Name\": \"A Team\",\r&para;<br>  \"MemberUserIds\": [\r&para;<br>    \"Users-20\"\r&para;<br>  ],\r&para;<br>  \"ExternalSecurityGroups\": [],\r&para;<br>  \"UserRoleIds\": [\r&para;<br>    \"userroles-packagepublisher\"</span><ins style=\"background:#e6ffe6;\">,\r&para;<br>    \"userroles-projectdeployer\"</ins><span>\r&para;<br>  ],\r&para;<br>  \"ProjectIds\": [],\r&para;<br>  \"EnvironmentIds\": []\r&para;<br>}</span>",
      "Links": {
        "Self": "/api/environments/Events-663"
      }
    }

Contained in the Details field is HTML which would show that a role was added. But as I mentioned, this is not designed to be queried.

Regards,
Michael