Getting a list of users including admin details, from either browser or CLI

Hello:
I am looking to get a monthly list of details from my 1Password account.
I am basically after a list of users with their status and privilege level. The export I get from the browser does not show admin access for users, and I have been playing around with the CLI, but I haven't found a way to list the groups a user is part of.
Would you be able to help me out?
Thanks.
Regards


1Password Version: 7.4.763
Extension Version: Not Provided
OS Version: Windows 10 1909
Sync Type: Not Provided

Comments

  • BenBen AWS Team

    Team Member

    Hi @rlarranaga

    Other than looking at the my.1password.com > People > [Person] page for each person, as far as I'm aware, there isn't a native way to do this. The best I think we can offer at this point is some scripting around the CLI. There is probably a more efficient way to do this... but here is what I was able to come up with:

    # For each group UUID: print the group name, then the names of its members
    for currentGroup in $(op list groups | jq -r '.[] | .uuid'); do
        op get group "$currentGroup" | jq -r '.name'
        echo "============"
        op list users --group="$currentGroup" | jq -r '.[] | .name'
        echo
    done
    

    This will list the members of each of your groups in the format:

    Group
    ============
    Member 1
    Member 2
    Member 3
    

    etc. I believe you're asking for a way to do this by user (instead of by group). I suspect someone with a stronger scripting background than I could build a script that would build an array for each person, such that every time a user's name is found in a group that group would be added to the array for that user. Then you'd echo out the array for each user.

    Does that help? Please let me know.

    Ben

  • BenBen AWS Team

    Team Member

    After tinkering a fair bit further I found a way to do this, though it is wildly inefficient and will take quite a while to run even with a small team / small number of groups. It could almost certainly be done more efficiently using a different scripting/programming language, but I think this is about the best that can be hoped for from bash:

    for user in $(op list users | jq -r '.[] | .uuid'); do
        # Header line: "First Last (state)"
        op get user "$user" | jq -r '.firstName + " " + .lastName + " (" + .state + ")"'
        echo "================="
        # Re-scan every group's membership for this user (many op calls per user)
        for currentGroup in $(op list groups | jq -r '.[] | .uuid'); do
            groupName=$(op get group "$currentGroup" | jq -r '.name')
            for currentUser in $(op list users --group="$currentGroup" | jq -r '.[] | .uuid'); do
                if [ "$currentUser" = "$user" ]; then
                    echo "$groupName"
                fi
            done
        done
        echo
    done
    

    This will (slowly) produce a report like this:

    Member 1 (state)
    =================
    Group 1
    Group 2
    Group 3
    
    Member 2 (state)
    =================
    Group 1
    

    e.g.

    Ben Woodruff (A)
    =================
    Recovery
    Owners
    Administrators
    Team Members
    Operations
    Commissioners
    Financial
    
    Joe User (A)
    =================
    Team Members
    Operations
    

    and so on.

    Ben

  • Hey Ben, Thanks a lot.
    While it looks like the code does what it is supposed to, I think the delays come from the calls to the 1Password server, to the point that I get timeouts and connection refused messages, which does not let me finish the script.
    Thanks anyway.

  • BenBen AWS Team

    Team Member

    For sure... it is pinging the server a lot in order to do this. If you can find someone to write this in any sort of language that supports multidimensional arrays I think the number of times op has to be run could be reduced significantly. Unfortunately bash just doesn't have that sort of complex array support. I've asked my colleagues if they're aware of any efficiencies that could be made here. Either way I'm happy to leave the thread open to see if anyone from the community has any other suggestions or is willing to translate to a more appropriate language.

    Ben

  • BenBen AWS Team

    Team Member

    @rlarranaga

    My colleague @felix_1p rewrote this and it uses fewer calls to op now, so it should work better. It does not currently include the state of the user, but we could probably work that in if needed. Please let me know if this works for you.

    #!/bin/sh
    
    # Get all group IDs and names
    # Results in <group_uuid>|<group_name>
    op list groups | jq -r '.[]|.uuid + "|" + .name' |
    
        # Get all users by group
        # Results in <user_name>|<group_name>
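        while IFS= read -r line; do
            group_uuid=$(echo "$line" | cut -f 1 -d "|")
            group_name=$(echo "$line" | cut -f 2 -d "|")
            # Append the group name inside jq, so a "/" or "&" in the name cannot break a sed expression
            op list users --group "$group_uuid" < /dev/null | jq -r --arg group "$group_name" '.[] | .name + "|" + $group'
        done | sort |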
    
        # Print groups grouped by user
        while IFS= read -r line; do
            user=$(echo "$line" | cut -f 1 -d '|')
            group=$(echo "$line" | cut -f 2 -d '|')
            if [ "$user" != "$current_user" ]; then
                current_user=$user
                echo ""
                echo "$current_user"
                echo "================="
            fi
            echo "$group"
        done
    

    Ben
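
The per-user report discussed in this thread, written in a language with dictionaries so that `op` runs once per group rather than once per user per group. This is an added example, not code from the thread's participants or from 1Password. It assumes a signed-in `op` session, that the `op list users` JSON carries `uuid`, `name` and `state` fields, and that the groups named in `PRIVILEGED` are the ones that matter for an admin review; the sample data is constructed.

```python
import json
import shutil
import subprocess

# Assumption: group names from the thread's sample report that confer elevated access.
PRIVILEGED = {"Owners", "Administrators", "Recovery"}

# Constructed sample data, used when the op CLI is not installed.
SAMPLE_USERS = [{"uuid": "U1", "name": "Ben Woodruff", "state": "A"},
                {"uuid": "U2", "name": "Joe User", "state": "A"}]
SAMPLE_MEMBERSHIP = {"Owners": [{"uuid": "U1", "name": "Ben Woodruff"}],
                     "Team Members": [{"uuid": "U1", "name": "Ben Woodruff"},
                                      {"uuid": "U2", "name": "Joe User"}],
                     "Operations": [{"uuid": "U2", "name": "Joe User"}]}

def op_json(*args):
    """Run one of the op subcommands used in the thread and parse its JSON output."""
    out = subprocess.run(["op", *args], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)

def fetch_membership():
    """One `op list users --group` call per group: {group_name: [member dicts]}."""
    return {g["name"]: op_json("list", "users", "--group", g["uuid"])
            for g in op_json("list", "groups")}

def invert(users, membership):
    """Turn group -> members into user_uuid -> {name, state, groups, privileged}."""
    report = {u["uuid"]: {"name": u["name"], "state": u.get("state", "?"), "groups": []}
              for u in users}
    for group, members in membership.items():
        for m in members:
            rec = report.setdefault(m["uuid"], {"name": m.get("name", m["uuid"]),
                                                "state": "?", "groups": []})
            rec["groups"].append(group)
    for rec in report.values():
        rec["groups"].sort()
        rec["privileged"] = sorted(PRIVILEGED & set(rec["groups"]))
    return report

def render(report):
    """Format the report like the thread's output, flagging privileged users."""
    lines = []
    for rec in sorted(report.values(), key=lambda r: r["name"]):
        flag = " [ADMIN: " + ", ".join(rec["privileged"]) + "]" if rec["privileged"] else ""
        lines += [f'{rec["name"]} ({rec["state"]}){flag}', "================="]
        lines += rec["groups"] or ["(no groups)"]
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    live = shutil.which("op") is not None
    users = op_json("list", "users") if live else SAMPLE_USERS
    print(render(invert(users, fetch_membership() if live else SAMPLE_MEMBERSHIP)))
```

Users who belong to no group still appear in the output, which the group-by-group shell scripts above would omit.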
