User Account Examples

Queries relating to user accounts, API tokens, roles, and offboarding.

See also:

  • devices.md for finding devices created by a specific user
  • collectors.md for finding collectors registered by a specific user

Export users by userid

Show the id and username for users with id between 2 and 5, sort by reverse username, and put in csv format:

elm -f csv AdminList -f id,username -S -username -F id\>:2,id\<:5

Find a user account and check its status

Useful when a staff member leaves — check whether their account is suspended, what roles they hold, and whether they have active API tokens or collectors.

# Find the account and check status
elm AdminList -s0 -f id,username,firstName,lastName,status,twoFAEnabled | \
  jq '.AdminList[] | select((.firstName + " " + .lastName) | ascii_downcase | contains("acme user"))'

Compare against a known-active account to confirm which fields indicate suspension:

elm AdminList -s0 -f id,username,firstName,lastName,status,twoFAEnabled | \
  jq '.AdminList[] | select(.username == "active.user@acme.com" or .username == "departed.user@acme.com")'

Audit all active API tokens

Find every user who has an active API token — useful as a periodic security check, especially after staff turnover.

apiTokens.status filters natively: 2 = active, 1 = disabled. This covers both LMv1 keys and bearer tokens — the type field distinguishes them, not the status:

elm -f csv AdminList -s0 -f username,firstName,lastName -F apiTokens.status:2

Offboarding checks — collectors, devices, and API tokens

After locating the user record above, check for resources they own.

Check for collectors registered by the user:

elm CollectorList -s0 -f id,hostname,description,createdBy | \
  jq '.CollectorList[] | select((.createdBy // "") | ascii_downcase | contains("acme user"))'

Check for devices created by the user:

elm DeviceList -s0 -f id,displayName,createdBy -F createdBy~"acme user" | \
  jq '.DeviceList[]'

The apiTokens field on the admin record will be an empty array if none exist. A suspended account with no API tokens, collectors, or devices is fully offboarded.
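The offboarding rule above, applied to JSON saved from the three queries; this is an added example, not part of this repository. It assumes the AdminList output includes the apiTokens field; the function name, the sample records and the "suspended" status value are constructed, so confirm the real suspended value against a known-active account as described earlier.

```python
import json

ACTIVE_TOKEN = 2  # apiTokens.status: 2 = active, 1 = disabled (from this page)

def offboarding_report(admins, collectors, devices, full_name, suspended_value):
    """Combine the account, collector and device checks into one verdict."""
    needle = full_name.lower()

    def owned(items):
        # createdBy may be null, mirroring the (.createdBy // "") guard in the jq filter
        return [i["id"] for i in items if needle in (i.get("createdBy") or "").lower()]

    matches = [a for a in admins["AdminList"]
               if needle in f'{a.get("firstName", "")} {a.get("lastName", "")}'.lower()]
    if len(matches) != 1:
        # Refuse to guess when the name is missing or ambiguous
        raise LookupError(f"expected one account for {full_name!r}, found {len(matches)}")
    acct = matches[0]
    tokens = acct.get("apiTokens") or []
    report = {
        "username": acct["username"],
        "suspended": acct.get("status") == suspended_value,
        "tokens": len(tokens),
        "active_tokens": sum(1 for t in tokens if t.get("status") == ACTIVE_TOKEN),
        "collectors": owned(collectors["CollectorList"]),
        "devices": owned(devices["DeviceList"]),
    }
    # Page rule: suspended, with no API tokens, collectors or devices
    report["fully_offboarded"] = (report["suspended"] and not tokens
                                  and not report["collectors"] and not report["devices"])
    return report

# Constructed sample data in the shape the jq filters above expect
ADMINS = {"AdminList": [
    {"id": 7, "username": "departed.user@acme.com", "firstName": "Acme",
     "lastName": "User", "status": "suspended", "apiTokens": [{"status": 2}]},
    {"id": 8, "username": "active.user@acme.com", "firstName": "Active",
     "lastName": "User", "status": "active", "apiTokens": []},
]}
COLLECTORS = {"CollectorList": [
    {"id": 3, "hostname": "col01", "createdBy": "Acme User"},
    {"id": 4, "hostname": "col02", "createdBy": None},
]}
DEVICES = {"DeviceList": []}

if __name__ == "__main__":
    print(json.dumps(offboarding_report(ADMINS, COLLECTORS, DEVICES,
                                        "acme user", "suspended"), indent=2))
```
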

meta

Update the ToC on this page by running the following:

gh-md-toc --insert --no-backup --skip-header examples/users.md