Site Permissions - Privilege Access Review

Is there any way to give a non-MO account access to pull site permissions so that they can be exported via automated script execution through Web Reports or the REST API? We are trying to gather this information for access reviews to identify operators who have access to deploy or otherwise manipulate servers via BigFix. Here is what I've tried so far to get this information.

REST API - I can gather this with the REST API, but it seems I can only gather it as a Master Operator. I believe this was made available with the release of 10.0.8. With an MO account I can run a REST command via the CLI:
iem.exe get https://Servername:52311/api/site/<Sitetype>/<SiteName>/permissions --outFile c:\temp\bf_permissions.xml
But if I run that same REST API command as a non-master operator account, I only get back the permissions for that specific account. Ideally I'd like to be able to use the REST API to pull the permissions, but I don't really like the idea of using a separate master operator account specifically to run this REST API command.

I have tried via session relevance, but haven't been able to get it in a readable format if I try to get readers and writers in the same query.
(name of it, names of readers of it, names of writers of it) of all bes sites whose (custom site flag of it) whose ((it contains "Site1" or it contains "Site2" or it contains "Site3" or it contains "Site4") of name of it)

I have been able to pull a usable report via the Excel connector but it’s not very easy to take that and make it an automated process.
( item 0 of it as string & "$x$" &
item 1 of it as string & "$x$" &
item 2 of it as string & "$x$" &
item 3 of it as string & "$x$" &
item 4 of it as string )
of (
(if (exists Display name of it | false)
then (concatenations "%0A" of (Display name of it as string))
else ("")),
(if (exists Description of it | false)
then (concatenations "%0A" of (Description of it as string))
else ("")),
(if (exists Name of it | false)
then (concatenations "%0A" of (Name of it as string))
else ("")),
(if (exists Writers of it and exists Names of Writers of it | false)
then (concatenations "%0A" of (Names of Writers of it as string))
else ("")),
(if (exists Readers of it and exists Names of Readers of it | false)
then (concatenations "%0A" of (Names of Readers of it as string))
else ("")))
of
BES Custom Sites
whose (
(Name of it as lowercase = "site1") OR
(Name of it as lowercase = "site2") OR
(Name of it as lowercase = "site3") OR
(Name of it as lowercase = "site4"))

I’m not sure I’d want a non-master-operator to be able to list all the other user names in the system, or to read the sites & permissions settings for sites to which they do not have rights themselves.

In some MSP / shared-server configurations, listing the names of other operators might be sensitive, especially if we’re using a SAML backend where the user name exposes their company name as well.

Edit: I also don’t like using Master Operator for this either. I don’t think we have a better option for now, though.

Ideally I'd prefer to give a non-MO account access to view permissions but not have create action permissions, write permissions to tasks, delete objects, etc. That is my concern with having an MO account doing it: we can't restrict the other things it could do if that account were compromised.

If the Session Relevance is giving what you want, you may be able to turn that into a custom Web Report, and set the report to Archive/Email daily. Would that meet your need?

Session relevance is similar but in its current state not really in a digestible format and not sure it would be very readable in a custom report either.
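The "$x$"-delimited, "%0A"-joined output produced by the Excel-connector query above is what makes the session relevance result hard to read. The script below is an added example, not code from the original thread or from BigFix, that flattens that exact output into one row per (site, operator, role) and then answers the access-review question directly: which operators hold write rights to which sites. The sample output is constructed to match the five fields the posted query emits (display name, description, name, writers, readers); the operator and site names in it are placeholders.

```python
"""Flatten the posted '$x$'-delimited session relevance output into an
access-review table: one (site, operator, role) row per grant.

Added example for the thread above; the field order mirrors the posted
query (display name, description, name, writers, readers) and the sample
data is constructed, not taken from a real deployment.
"""
import csv
import io
from typing import Dict, List, Tuple

FIELD_SEP = "$x$"   # column separator used by the posted query
LIST_SEP = "%0A"    # joiner used by the posted 'concatenations "%0A"' clauses

# Constructed sample: two result lines shaped like the posted query's output.
# Site2 has an empty description and no writers to exercise the empty-field case.
SAMPLE_OUTPUT = (
    "Site1 Display$x$Deploys to prod servers$x$Site1$x$alice%0Abob$x$carol\n"
    "Site2 Display$x$$x$Site2$x$$x$dave%0Aerin\n"
)


def split_names(field: str) -> List[str]:
    """Split a '%0A'-joined name list; an empty field yields an empty list."""
    return [name for name in field.split(LIST_SEP) if name]


def parse_site_line(line: str) -> Dict[str, object]:
    """Parse one result line into its five named fields."""
    parts = line.split(FIELD_SEP)
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    display_name, description, name, writers, readers = parts
    return {
        "display_name": display_name,
        "description": description,
        "name": name,
        "writers": split_names(writers),
        "readers": split_names(readers),
    }


def to_review_rows(output: str) -> List[Tuple[str, str, str]]:
    """Normalise the whole export into sorted (site, operator, role) rows."""
    rows: List[Tuple[str, str, str]] = []
    for line in output.splitlines():
        if not line.strip():
            continue
        site = parse_site_line(line)
        for operator in site["writers"]:
            rows.append((site["name"], operator, "writer"))
        for operator in site["readers"]:
            rows.append((site["name"], operator, "reader"))
    return sorted(rows)


def to_csv(rows: List[Tuple[str, str, str]]) -> str:
    """Render the rows as CSV for the reviewers' spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["site", "operator", "role"])
    writer.writerows(rows)
    return buf.getvalue()


def writers_by_operator(rows: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Operators with write access, i.e. those who can deploy via the site."""
    result: Dict[str, List[str]] = {}
    for site, operator, role in rows:
        if role == "writer":
            result.setdefault(operator, []).append(site)
    return result


if __name__ == "__main__":
    review_rows = to_review_rows(SAMPLE_OUTPUT)
    print(to_csv(review_rows))
    for operator, sites in sorted(writers_by_operator(review_rows).items()):
        print(f"{operator}: writer on {', '.join(sites)}")
```

Because the query joins multi-valued fields with "%0A" rather than a real newline, the export stays one site per line and splits cleanly; a site description containing a literal newline would break that assumption, so keep the description column out of the export if that happens.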