Pull a list of all possible role privileges?

This has vexxed me for a while so I (Copilot) spun this up. It maps all of the json privelege definitions to what the user sees for all roles in the org except user and admin (which never change). Uses keyring for auth. Outputs a pivot table of all the roles with privilege per role. 

import requests
import csv
import keyring
import io

PORTAL_URL = "https://[your agol url]"
CUSTOM_ROLES_URL = f"{PORTAL_URL}/sharing/rest/portals/self/roles"
PORTAL_INFO_URL = f"{PORTAL_URL}/sharing/rest/portals/self"
KEYRING_SERVICE = "AGOL"
USERNAME = "[your agol psa]"

# --------------------------------------------------------------------
# Embedded PRIVILEGE_MAPPING.csv (JSON,PRIVILEGE)
# Source: PRIVILEGE_MAPPING.csv provided by user
# --------------------------------------------------------------------
PRIVILEGE_MAPPING_CSV = """JSON,PRIVILEGE
premium:user:basemaps, Premium privileges: Basemaps: Basemap styles service: access the basemap styles service.
premium:user:staticbasemaptiles, Premium privileges: Basemaps: Static basemap tiles: access the static basemap tiles service.
premium:user:staticmaps, Premium privileges: Static maps: Static maps service (beta): access the static maps service.
premium:user:places, Premium privileges: Places: Place finding: access the places service.
premium:user:geocode:stored, Premium privileges: Geocoding: Geocode (stored): access the geocoding service and perform stored geocodes.
premium:user:geocode:temporary, Premium privileges: Geocoding: Geocode (not stored): access the geocoding service and perform geocodes that are no tstored.
premium:user:networkanalysis:routing, Premium privileges: Routing: Routing: access the  routingservice and perform standard routing operations.
premium:user:networkanalysis:closestfacility, Premium privileges: Routing: Closest facility: access the routing service and perform closest facility routing operations.
premium:user:networkanalysis:locationallocation, Premium privileges: Routing: Location allocation: access the routing service and perform locational location operations.
premium:user:networkanalysis:optimizedrouting, Premium privileges: Routing: Optimized routing: access the routing service and perform optimized routing operations.
premium:user:networkanalysis:origindestinationcostmatrix, Premium privileges: Routing: Origin/destination cost matrix: access the routing service and generate travel cost matrices.
premium:user:networkanalysis:servicearea, Premium privileges: Routing: Service area: access the routing service and generate service areas.
premium:user:networkanalysis:vehiclerouting, Premium privileges: Routing: Multi-vehicle routing: access the routing service and perform fleet routing operations.
premium:user:networkanalysis:lastmiledelivery, Premium privileges: Routing: Last mile: access the routing service and perform routing operations for lastmile delivery.
premium:user:networkanalysis:snaptoroads, Premium privileges: Routing: Snap to roads: perform network analysis tasks suchas snap GPS track points to roads.
premium:user:geoenrichment, Premium privileges: Data enrichment: GeoEnrichment service: access the GeoEnrichment service.
premium:user:elevation, Premium privileges: Elevation: Elevation service: access the elevation service.
premium:user:spatialanalysis, Spatial Analyst privileges: Feature analysis: Spatial analysis service: access the spatial analysis service.
premium:publisher:rasteranalysis, Spatial Analyst privileges: Image analysis: Image analysis service: access image services to perform analysis.
portal:user:useAIAssistants, General privileges: AI assistants: Use AI assistants: use generative AI and ArcGIS assistants.
portal:user:viewOrgUsers, General privileges: Members: View: view members of the organization.
portal:user:arcgispro:takeLicenseOffline, General privileges: Members: Take ArcGIS Pro license offline: take their ArcGIS Pro license offline.
portal:user:createGroup, General privileges: Groups: Create, update, and delete: create, edit, and delete their own groups.
portal:user:joinGroup, General privileges: Groups: Join organizational groups: join groups within your organization.
portal:user:joinNonOrgGroup, General privileges: Groups: Join external groups: join groups external to your organization.
portal:user:viewOrgGroups, General privileges: Groups: View groups shared with organization: view groups shared with the organization.
portal:user:invitePartneredCollaborationMembers, General privileges: Groups: Invite partnered organization members: invite members from partnered collaboration organizations to groups.
portal:user:addExternalMembersToGroup, General privileges: Groups: Add members from other organizations: create groups that allow members from other organizations, as well as invite external members to groups.
portal:user:createItem, General privileges: Content: Create, update, and delete: create, edit, and delete their own content.
portal:publisher:publishFeatures, General privileges: Content: Publish hosted feature layers: publish hosted feature layers from shapefiles, CSVs, etc.
portal:publisher:publishTiles, General privileges: Content: Publish hosted tile layers: publish hosted tile layers from tile packages, features, etc.
portal:publisher:publishScenes, General privileges: Content: Publish hosted scene layers: publish hosted scene layers.
portal:publisher:publishTiledImagery, General privileges: Content: Published hosted tiled imagery layers: publish hosted tiled imagery layers from a single image or collection of images. Requires an ArcGIS Image for ArcGIS Online user type extension.
portal:publisher:publishDynamicImagery, General privileges: Content: Publish hosted dynamic imagery layers: publish hosted dynamic imagery layers from a single image or collection of images.
portal:user:viewOrgItems, General privileges: Content: View content shared with organization: view content shared to the organization.
portal:user:viewTracks, General privileges: Content: View location tracks: view members' location tracks via shared track views when location sharing is enabled.
portal:user:reassignItems, General privileges: Content: Reassign content: reassign ownership of content owned by the account to another member.
portal:user:receiveItems, General privileges: Content: Receive content: receive content assigned to them by another member.
portal:publisher:createDataPipelines, General privileges: Content: Create and run data pipelines: create, edit, and run data pipelines.
portal:publisher:publishRealTimeAnalytics, General privileges: Content: Publish real-time analytics: publish real-time analytics to analyze and process real-time data using ArcGIS Velocity.
portal:user:categorizeItems, General privileges: Content: Categorize items: set the category of items you own.
portal:publisher:publishBigDataAnalytics, General privileges: Content: Publish big data analytics: publish big data analytics and process historical observation data using ArcGIS Velocity.
portal:publisher:publishFeeds, General privileges: Content: Publish feeds: publish feeds.
portal:user:generateApiTokens, General privileges: Content: Generate API keys: generate API keys.
portal:user:assignPrivilegesToApps, General privileges: Content: Assign privileges to OAuth 2.0 applications: assign privileges to OAuth 2.0 applications.
portal:user:shareToGroup, General privileges: Sharing: Share with groups: share content to groups.
portal:user:shareToOrg, General privileges: Sharing: Share with organization: share content to your organization.
portal:user:shareToPublic, General privileges: Sharing: Share with public: share their content publicly if permitted by the organization's public sharing policy.
portal:user:shareGroupToOrg, General privileges: Sharing: Make groups visible to organization: make groups discoverable by your organization.
portal:user:shareGroupToPublic, General privileges: Sharing: Make groups visible to public: make groups discoverable by the public.
opendata:user:designateGroup, General privileges: Sharing: Make groups available to Open Data: designate groups as being available for use in Open Data sites.
features:user:edit, General privileges: Features: Edit: edit features in editable layers that are not public, based on the edit options enabled on the layer.
features:user:fullEdit, General privileges: Features: Edit with full control: add, delete, and update features in an editable, hosted feature layer, regardless of the editing options enabled on the layer.
premium:publisher:createNotebooks, General privileges: Premium content: Create notebooks: create and edit interactive notebooks.
premium:publisher:scheduleNotebooks, General privileges: Premium content: Schedule notebooks: schedule future automated runs of a notebook.
premium:publisher:createAdvancedNotebooks, General privileges: Premium content: Create advanced notebooks: import and use ArcPy modules in ArcGIS Notebooks.
premium:user:demographics, General privileges: Premium content: Demographic maps: access demographic maps in ArcGIS Living Atlas.
premium:user:featurereport, General privileges: Premium content: Feature report: create feature reports in ArcGIS Survey123.
portal:user:runWebTool, General privileges: Premium content: Run web tools: run web tools.
portal:admin:viewUsers, Administrative privileges: Members: View all: view full member account information within your organization.
portal:admin:updateUsers, Administrative privileges: Members: Update: reset passwords, update member account information, and update member categories within your organization.
portal:admin:deleteUsers, Administrative privileges: Members: Delete: delete member accounts within your organization.
portal:admin:inviteUsers, Administrative privileges: Members: Add: invite members to your organization.
portal:admin:disableUsers, Administrative privileges: Members: Disable: enable and disable member accounts within your organization.
portal:admin:changeUserRoles, Administrative privileges: Members: Change roles: change the role a member account is assigned. Note, only members with the Administrator role can assign or unassign the Administrator role to other accounts.
portal:admin:manageLicenses, Administrative privileges: Members: Manage licenses: assign licenses to members of your organization.
portal:admin:updateMemberCategorySchema, Administrative privileges: Members: Manage categories: configure organization member categories.
portal:admin:viewGroups, Administrative privileges: Groups: View all: view all groups within your organization.
portal:admin:updateGroups, Administrative privileges: Groups: Update: update groups within your organization.
portal:admin:deleteGroups, Administrative privileges: Groups: Delete: delete groups within your organization.
portal:admin:reassignGroups, Administrative privileges: Groups: Reassign ownership: reassign groups to other members within your organization.
portal:admin:assignToGroups, Administrative privileges: Groups: Assign members: assign your members to, update your member's group role, and remove your members from groups within your organization.
portal:admin:manageEnterpriseGroups, Administrative privileges: Groups: Link to organization-specific group: link group membership to an organization-specific group.
portal:admin:createUpdateCapableGroup, Administrative privileges: Groups: Create with update capabilities: create groups with update capabilities.
portal:admin:createLeavingDisallowedGroup, Administrative privileges: Groups: Create with leaving disallowed: create and own groups that do not allow members to leave (administrative groups).
portal:admin:viewItems, Administrative privileges: Content: View all: view all content within your organization.
portal:admin:updateItems, Administrative privileges: Content: Update items: update and categorize content and edit hosted feature layers in your organization.
portal:admin:deleteItems, Administrative privileges: Content: Delete items: delete content within your organization.
portal:admin:reassignItems, Administrative privileges: Content: Reassign item ownership: reassign content to other members within your organization.
portal:admin:categorizeItems, Administrative privileges: Content: Categorize items: set the categories of organization content.
portal:admin:updateItemCategorySchema, Administrative privileges: Content: Manage categories: configure organization content categories.
portal:publisher:publishServerGPServices, Administrative privileges: Content: Publish web tools: publish web tools.
portal:admin:shareToOrg, Administrative privileges: Content: Share member content with organization: share content owned by other members in your organization with the organization.
portal:admin:shareToPublic, Administrative privileges: Content: Share member content with public: share content owned by other members in your organization with the public.
portal:admin:createReports, Administrative privileges: Content: Create and manage administrative reports: create and manage administrative reports for your organization
portal:admin:manageSecurity, Administrative privileges: Organization settings: Security and infrastructure: manage the organization's security and infrastructure settings.
portal:admin:manageWebsite, Administrative privileges: Organization settings: Organization website: manage the organization's website settings.
portal:admin:manageCollaborations, Administrative privileges: Organization settings: Collaborations: manage the organization's collaborations.
portal:admin:manageCredits, Administrative privileges: Organization settings: Credits: manage the organization's credit budgeting settings.
portal:admin:manageRoles, Administrative privileges: Organization settings: Member roles: manage the organization's member roles.
portal:admin:manageUtilityServices, Administrative privileges: Organization settings: Utility services: manage the organization's utility service settings
marketplace:admin:manage, Administrative privileges: Organization settings: Create and manage: create listings, list items, manage subscriptions within ArcGIS Marketplace, as well as manage purchasers and contact information for your organization. Use of this privilege depends on your organization obtaining listing and publishing access to the ArcGIS Marketplace.
marketplace:admin:purchase, Administrative privileges: Organization settings: Purchase and get free products: send purchase requests and access free products from providers in ArcGIS Marketplace. To allow members to purchase products using credit cards, you must designate them as Marketplace purchasers.
marketplace:admin:startTrial, Administrative privileges: Organization settings: Start trials: start trial subscriptions within ArcGIS Marketplace
portal:admin:manageWebhooks, Administrative privileges: Organization settings: Webhooks: create, edit, and delete all webhooks in your organization.
portal:publisher:bulkPublishFromDataStores, General privileges: Content: Publish from data store: grants the owner of a database data store item the ability to publish feature and map layers from all feature classes and tables that can be accessed in the database
portal:publisher:publishServerServices, General privileges: Content: Publish server service: grants the ability to publish ArcGIS Server web layers to ArcGIS Server sites that are federated with the portal. These services often reference registered data from geodatabases or file-based data sources. This privilege is also required for members who will bulk publish layers from a data store item.
portal:publisher:registerDataStores, General privileges: Content: Register data store: grants the ability to add data store items to the portal.
portal:user:allowBetaAccess, Administrative privileges: Organization settings: Beta Access: access Esri beta apps and capabilities.
portal:user:createWorkflow, General privileges: Content: Workflow: create workflow items.
premium:publisher:geoanalytics, Premium privileges: Premium content: Geoanalytics: perform credit-consuming geoanalytics.
premium:user:geocode, Premium privileges: Premium content: Geocoding: perform credit-consuming geocoding tasks with ArcGIS World Geocoding Service (or a view of this locator).
premium:user:networkanalysis, Premium privileges: Premium content: Network Analysis: perform network analysis tasks such as routing and drive-time areas.
"""

# -------------------------------
# Utility: load mapping from CSV
# -------------------------------
def load_privilege_mapping(csv_text: str) -> dict:
    mapping = {}
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        code = (row.get("JSON") or "").strip()
        label = (row.get("PRIVILEGE") or "").strip()
        if code:
            mapping[code] = label
    return mapping

def get_token(username, password):
    token_url = f"{PORTAL_URL}/sharing/rest/generateToken"
    payload = {
        "username": username,
        "password": password,
        "client": "referer",
        "referer": "https://www.arcgis.com",
        "expiration": 60,
        "f": "json",
    }
    resp = requests.post(token_url, data=payload)
    resp.raise_for_status()
    data = resp.json()
    if "token" not in data:
        raise Exception(f"Token request failed: {data}")
    return data["token"]

def fetch_all_custom_roles(token):
    """
    Try to get *all* roles (including built-ins if the server honors 'all=true').
    If the server only returns custom roles, we still get custom roles w/ privileges here.
    """
    params = {
        "f": "json",
        "token": token,
        "num": 1000,               # get more than the default 10
        "returnPrivileges": "true",
        "all": "true"              # ask for built-ins too (some deployments honor this)
    }
    resp = requests.get(CUSTOM_ROLES_URL, params=params)
    resp.raise_for_status()
    data = resp.json()
    roles = data.get("roles", [])
    # Handle pagination
    next_start = data.get("nextStart", -1)
    while isinstance(next_start, int) and next_start != -1:
        params.update({"start": next_start})
        resp = requests.get(CUSTOM_ROLES_URL, params=params)
        resp.raise_for_status()
        page = resp.json()
        roles.extend(page.get("roles", []))
        next_start = page.get("nextStart", -1)
    return roles

def fetch_builtin_roles(token):
    """
    Fallback: pull built-ins from /portals/self -> defaultUserRoles.
    Built-ins do not expose full privilege arrays via REST, so we keep them present
    but they will show 'No' for each privilege in the pivot, unless you provide
    explicit built-in role privilege sets.
    """
    params = {"f": "json", "token": token}
    resp = requests.get(PORTAL_INFO_URL, params=params)
    resp.raise_for_status()
    info = resp.json()
    builtins = info.get("defaultUserRoles", [])
    normalized = []
    for r in builtins:
        normalized.append({
            "id": r.get("role"),             # e.g., 'org_user'
            "name": r.get("name", r.get("role", "")),
            "privileges": []                 # no list exposed via REST
        })
    return normalized

def dedupe_roles(all_roles):
    """
    Deduplicate by 'id' (or fallback to 'name' if 'id' is missing).
    Prefer entries that include 'privileges'.
    """
    by_id = {}
    for role in all_roles:
        key = role.get("id") or role.get("name")
        if not key:
            continue
        if key in by_id:
            have_privs = bool(by_id[key].get("privileges"))
            new_privs = bool(role.get("privileges"))
            if not have_privs and new_privs:
                by_id[key] = role
        else:
            by_id[key] = role
    return list(by_id.values())

def map_privilege_codes_to_labels(priv_codes, mapping):
    """
    Given a list of privilege codes (strings), return the mapped labels.
    Unknown codes fall back to the raw code text.
    """
    labels = []
    for code in (priv_codes or []):
        labels.append(mapping.get(code, code))
    return labels

def write_privilege_matrix_csv(roles, mapping, filename="roles_privilege_matrix.csv"):
    """
    Pivot output:
      Row: Privilege (Mapped)
      Columns: Role names
      Cell: 'Yes' if role has privilege, else 'No'
    """
    # Collect all role names and each role's mapped privileges
    role_names = []
    role_to_privs = {}  # role_name -> set(mapped labels)
    for role in roles:
        role_name = role.get("name", "") or role.get("id", "")
        # If duplicate role names exist, append id to disambiguate
        if role_name in role_to_privs:
            role_name = f"{role_name} ({role.get('id','')})"
        role_names.append(role_name)
        mapped_labels = set(map_privilege_codes_to_labels(role.get("privileges", []), mapping))
        role_to_privs[role_name] = mapped_labels

    # Build the union of all mapped privileges observed
    all_priv_labels = set()
    for labels in role_to_privs.values():
        all_priv_labels.update(labels)
    # Remove empty placeholders if present
    all_priv_labels.discard("")  # guard against stray empties

    # Sort privileges for consistent output
    sorted_priv_labels = sorted(all_priv_labels)

    # Write CSV matrix
    with open(filename, "w", newline="", encoding="utf-8") as f:
        w = csv.writer(f)
        # Header: Privilege (Mapped) + one column per role
        w.writerow(["Privilege (Mapped)"] + role_names)
        # Rows: each privilege label, with Yes/No per role
        for plabel in sorted_priv_labels:
            row = [plabel]
            for rname in role_names:
                row.append("Yes" if plabel in role_to_privs[rname] else "No")
            w.writerow(row)

def main():
    # Load mapping from embedded CSV text
    privilege_mapping = load_privilege_mapping(PRIVILEGE_MAPPING_CSV)

    # Keyring password for the hard-coded username
    password = keyring.get_password(KEYRING_SERVICE, USERNAME)
    if not password:
        raise Exception(f"Password for '{USERNAME}' not found in keyring.")

    # Authenticate
    token = get_token(USERNAME, password)

    # Fetch roles
    custom_roles = fetch_all_custom_roles(token)
    builtin_roles = fetch_builtin_roles(token)

    # Merge and dedupe
    merged = dedupe_roles(builtin_roles + custom_roles)

    # Ensure "User" exists even if server doesn’t surface it via /roles (will have no privileges via REST)
    if not any((r.get("id") == "org_user" or r.get("name") == "User") for r in merged):
        merged.append({
            "id": "org_user",
            "name": "User",
            "privileges": []  # built-in; REST doesn't return explicit privilege list
        })

    # Write pivoted CSV: Privilege as rows, Roles as columns
    write_privilege_matrix_csv(merged, privilege_mapping)
    print("CSV written: roles_privilege_matrix.csv")

if __name__ == "__main__":
    main()