https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112829#M3561 <P>Thank you.</P> Tue, 01 Nov 2016 07:29:36 GMT chris 2016-11-01T07:29:36Z https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112825#M3557 <P>I am looking to run a search that provides a complete list of user roles assigned to each and every index so I can do an audit of who has access to which indexes. I know i can do this manually by reviewing every index but I am looking for a faster way to do it.</P> Tue, 14 Jan 2014 17:55:01 GMT https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112825#M3557 rdelmark 2014-01-14T17:55:01Z https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112826#M3558 <P>Give this a try:</P> <PRE><CODE>| rest /services/authorization/roles | table title srchIndexesAllowed </CODE></PRE> Tue, 14 Jan 2014 18:31:33 GMT https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112826#M3558 martin_mueller 2014-01-14T18:31:33Z https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112827#M3559 <P>This is great, thank-you it works very well.</P> Tue, 14 Jan 2014 20:55:46 GMT https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112827#M3559 rdelmark 2014-01-14T20:55:46Z https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112828#M3560 <P>On the similar line, but more detailed Index-Role-User mapping</P> <PRE><CODE>| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI") | join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role | mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI") | rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role | join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role] </CODE></PRE> <P>Sample output:</P> <PRE><CODE>index_name Role User --------------------------------- _audit admin admin _blocksignature admin admin _internal admin admin _thefishbucket admin admin history admin admin history power history user main admin admin main dummy dummy </CODE></PRE> <P>Blank User column means not user have been assigned that role.</P> Tue, 14 Jan 2014 21:07:49 GMT https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112828#M3560 somesoni2 2014-01-14T21:07:49Z https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112829#M3561 <P>Thank you.</P> Tue, 01 Nov 2016 07:29:36 GMT https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112829#M3561 chris 2016-11-01T07:29:36Z https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112830#M3562 <P>This was very useful</P> Wed, 14 Dec 2016 15:09:28 GMT https://community.splunk.com/t5/Security/Splunk-Search-that-returns-ALL-the-user-ROLES-assigned-to-all/m-p/112830#M3562 kalraj3 2016-12-14T15:09:28Z