topic Re: Generate a list of users and assigned roles for them in Splunk Search

Generate a list of users and assigned roles for them

splunklearner — Tue, 29 Jul 2025 12:07:11 GMT

We are having multiple roles created in Splunk restricted by their index and users will be added to this role via AD group and we use LDAP method for authentication.

Below is authentication.conf

[authentication] authType = LDAP authSettings = uk_ldap_auth [uk_ldap_auth] SSLEnabled = 1 bindDN = CN=Infodir-HBEU-INFSLK,OU=Service Accounts,DC=InfoDir,DC=Prod,DC=FED groupBaseDN = OU=Splunk Network Log Analysis UK,OU=Applications,OU=Groups,DC=Infodir,DC=Prod,DC=FED groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = aa-lds-prod.uk.fed port = 3269 userBaseDN = ou=HSBCPeople,dc=InfoDir,dc=Prod,dc=FED userNameAttribute = employeeid realNameAttribute = displayname emailAttribute = mail [roleMap_uk_ldap_auth] <roles mapped with AD group created>

Checked this post - https://community.splunk.com/t5/Security/How-can-I-generate-a-list-of-users-and-assigned-roles/m-p/194811 and try to give the same command -

|rest /services/authentication/users splunk_server=local 
|fields title roles realname |rename title as userName|rename realname as Name

Given this in SH search, but hardly returning only 5 results but we have nearly 100 roles created. Even given splunk_server=*, still the same result.

I am having admin role as well and I hope I have the needed capabilities. Not sure what am I missing here? Any thoughts?

Re: Generate a list of users and assigned roles for them

livehybrid — Tue, 29 Jul 2025 12:16:15 GMT

Hi @splunklearner

In your authorize.conf file you have a stanza named [role_system_admin] remove the next two attributes:

edit_roles_grantable = enabled

grantableRoles = system_admin

These lines were required in the older versions of Splunk. Now however they are causing the issues you are seeing.

Check out https://community.splunk.com/t5/Security/Users-missing-from-Access-Control/m-p/487058#M11170 for more info on this fix.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful

Marking it as the solution if it resolved your issue

Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Re: Generate a list of users and assigned roles for them

splunklearner — Tue, 29 Jul 2025 12:24:20 GMT

But in local/authorize.conf this stanza is not there

Re: Generate a list of users and assigned roles for them

PickleRick — Tue, 29 Jul 2025 16:44:22 GMT

Wait. Are you saying that you're getting only a handful of results meaning that you don't see all users? (because that's usually the case @livehybrid described - problematic setting in role definitions cause users to not show up properly in some places).

Or do you mean that you have 100 roles defined in your system and ony see 5 roles assigned to the users? This case is acctually normal because Splunk doesn't expand inherited roles. You can see all effective capabilities per user, but you can't see any "intermediate" roles - just the ones explicitly assigned to a user.

Re: Generate a list of users and assigned roles for them

splunklearner — Tue, 29 Jul 2025 17:10:28 GMT

I mean we have 100 roles already assigned to the users (AD groups) and we can see only 5 roles when giving that search... We want to see all roles assigned to each user... AD group consists of many members

Re: Generate a list of users and assigned roles for them

PickleRick — Tue, 29 Jul 2025 17:33:53 GMT

Ok. As I said - you will only see the groups directly assigned by group mappings - no inherited roles. That's one thing.

Another thing - as far as I remember, the user is assigned roles from LDAP mapping at the time they are logging in. After that the provisioned user stays the way it is until the user logs in again, LDAP gets contacted and then user's roles are synchronized to LDAP groups.

So if - for example - your users last logged in a month ago but you added them to various LDAP groups last week, you won't see that in Splunk until they log in.

Re: Generate a list of users and assigned roles for them

splunklearner — Tue, 29 Jul 2025 17:40:20 GMT

They are logging in daily but still can't able to see their name and title

Re: Generate a list of users and assigned roles for them

livehybrid — Tue, 29 Jul 2025 21:34:31 GMT

Ah my apologies, I misunderstood previously.

As @PickleRick said, Splunk will only be aware of any changes/additional/removal of groups when a user logs in, so this is something worth considering, although isnt the issue here.

Can I clarify - the 100s of roles that you're referring to here, are these *all* Splunk roles that also exist in Splunk where the AD role is mapped to a specific (unique) Splunk role?

The REST endpoints will only return the Splunk role for a user not all their AD roles - I just want to make sure we're on the same page before I dig deeper! Thanks

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing