topic Re: How to write a search to list roles and their capabilities in a Splunk environment? in Splunk Search

How to write a search to list roles and their capabilities in a Splunk environment?

srikanth1213 — Fri, 14 Oct 2016 18:17:59 GMT

Hello Guys,

Can someone help me with a search to list the roles and their capabilities in a Splunk environment?

Re: How to write a search to list roles and their capabilities in a Splunk environment?

horsefez — Fri, 14 Oct 2016 18:25:29 GMT

Hello,

here is a solution for the roles and users from always awesome user "somesoni2"
https://answers.splunk.com/answers/127844/how-can-i-generate-a-list-of-users-and-assigned-roles.html

and with the roles and capabilities thing you are not far off searching with this command:

 | rest /services/authorization/roles

used those myself in the past to get reports about that

Re: How to write a search to list roles and their capabilities in a Splunk environment?

jkat54 — Fri, 14 Oct 2016 20:11:29 GMT

This is an awesome app for that:

https://splunkbase.splunk.com/app/1866/

Re: How to write a search to list roles and their capabilities in a Splunk environment?

srikanth1213 — Mon, 17 Oct 2016 16:47:56 GMT

@ jkat54 : It would not let me download the app.. can you please check...

Re: How to write a search to list roles and their capabilities in a Splunk environment?

bandit — Thu, 25 Jul 2019 01:35:41 GMT

Dashboard which will list and compare role capabilities. (XML code below)

<form hideFilters="true">
  <label>Role Capabilities</label>
  <description>(select roles and capabilities to compare)</description>
  <fieldset submitButton="false">
    <input type="checkbox" token="role" searchWhenChanged="true">
      <label>Roles</label>
      <fieldForLabel>role</fieldForLabel>
      <fieldForValue>role</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
 | table roles
 | mvexpand roles
 | dedup roles
 | table roles
 | sort roles
 | rename roles as role</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>role="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <choice value="*">All</choice>
      <default>admin,power,sc_admin,user</default>
    </input>
    <input type="dropdown" token="capability_group" searchWhenChanged="true">
      <label>Capability Group</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>capability_group="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>capability_group</fieldForLabel>
      <fieldForValue>capability_group</fieldForValue>
      <search>
        <query>| rest /services/authorization/roles splunk_server=local 
| table capabilities 
| mvexpand capabilities 
| dedup capabilities 
| sort capabilities 
| rex field=capabilities "^(?<capability_group>[^_]+)" 
| table capability_group 
| dedup capability_group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="capabilities" searchWhenChanged="true">
      <label>Capabilities</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>capabilities="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>capabilities</fieldForLabel>
      <fieldForValue>capabilities</fieldForValue>
      <search>
        <query>| rest /services/authorization/roles splunk_server=local 
| table capabilities 
| mvexpand capabilities 
| dedup capabilities 
| sort capabilities</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Capabilities by Role</title>
      <table>
        <search>
          <query>| rest /services/authorization/roles splunk_server=local 
| table capabilities 
| dedup capabilities 
| sort capabilities 
| eval role="Capabilities List" 
| table capabilities 
| stats count by role capabilities 
| appendcols 
    [| rest /services/authorization/roles 
    | table title capabilities 
    | dedup title 
    | rename title as role 
    | table role capabilities 
    | stats count by role capabilities] 
| eval _time=now() 
| search $role$ 
| stats count(eval(capabilities="accelerate_datamodel")) as accelerate_datamodel count(eval(capabilities="accelerate_search")) as accelerate_search count(eval(capabilities="admin_all_objects")) as admin_all_objects count(eval(capabilities="change_authentication")) as change_authentication count(eval(capabilities="change_own_password")) as change_own_password count(eval(capabilities="delete_by_keyword")) as delete_by_keyword count(eval(capabilities="dispatch_rest_to_indexers")) as dispatch_rest_to_indexers count(eval(capabilities="dmc_deploy_apps")) as dmc_deploy_apps count(eval(capabilities="dmc_deploy_token_http")) as dmc_deploy_token_http count(eval(capabilities="edit_cmd")) as edit_cmd count(eval(capabilities="edit_deployment_client")) as edit_deployment_client count(eval(capabilities="edit_deployment_server")) as edit_deployment_server count(eval(capabilities="edit_dist_peer")) as edit_dist_peer count(eval(capabilities="edit_encryption_key_provider")) as edit_encryption_key_provider count(eval(capabilities="edit_forwarders")) as edit_forwarders count(eval(capabilities="edit_httpauths")) as edit_httpauths count(eval(capabilities="edit_indexer_cluster")) as edit_indexer_cluster count(eval(capabilities="edit_indexerdiscovery")) as edit_indexerdiscovery count(eval(capabilities="edit_input_defaults")) as edit_input_defaults count(eval(capabilities="edit_local_apps")) as edit_local_apps count(eval(capabilities="edit_monitor")) as edit_monitor count(eval(capabilities="edit_restmap")) as edit_restmap count(eval(capabilities="edit_roles")) as edit_roles count(eval(capabilities="edit_roles_grantable")) as edit_roles_grantable count(eval(capabilities="edit_scripted")) as edit_scripted count(eval(capabilities="edit_search_head_clustering")) as edit_search_head_clustering count(eval(capabilities="edit_search_schedule_priority")) as edit_search_schedule_priority count(eval(capabilities="edit_search_schedule_window")) as edit_search_schedule_window count(eval(capabilities="edit_search_scheduler")) as edit_search_scheduler count(eval(capabilities="edit_search_server")) as edit_search_server count(eval(capabilities="edit_server")) as edit_server count(eval(capabilities="edit_server_crl")) as edit_server_crl count(eval(capabilities="edit_sourcetypes")) as edit_sourcetypes count(eval(capabilities="edit_splunktcp")) as edit_splunktcp count(eval(capabilities="edit_splunktcp_ssl")) as edit_splunktcp_ssl count(eval(capabilities="edit_splunktcp_token")) as edit_splunktcp_token count(eval(capabilities="edit_statsd_transforms")) as edit_statsd_transforms count(eval(capabilities="edit_tcp")) as edit_tcp count(eval(capabilities="edit_tcp_stream")) as edit_tcp_stream count(eval(capabilities="edit_telemetry_settings")) as edit_telemetry_settings count(eval(capabilities="edit_token_http")) as edit_token_http count(eval(capabilities="edit_udp")) as edit_udp count(eval(capabilities="edit_upload_and_index")) as edit_upload_and_index count(eval(capabilities="edit_user")) as edit_user count(eval(capabilities="edit_view_html")) as edit_view_html count(eval(capabilities="edit_web_settings")) as edit_web_settings count(eval(capabilities="embed_report")) as embed_report count(eval(capabilities="export_results_is_visible")) as export_results_is_visible count(eval(capabilities="get_diag")) as get_diag count(eval(capabilities="get_metadata")) as get_metadata count(eval(capabilities="get_typeahead")) as get_typeahead count(eval(capabilities="indexes_edit")) as indexes_edit count(eval(capabilities="indexes_list_all")) as indexes_list_all count(eval(capabilities="input_file")) as input_file count(eval(capabilities="license_edit")) as license_edit count(eval(capabilities="license_tab")) as license_tab count(eval(capabilities="license_view_warnings")) as license_view_warnings count(eval(capabilities="list_deployment_client")) as list_deployment_client count(eval(capabilities="list_deployment_server")) as list_deployment_server count(eval(capabilities="list_forwarders")) as list_forwarders count(eval(capabilities="list_httpauths")) as list_httpauths count(eval(capabilities="list_indexer_cluster")) as list_indexer_cluster count(eval(capabilities="list_indexerdiscovery")) as list_indexerdiscovery count(eval(capabilities="list_inputs")) as list_inputs count(eval(capabilities="list_introspection")) as list_introspection count(eval(capabilities="list_metrics_catalog")) as list_metrics_catalog count(eval(capabilities="list_search_head_clustering")) as list_search_head_clustering count(eval(capabilities="list_search_scheduler")) as list_search_scheduler count(eval(capabilities="list_settings")) as list_settings count(eval(capabilities="list_storage_passwords")) as list_storage_passwords count(eval(capabilities="output_file")) as output_file count(eval(capabilities="pattern_detect")) as pattern_detect count(eval(capabilities="refresh_application_licenses")) as refresh_application_licenses count(eval(capabilities="request_remote_tok")) as request_remote_tok count(eval(capabilities="rest_apps_management")) as rest_apps_management count(eval(capabilities="rest_apps_view")) as rest_apps_view count(eval(capabilities="rest_properties_get")) as rest_properties_get count(eval(capabilities="rest_properties_set")) as rest_properties_set count(eval(capabilities="restart_reason")) as restart_reason count(eval(capabilities="restart_splunkd")) as restart_splunkd count(eval(capabilities="rtsearch")) as rtsearch count(eval(capabilities="run_debug_commands")) as run_debug_commands count(eval(capabilities="schedule_rtsearch")) as schedule_rtsearch count(eval(capabilities="schedule_search")) as schedule_search count(eval(capabilities="search")) as search count(eval(capabilities="search_process_config_refresh")) as search_process_config_refresh count(eval(capabilities="web_debug")) as web_debug by role 
| transpose 1000 column_name=capabilities header_field=role 
| rex field=capabilities "^(?<capability_group>[^_]+)" 
| search $capabilities$ $capability_group$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
        <format type="color" field="admin">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="color" field="apps">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="color" field="capability_group">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="power">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="color" field="sc_admin">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="color" field="user">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
        <format type="number" field="internal_automation_role">
          <option name="precision">0</option>
        </format>
        <format type="color" field="internal_automation_role">
          <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>

Re: How to write a search to list roles and their capabilities in a Splunk environment?

99eaglez — Thu, 15 May 2025 14:31:51 GMT

Update to the included classic dashboard code taking care of new framework and handling "capability_group" extraction in lines 42 and 91 related to unescaped HTML tags.

<form version="1.1" theme="light"> <label>Native Role Capabilities (not inherited)</label> <description>(select roles and capabilities to compare)</description> <fieldset submitButton="false"> <input type="checkbox" token="role" searchWhenChanged="true"> <label>Roles</label> <fieldForLabel>role</fieldForLabel> <fieldForValue>role</fieldForValue> <search> <query>| rest /services/authentication/users splunk_server=local | table roles | mvexpand roles | dedup roles | table roles | sort roles | rename roles as role</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>role="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <choice value="*">All</choice> <default>admin,power,sc_admin,user</default> </input> <input type="dropdown" token="capability_group" searchWhenChanged="true"> <label>Capability Group</label> <choice value="*">All</choice> <default>*</default> <prefix>capability_group="</prefix> <suffix>"</suffix> <fieldForLabel>capability_group</fieldForLabel> <fieldForValue>capability_group</fieldForValue> <search> <query>| rest /services/authorization/roles splunk_server=local | table capabilities | mvexpand capabilities | dedup capabilities | sort capabilities | rex field=capabilities "^(?<capability_group>[^_]+)" | table capability_group | dedup capability_group</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> <input type="dropdown" token="capabilities" searchWhenChanged="true"> <label>Capabilities</label> <choice value="*">All</choice> <default>*</default> <prefix>capabilities="</prefix> <suffix>"</suffix> <fieldForLabel>capabilities</fieldForLabel> <fieldForValue>capabilities</fieldForValue> <search> <query>| rest /services/authorization/roles splunk_server=local | table capabilities | mvexpand capabilities | dedup capabilities | sort capabilities</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> </fieldset> <row> <panel> <title>Capabilities by Role</title> <table> <search> <query>| rest /services/authorization/roles splunk_server=local | table capabilities | dedup capabilities | sort capabilities | eval role="Capabilities List" | table capabilities | stats count by role capabilities | appendcols [| rest /services/authorization/roles | table title capabilities | dedup title | rename title as role | table role capabilities | stats count by role capabilities] | eval _time=now() | search $role$ | stats count(eval(capabilities="accelerate_datamodel")) as accelerate_datamodel count(eval(capabilities="accelerate_search")) as accelerate_search count(eval(capabilities="admin_all_objects")) as admin_all_objects count(eval(capabilities="change_authentication")) as change_authentication count(eval(capabilities="change_own_password")) as change_own_password count(eval(capabilities="delete_by_keyword")) as delete_by_keyword count(eval(capabilities="dispatch_rest_to_indexers")) as dispatch_rest_to_indexers count(eval(capabilities="dmc_deploy_apps")) as dmc_deploy_apps count(eval(capabilities="dmc_deploy_token_http")) as dmc_deploy_token_http count(eval(capabilities="edit_cmd")) as edit_cmd count(eval(capabilities="edit_deployment_client")) as edit_deployment_client count(eval(capabilities="edit_deployment_server")) as edit_deployment_server count(eval(capabilities="edit_dist_peer")) as edit_dist_peer count(eval(capabilities="edit_encryption_key_provider")) as edit_encryption_key_provider count(eval(capabilities="edit_forwarders")) as edit_forwarders count(eval(capabilities="edit_httpauths")) as edit_httpauths count(eval(capabilities="edit_indexer_cluster")) as edit_indexer_cluster count(eval(capabilities="edit_indexerdiscovery")) as edit_indexerdiscovery count(eval(capabilities="edit_input_defaults")) as edit_input_defaults count(eval(capabilities="edit_local_apps")) as edit_local_apps count(eval(capabilities="edit_monitor")) as edit_monitor count(eval(capabilities="edit_restmap")) as edit_restmap count(eval(capabilities="edit_roles")) as edit_roles count(eval(capabilities="edit_roles_grantable")) as edit_roles_grantable count(eval(capabilities="edit_scripted")) as edit_scripted count(eval(capabilities="edit_search_head_clustering")) as edit_search_head_clustering count(eval(capabilities="edit_search_schedule_priority")) as edit_search_schedule_priority count(eval(capabilities="edit_search_schedule_window")) as edit_search_schedule_window count(eval(capabilities="edit_search_scheduler")) as edit_search_scheduler count(eval(capabilities="edit_search_server")) as edit_search_server count(eval(capabilities="edit_server")) as edit_server count(eval(capabilities="edit_server_crl")) as edit_server_crl count(eval(capabilities="edit_sourcetypes")) as edit_sourcetypes count(eval(capabilities="edit_splunktcp")) as edit_splunktcp count(eval(capabilities="edit_splunktcp_ssl")) as edit_splunktcp_ssl count(eval(capabilities="edit_splunktcp_token")) as edit_splunktcp_token count(eval(capabilities="edit_statsd_transforms")) as edit_statsd_transforms count(eval(capabilities="edit_tcp")) as edit_tcp count(eval(capabilities="edit_tcp_stream")) as edit_tcp_stream count(eval(capabilities="edit_telemetry_settings")) as edit_telemetry_settings count(eval(capabilities="edit_token_http")) as edit_token_http count(eval(capabilities="edit_udp")) as edit_udp count(eval(capabilities="edit_upload_and_index")) as edit_upload_and_index count(eval(capabilities="edit_user")) as edit_user count(eval(capabilities="edit_view_html")) as edit_view_html count(eval(capabilities="edit_web_settings")) as edit_web_settings count(eval(capabilities="embed_report")) as embed_report count(eval(capabilities="export_results_is_visible")) as export_results_is_visible count(eval(capabilities="get_diag")) as get_diag count(eval(capabilities="get_metadata")) as get_metadata count(eval(capabilities="get_typeahead")) as get_typeahead count(eval(capabilities="indexes_edit")) as indexes_edit count(eval(capabilities="indexes_list_all")) as indexes_list_all count(eval(capabilities="input_file")) as input_file count(eval(capabilities="license_edit")) as license_edit count(eval(capabilities="license_tab")) as license_tab count(eval(capabilities="license_view_warnings")) as license_view_warnings count(eval(capabilities="list_deployment_client")) as list_deployment_client count(eval(capabilities="list_deployment_server")) as list_deployment_server count(eval(capabilities="list_forwarders")) as list_forwarders count(eval(capabilities="list_httpauths")) as list_httpauths count(eval(capabilities="list_indexer_cluster")) as list_indexer_cluster count(eval(capabilities="list_indexerdiscovery")) as list_indexerdiscovery count(eval(capabilities="list_inputs")) as list_inputs count(eval(capabilities="list_introspection")) as list_introspection count(eval(capabilities="list_metrics_catalog")) as list_metrics_catalog count(eval(capabilities="list_search_head_clustering")) as list_search_head_clustering count(eval(capabilities="list_search_scheduler")) as list_search_scheduler count(eval(capabilities="list_settings")) as list_settings count(eval(capabilities="list_storage_passwords")) as list_storage_passwords count(eval(capabilities="output_file")) as output_file count(eval(capabilities="pattern_detect")) as pattern_detect count(eval(capabilities="refresh_application_licenses")) as refresh_application_licenses count(eval(capabilities="request_remote_tok")) as request_remote_tok count(eval(capabilities="rest_apps_management")) as rest_apps_management count(eval(capabilities="rest_apps_view")) as rest_apps_view count(eval(capabilities="rest_properties_get")) as rest_properties_get count(eval(capabilities="rest_properties_set")) as rest_properties_set count(eval(capabilities="restart_reason")) as restart_reason count(eval(capabilities="restart_splunkd")) as restart_splunkd count(eval(capabilities="rtsearch")) as rtsearch count(eval(capabilities="run_debug_commands")) as run_debug_commands count(eval(capabilities="schedule_rtsearch")) as schedule_rtsearch count(eval(capabilities="schedule_search")) as schedule_search count(eval(capabilities="search")) as search count(eval(capabilities="search_process_config_refresh")) as search_process_config_refresh count(eval(capabilities="web_debug")) as web_debug by role | transpose 1000 column_name=capabilities header_field=role | rex field=capabilities "^(?<capability_group>[^_]+)" | search $capabilities$ $capability_group$</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">false</option> <format type="color" field="admin"> <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette> </format> <format type="color" field="apps"> <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette> </format> <format type="color" field="capability_group"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <format type="color" field="power"> <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette> </format> <format type="color" field="sc_admin"> <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette> </format> <format type="color" field="user"> <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette> </format> <format type="number" field="internal_automation_role"> <option name="precision">0</option> </format> <format type="color" field="internal_automation_role"> <colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette> </format> </table> </panel> </row> </form>