All,
I need to create a dashboard and alert clearly saying who has "candelete" rights assigned to them and an alert to go with it. Any idea how I can do that?
I believe you need to look for any roles with the capability delete_by_keyword, which the role can_delete has by default, but can be added to any role.
The following search will show any role with that capability:
| rest /servicesNS/nobody/system/admin/roles splunk_server=local
| rename title as roles
| eval caps=mvjoin(capabilities, " ")
| eval icaps=mvjoin(imported_capabilities, " ")
| table roles caps icaps
| stats values(caps) as caps, values(icaps) as icaps by roles
| search caps=*delete_by_keyword* OR icaps=*delete_by_keyword*
@daniel33, can you try the following authentication/users REST API and test?
| rest splunk_server=local /services/authentication/users
| table title roles
| search roles="can_delete"
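Combining the two answers above, as an added example that is not part of the original posts: this search lists every user who holds a role carrying delete_by_keyword, whether the role has the capability directly or imports it from another role. It assumes the /services/authorization/roles endpoint for the role list, and the field names user, all_caps and roles_granting_delete are chosen here for illustration.

```spl
| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title as user
| mvexpand roles
| join type=inner roles
    [| rest /services/authorization/roles splunk_server=local
     | rename title as roles
     | eval all_caps=mvappend(capabilities, imported_capabilities)
     | where isnotnull(mvfind(all_caps, "^delete_by_keyword$"))
     | fields roles]
| stats values(roles) as roles_granting_delete by user
| sort user
```

Used as a dashboard panel it shows the current holders; saved as a scheduled alert it can trigger when the number of results is greater than zero.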