Security

Can we produce a list of roles and their resources?

danielbb
Motivator

Is there a way to produce a list of roles in the system and their associated resources, such as User-level concurrent real-time search job limit, Role-level concurrent search job limit, etc.?


kamlesh_vaghela
SplunkTrust

@danielbb

You can access the roles, capabilities and resources associated with a particular role using the | rest search command. Please try the searches below.

1) List of roles with capabilities

| rest /services/authorization/roles | table  title capabilities

2) List of users with roles

|rest /services/authentication/users splunk_server=local  |fields title roles realname|rename title as userName|rename realname as Name


woodcock
Esteemed Legend

We had to give full admin access in the past because they weren't able to discern what permissions were needed for some tools (ES, UBA, etc.). Later we decided that we'd like to audit and figure out who is able to do what and slowly remove those who don't need it.
Several roles import the admin role and they have several different SH clusters. Just trying to find an easy way to build an action list was more complicated than we expected. Here is what we ended up getting, which should give you a good head-start:

| rest /services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
| appendpipe [
| rest /services/authorization/roles
| dedup id
| rename title AS role_direct
| eval role_add = role_direct
| eval combined_roles=mvappend(role_add,imported_roles)
| mvexpand combined_roles 
| fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
| appendpipe [
| rest /services/authorization/roles 
| dedup id
| rename title AS combined_role
| fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
| search capability="edit_user"
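
The audit described in the post above, as an added example that is not part of the original thread: it follows role imports transitively (with a guard against import cycles) and reports which users effectively hold a capability and through which chain of roles. The role and user names are invented, and the input shape (entries with `name`, `content.capabilities`, `content.imported_roles`, `content.roles`) is an assumption modelled on the JSON output of the two REST endpoints used in this thread.

```python
import json

# Constructed sample data, shaped like the "entry" arrays returned by
# /services/authorization/roles and /services/authentication/users with
# output_mode=json (assumed shape; role and user names are invented).
ROLES_JSON = json.loads("""[
 {"name": "admin", "content": {"capabilities": ["edit_user", "admin_all_objects"], "imported_roles": ["power"]}},
 {"name": "power", "content": {"capabilities": ["rtsearch"], "imported_roles": ["user"]}},
 {"name": "user", "content": {"capabilities": ["search"], "imported_roles": []}},
 {"name": "es_analyst", "content": {"capabilities": [], "imported_roles": ["soc_base"]}},
 {"name": "soc_base", "content": {"capabilities": [], "imported_roles": ["admin"]}}
]""")
USERS_JSON = json.loads("""[
 {"name": "alice", "content": {"roles": ["admin"]}},
 {"name": "bob", "content": {"roles": ["es_analyst"]}},
 {"name": "carol", "content": {"roles": ["user"]}}
]""")

def index_roles(entries):
    """Map role name -> (own capabilities, directly imported roles)."""
    return {e["name"]: (set(e["content"].get("capabilities", [])),
                        list(e["content"].get("imported_roles", [])))
            for e in entries}

def grant_paths(role, capability, roles, seen=()):
    """Yield every import chain starting at `role` that ends at a role
    granting `capability` itself. `seen` breaks import cycles."""
    if role in seen or role not in roles:
        return
    chain = seen + (role,)
    caps, imports = roles[role]
    if capability in caps:
        yield chain
    for parent in imports:
        yield from grant_paths(parent, capability, roles, chain)

def who_holds(capability, role_entries, user_entries):
    """Return {user: [chain, ...]} for users who effectively hold it."""
    roles = index_roles(role_entries)
    report = {}
    for u in user_entries:
        chains = [c for r in u["content"].get("roles", [])
                  for c in grant_paths(r, capability, roles)]
        if chains:
            report[u["name"]] = [" -> ".join(c) for c in chains]
    return report

if __name__ == "__main__":
    for user, chains in who_holds("edit_user", ROLES_JSON, USERS_JSON).items():
        print(user, chains)
```

Each chain names the role to change: the first element is the role assigned to the user, the last is the role that actually grants the capability.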

danielbb
Motivator

Great @kamlesh_vaghela - | rest /services/authorization/roles | table * shows them all...


kamlesh_vaghela
SplunkTrust

Awesome @danielbb, can you please accept the answer to close this question?
