Security

Can we produce a list of roles and their resources?

danielbb
Motivator

Is there a way to produce a list of roles in the system and their associated resources, such as User-level concurrent real-time search job limit, Role-level concurrent search job limit, etc.

Tags (2)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@danielbb

You can access role, capabilities and resource associated particular role using | rest search command. Please try below search.

1) List of roles with capabilities

| rest /services/authorization/roles | table  title capabilities

2) List of user with roles

|rest /services/authentication/users splunk_server=local  |fields title roles realname|rename title as userName|rename realname as Name

View solution in original post

woodcock
Esteemed Legend

We had to give full admin access in the past because they weren't able to discern what permissions were needed for some tools (ES, UBA, etc.). Later we decided that we'd like to audit and figure out who is able to do what and slowly remove those who don't need it.
Several roles import the admin role and they have several different SH clusters. Just trying to find an easy way to build an action list was more complicated than we expected. Here is what we ended up getting, which should give you a good head-start:

| rest/services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
| appendpipe [
| rest/services/authorization/roles
| dedup id
| rename title AS role_direct
| eval role_add = role_direct
| eval combined_roles=mvappend(role_add,imported_roles)
| mvexpand combined_roles 
| fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
| appendpipe [
| rest /services/authorization/roles 
| dedup id
| rename title AS combined_role
| fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
| search capability="edit_user"

kamlesh_vaghela
SplunkTrust
SplunkTrust

@danielbb

You can access role, capabilities and resource associated particular role using | rest search command. Please try below search.

1) List of roles with capabilities

| rest /services/authorization/roles | table  title capabilities

2) List of user with roles

|rest /services/authentication/users splunk_server=local  |fields title roles realname|rename title as userName|rename realname as Name

danielbb
Motivator

Great @kamlesh_vaghela - | rest /services/authorization/roles | table * shows them all...

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Awesome @danielbb , Can you please accept the answer to close this question?

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...