Security

Can we produce a list of roles and their resources?

danielbb
Motivator

Is there a way to produce a list of roles in the system and their associated resources, such as User-level concurrent real-time search job limit, Role-level concurrent search job limit, etc.

Tags (2)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@danielbb

You can access role, capabilities and resource associated particular role using | rest search command. Please try below search.

1) List of roles with capabilities

| rest /services/authorization/roles | table  title capabilities

2) List of user with roles

|rest /services/authentication/users splunk_server=local  |fields title roles realname|rename title as userName|rename realname as Name

View solution in original post

woodcock
Esteemed Legend

We had to give full admin access in the past because they weren't able to discern what permissions were needed for some tools (ES, UBA, etc.). Later we decided that we'd like to audit and figure out who is able to do what and slowly remove those who don't need it.
Several roles import the admin role and they have several different SH clusters. Just trying to find an easy way to build an action list was more complicated than we expected. Here is what we ended up getting, which should give you a good head-start:

| rest/services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
| appendpipe [
| rest/services/authorization/roles
| dedup id
| rename title AS role_direct
| eval role_add = role_direct
| eval combined_roles=mvappend(role_add,imported_roles)
| mvexpand combined_roles 
| fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
| appendpipe [
| rest /services/authorization/roles 
| dedup id
| rename title AS combined_role
| fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
| search capability="edit_user"

kamlesh_vaghela
SplunkTrust
SplunkTrust

@danielbb

You can access role, capabilities and resource associated particular role using | rest search command. Please try below search.

1) List of roles with capabilities

| rest /services/authorization/roles | table  title capabilities

2) List of user with roles

|rest /services/authentication/users splunk_server=local  |fields title roles realname|rename title as userName|rename realname as Name

danielbb
Motivator

Great @kamlesh_vaghela - | rest /services/authorization/roles | table * shows them all...

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Awesome @danielbb , Can you please accept the answer to close this question?

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...