Security
Highlighted

Can we produce a list of roles and their resources?

Motivator

Is there a way to produce a list of roles in the system and their associated resources, such as User-level concurrent real-time search job limit, Role-level concurrent search job limit, etc.

Tags (2)
0 Karma
Highlighted

Re: Can we produce a list of roles and their resources?

SplunkTrust
SplunkTrust

@danielbb

You can access role, capabilities and resource associated particular role using | rest search command. Please try below search.

1) List of roles with capabilities

| rest /services/authorization/roles | table  title capabilities

2) List of user with roles

|rest /services/authentication/users splunk_server=local  |fields title roles realname|rename title as userName|rename realname as Name

View solution in original post

Highlighted

Re: Can we produce a list of roles and their resources?

Motivator

Great @kamlesh_vaghela - | rest /services/authorization/roles | table * shows them all...

0 Karma
Highlighted

Re: Can we produce a list of roles and their resources?

SplunkTrust
SplunkTrust

Awesome @danielbb , Can you please accept the answer to close this question?

0 Karma
Highlighted

Re: Can we produce a list of roles and their resources?

Esteemed Legend

We had to give full admin access in the past because they weren't able to discern what permissions were needed for some tools (ES, UBA, etc.). Later we decided that we'd like to audit and figure out who is able to do what and slowly remove those who don't need it.
Several roles import the admin role and they have several different SH clusters. Just trying to find an easy way to build an action list was more complicated than we expected. Here is what we ended up getting, which should give you a good head-start:

| rest/services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
| appendpipe [
| rest/services/authorization/roles
| dedup id
| rename title AS role_direct
| eval role_add = role_direct
| eval combined_roles=mvappend(role_add,imported_roles)
| mvexpand combined_roles 
| fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
| appendpipe [
| rest /services/authorization/roles 
| dedup id
| rename title AS combined_role
| fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
| search capability="edit_user"