You can access role, capabilities and resource associated particular role using
| rest search command. Please try below search.
1) List of roles with capabilities
| rest /services/authorization/roles | table title capabilities
2) List of user with roles
|rest /services/authentication/users splunk_server=local |fields title roles realname|rename title as userName|rename realname as Name
We had to give full admin access in the past because they weren't able to discern what permissions were needed for some tools (ES, UBA, etc.). Later we decided that we'd like to audit and figure out who is able to do what and slowly remove those who don't need it.
Several roles import the admin role and they have several different SH clusters. Just trying to find an easy way to build an action list was more complicated than we expected. Here is what we ended up getting, which should give you a good head-start:
| rest/services/authentication/users | dedup id | rename title AS username roles AS role_direct | mvexpand role_direct | eval user=username . " = " . realname | fields user role_direct | appendpipe [ | rest/services/authorization/roles | dedup id | rename title AS role_direct | eval role_add = role_direct | eval combined_roles=mvappend(role_add,imported_roles) | mvexpand combined_roles | fields role_direct, combined_roles] | stats list(*) AS * BY role_direct | mvexpand combined_roles | rename combined_roles AS combined_role | eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")") | appendpipe [ | rest /services/authorization/roles | dedup id | rename title AS combined_role | fields combined_role capabilities] | stats list(*) AS * BY combined_role | mvexpand formatted_role | mvexpand capabilities | mvexpand user | rename capabilities AS capability | rename formatted_role AS "role (inheritance)" | table user "role (inheritance)" capability | search capability="edit_user"