I have users in multiple roles. Some role have higher permission and with access to a list of indexes. How can I view the effective permission for this user. Will user have the least privilege role or the highest privilege role.
Yes I got some rest query. Just be curious is the dashboard you mentioned here is a custom developed or any app available?
Here is a one part of out dashboard which shows allowed indexes.
<panel>
<title>Indexes what the user is allowed to search. Also which group grants which index</title>
<table>
<search>
<query>| rest /services/authentication/users splunk_server=<local or list of SH's which are peer for your MC node>
| search title!=admin | table title roles | rename title as user | rename roles as title | search user=$username$ | mvexpand title
| join type=left max=0 title [| rest /services/authorization/roles splunk_server=<local or selction of your MC's peers>| table title srchInd* | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) | table title indexes | mvexpand indexes | dedup title indexes | eval indexes_orig=indexes | join indexes max=0 type=left [| rest /services/data/indexes | stats count by title | table title| eval indexes=if(match(title,"^_"),"_*","*") | rename title as indexes_new]| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig) | table title indexes] |rename user as Username title as Group indexes as Index
| dedup Index</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">15</option>
<option name="drilldown">none</option>
<option name="link.visible">0</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
I think that we have found (at least) the base idea from previous answers, couldn't recall who is the real originator?
r. Ismo