I have users in multiple roles. Some role have higher permission and with access to a list of indexes. How can I view the effective permission for this user. Will user have the least privilege role or the highest privilege role.
You can query those roles by rest. There should be several answers already present on community. If you couldn’t found suitable I could present our dashboard later on, when I have my laptop on my hand. All roles have merged together and in the end result user will given the highest capability and access to indexes. r. Ismo
Here is a one part of out dashboard which shows allowed indexes.
<title>Indexes what the user is allowed to search. Also which group grants which index</title>
<query>| rest /services/authentication/users splunk_server=<local or list of SH's which are peer for your MC node>
| search title!=admin | table title roles | rename title as user | rename roles as title | search user=$username$ | mvexpand title
| join type=left max=0 title [| rest /services/authorization/roles splunk_server=<local or selction of your MC's peers>| table title srchInd* | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) | table title indexes | mvexpand indexes | dedup title indexes | eval indexes_orig=indexes | join indexes max=0 type=left [| rest /services/data/indexes | stats count by title | table title| eval indexes=if(match(title,"^_"),"_*","*") | rename title as indexes_new]| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig) | table title indexes] |rename user as Username title as Group indexes as Index
| dedup Index</query>
I think that we have found (at least) the base idea from previous answers, couldn't recall who is the real originator?