I am doing some refactoring of authentication.conf and would like to be able to diff the users and their mapped roles before and after the refactoring. Is there a way to get a list of users and roles?
If it makes a difference, I am using an LDAP strategy.
This should get you a list of users and their corresponding roles. You need admin privileges to get the full result.
|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName|rename realname as Name
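An added example, not part of the thread: the search above reads /services/authentication/users, and the same endpoint answers over REST with output_mode=json, which is the easier thing to snapshot and diff before and after an authentication.conf change. The Python below is my own script, not Splunk's; fetch_entries() pulls the live list (the base URL, credentials and TLS handling are assumptions for your environment), and the rest runs offline on a constructed sample. It needs the same privilege the answer mentions: run it with an account that can list all users.

```python
"""Snapshot Splunk users -> roles from the REST API and diff two snapshots."""
import base64
import json
import ssl
import urllib.request


def fetch_entries(base_url, username, password,
                  endpoint="/services/authentication/users", verify_tls=True):
    """GET one Splunk REST collection as JSON and return its 'entry' list.

    count=0 asks for every entry (the API pages at 30 by default). Only call
    this against a real instance; everything else in this file runs offline.
    base_url is something like "https://splunk.example:8089" (assumed value).
    """
    url = f"{base_url}{endpoint}?output_mode=json&count=0"
    req = urllib.request.Request(url)
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab box still on the self-signed default cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["entry"]


def users_to_roles(entries):
    """Map each user name to its sorted list of directly assigned roles.

    'name' is the plain user name (the dashboards in this thread extract it
    from the URL-encoded 'id' instead); 'content.roles' is the role list.
    The isinstance guard is defensive, in case roles arrives as one string.
    """
    out = {}
    for e in entries:
        roles = e.get("content", {}).get("roles", [])
        if isinstance(roles, str):
            roles = [roles]
        out[e["name"]] = sorted(set(roles))
    return out


def snapshot_lines(mapping):
    """One stable 'user: role1,role2' line per user, sorted, so two snapshots
    can be compared with an ordinary diff tool."""
    return [f"{u}: {','.join(r)}" for u, r in sorted(mapping.items())]


def diff_mappings(before, after):
    """Users added, users removed, and per-user roles gained or lost."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {
        u: {"gained": sorted(set(after[u]) - set(before[u])),
            "lost": sorted(set(before[u]) - set(after[u]))}
        for u in set(before) & set(after)
        if before[u] != after[u]
    }
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample in the shape of an output_mode=json response (not real data).
BEFORE = [
    {"name": "alice", "content": {"roles": ["admin"], "type": "LDAP", "realname": "Alice"}},
    {"name": "bob", "content": {"roles": ["power", "user"], "type": "LDAP", "realname": "Bob"}},
    {"name": "svc_backup", "content": {"roles": "user", "type": "Splunk", "realname": ""}},
]
AFTER = [
    {"name": "alice", "content": {"roles": ["admin"], "type": "LDAP", "realname": "Alice"}},
    {"name": "bob", "content": {"roles": ["user"], "type": "LDAP", "realname": "Bob"}},
    {"name": "carol", "content": {"roles": ["power", "user"], "type": "LDAP", "realname": "Carol"}},
]


def demo():
    """Diff the two constructed snapshots."""
    return diff_mappings(users_to_roles(BEFORE), users_to_roles(AFTER))


if __name__ == "__main__":
    # With a live instance: entries = fetch_entries(base_url, user, pw)
    for line in snapshot_lines(users_to_roles(AFTER)):
        print(line)
    print(json.dumps(demo(), indent=2))
```

Write the snapshot_lines() output to a file before and after the refactoring and run diff on the two files, or keep the JSON and use diff_mappings() for a structured result. Because the mapping is keyed on the user name rather than the URL-encoded id, LDAP users with an @ in the name diff cleanly.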
Dashboard of Splunk users showing roles/capabilities and index access.
Dashboard Code:
<form>
<label>Splunk User List</label>
<fieldset submitButton="false">
<input type="dropdown" token="user" searchWhenChanged="true">
<label>User</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>user</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>| rest /services/authentication/users splunk_server=local
| table defaultApp id realname email roles type splunk_server capabilities
| replace "*%40*" with "*@*" in id
| rex field=id "/users/(?<user>.+)$"
| table user
| sort user</query>
</search>
</input>
<input type="text" token="user_pattern" searchWhenChanged="true">
<label>User Pattern</label>
<default>*</default>
</input>
<input type="text" token="user_list" searchWhenChanged="true">
<label>User List (comma separated)</label>
<default>*</default>
</input>
<input type="dropdown" token="real_name" searchWhenChanged="true">
<label>Real Name</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>realname</fieldForLabel>
<fieldForValue>realname</fieldForValue>
<search>
<query>| rest /services/authentication/users splunk_server=local
| dedup realname
| table realname
| sort realname</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="text" token="real_name_pattern" searchWhenChanged="true">
<label>Real Name Pattern</label>
<default>*</default>
</input>
<input type="dropdown" token="email" searchWhenChanged="true">
<label>Email</label>
<choice value="*">All</choice>
<fieldForLabel>email</fieldForLabel>
<fieldForValue>email</fieldForValue>
<default>*</default>
<search>
<query>| rest /services/authentication/users splunk_server=local
| dedup email
| table email
| sort email</query>
</search>
</input>
<input type="text" token="email_pattern" searchWhenChanged="true">
<label>Email Pattern</label>
<default>*</default>
</input>
<input type="dropdown" token="type" searchWhenChanged="true">
<label>Type</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>type</fieldForLabel>
<fieldForValue>type</fieldForValue>
<search>
<query>| rest /services/authentication/users splunk_server=local
| dedup type
| table type
| sort type</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="role" searchWhenChanged="true">
<label>Role</label>
<choice value="*">All</choice>
<fieldForLabel>roles</fieldForLabel>
<fieldForValue>roles</fieldForValue>
<search>
<query>| rest /services/authentication/users splunk_server=local
| table roles
| mvexpand roles
| dedup roles
| table roles
| sort roles</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>*</default>
</input>
<input type="text" token="role_pattern" searchWhenChanged="true">
<label>Role Pattern</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<title>User Accounts</title>
<table>
<title>(click row for specific user detail)</title>
<search>
<query>| rest /services/authentication/users splunk_server=local
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$"
| table defaultApp id realname email roles type splunk_server capabilities
| replace "*%40*" with "*@*" in id
| rex field=id "/users/(?<user>.+)$"
| table user realname email type roles splunk_server
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$)
| sort -type user</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="type">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="roles">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="splunk_server">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<drilldown>
<unset token="user"></unset>
<set token="user">$click.value$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Role Capabilities</title>
<table>
<search>
<query>| rest /services/authentication/users splunk_server=local
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$"
| table defaultApp id realname email roles type splunk_server
| replace "*%40*" with "*@*" in id
| rex field=id "/users/(?<user>.+)$"
| table user realname email type roles splunk_server
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$)
| rename roles as role
| table role
| mvexpand role
| dedup role
| join role
[| rest /services/authorization/roles
| table title capabilities imported_roles imported_capabilities
| dedup title
| rename title as role
| table role capabilities imported_roles imported_capabilities ]
| table role capabilities imported_roles imported_capabilities
| sort role
| transpose 1000 column_name=role header_field=role</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="type">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="roles">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="splunk_server">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Role Index Access</title>
<table>
<search>
<query>| rest /services/authentication/users splunk_server=local
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$"
| table defaultApp id realname email roles type splunk_server
| replace "*%40*" with "*@*" in id
| rex field=id "/users/(?<user>.+)$"
| table user realname email type roles splunk_server
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$)
| rename roles as role
| table role
| mvexpand role
| dedup role
| join role
[| rest /services/authorization/roles
| table title srchIndexesAllowed imported_roles imported_srchIndexesAllowed
| dedup title
| rename title as role
| table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed ]
| table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed
| sort role
| transpose 1000 column_name=role header_field=role</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="type">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="roles">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="splunk_server">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
</row>
</form>
Here is an updated version: less use of the table command where it is not needed, use of a base search, and dropdowns with counters.
<form version="1.1" theme="dark">
<label>List of Users Capabilities</label>
<!--
1.1 based on https://community.splunk.com/t5/Security/How-can-I-generate-a-list-of-users-and-assigned-roles/m-p/194811
-->
<search id="base_search">
<query>
| rest /services/authentication/users splunk_server=local
| replace "*%40*" with "*@*" in id
| rex field=id "/users/(?<user>.+)$"
| rename roles as role
| fields user defaultApp id realname email role type splunk_server capabilities
| search
user="$user$"
type="$type$"
role="$role$"
</query>
</search>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="user">
<label>User</label>
<search base="base_search">
<query>
| eval data=user
| eval realname=if(isnull(realname), "-", realname)
| stats count by data realname
| eval info=data." (".realname.")"
| sort data
</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>info</fieldForLabel>
<fieldForValue>data</fieldForValue>
<default>*</default>
</input>
<input type="dropdown" token="type">
<label>Type</label>
<search base="base_search">
<query>
| eval data=type
| stats count by data
| eval info=data." (".count.")"
| sort -count
</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>info</fieldForLabel>
<fieldForValue>data</fieldForValue>
<default>*</default>
</input>
<input type="dropdown" token="role">
<label>Role</label>
<search base="base_search">
<query>
| eval data=role
| stats count by data
| eval info=data." (".count.")"
| sort -count
</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>info</fieldForLabel>
<fieldForValue>data</fieldForValue>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<title>User Accounts</title>
<table>
<search base="base_search">
<query>
| table user realname email type role splunk_server
</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="type">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="role">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="splunk_server">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<drilldown>
<unset token="user"></unset>
<set token="user">$click.value$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Role Capabilities</title>
<table>
<search base="base_search">
<query>
| mvexpand role
| dedup role
| join role
[
| rest /services/authorization/roles
| dedup title
| rename title as role
]
| table role capabilities imported_capabilities
| sort role
| transpose 1000 column_name=role header_field=role
</query>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="type">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="roles">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="splunk_server">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Role Index Access</title>
<table>
<search base="base_search">
<query>
| table role
| mvexpand role
| dedup role
| join role
[
| rest /services/authorization/roles
| dedup title
| rename title as role
]
| table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed
| sort role
| transpose 1000 column_name=role header_field=role
</query>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="action">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="host">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="type">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="roles">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="splunk_server">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
</row>
</form>
Holy Cow, great stuff -- thanks!
why, oh why, could Splunk not have had something like this...?
Great stuff!
Most excellent, ty
Search to indicate what roles can search the index:
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | search srchIndexesAllowed="IndexName"
Search to indicate what roles can search all indexes:
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | where srchIndexesAllowed="*"
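An added example, again not from the thread, that generalises the two searches above and the join in the Role Capabilities and Role Index Access panels of the dashboards earlier in the thread. The search command matches srchIndexesAllowed literally, so a role holding `*` or `sec*` never shows up when you ask about index security_events, and neither search follows imported_roles. This script is my own: it consumes the output_mode=json form of /services/authorization/roles, resolves inheritance transitively, and applies the authorize.conf wildcard rule that a bare `*` covers only non-internal indexes (names starting with `_` need a pattern that itself starts with `_`, such as `_*`). The role entries are constructed sample data, and the capability names in them are only illustrative.

```python
"""Effective index access and capabilities per role, following imported_roles."""
import fnmatch


def roles_from_entries(entries):
    """role name -> content dict (srchIndexesAllowed, capabilities, imported_roles, ...)."""
    return {e["name"]: e.get("content", {}) for e in entries}


def effective(role, roles, field, _seen=None):
    """Union of `field` over `role` and every role it imports, transitively.

    The union is computed here instead of trusting the imported_* fields, so
    the result does not depend on how far the endpoint resolves them.
    `_seen` stops the walk on circular imports and on unknown role names.
    """
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    values = set(roles[role].get(field) or [])
    for parent in roles[role].get("imported_roles") or []:
        values |= effective(parent, roles, field, _seen)
    return values


def index_matches(pattern, index):
    """Glob match with the authorize.conf rule that '*' excludes internal
    indexes: a name starting with '_' only matches a pattern starting with '_'."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def roles_that_can_search(index, roles):
    """Roles whose effective srchIndexesAllowed covers `index`, wildcards included."""
    return sorted(
        r for r in roles
        if any(index_matches(p, index) for p in effective(r, roles, "srchIndexesAllowed"))
    )


def roles_with_all_indexes(roles):
    """Roles that effectively hold a bare '*' (every non-internal index)."""
    return sorted(r for r in roles if "*" in effective(r, roles, "srchIndexesAllowed"))


def roles_with_capability(cap, roles):
    """Roles that hold `cap` directly or through an imported role."""
    return sorted(r for r in roles if cap in effective(r, roles, "capabilities"))


# Constructed sample in the shape of output_mode=json entries (not real data).
ROLE_ENTRIES = [
    {"name": "admin", "content": {"srchIndexesAllowed": ["*", "_*"],
                                  "capabilities": ["admin_all_objects", "edit_user"],
                                  "imported_roles": []}},
    {"name": "user", "content": {"srchIndexesAllowed": ["main"],
                                 "capabilities": ["search"], "imported_roles": []}},
    {"name": "power", "content": {"srchIndexesAllowed": ["app_*"],
                                  "capabilities": ["schedule_search"], "imported_roles": ["user"]}},
    {"name": "soc", "content": {"srchIndexesAllowed": ["sec*"],
                                "capabilities": ["edit_user"], "imported_roles": ["power"]}},
    # Two roles importing each other: the walk must terminate.
    {"name": "loop_a", "content": {"srchIndexesAllowed": [], "capabilities": [],
                                   "imported_roles": ["loop_b"]}},
    {"name": "loop_b", "content": {"srchIndexesAllowed": ["_internal"], "capabilities": [],
                                   "imported_roles": ["loop_a"]}},
]
ROLES = roles_from_entries(ROLE_ENTRIES)

if __name__ == "__main__":
    print("can search main:", roles_that_can_search("main", ROLES))
    print("can search _internal:", roles_that_can_search("_internal", ROLES))
    print("all non-internal indexes:", roles_with_all_indexes(ROLES))
    print("holds edit_user:", roles_with_capability("edit_user", ROLES))
```

Feed it the entry list from the roles endpoint (the fetch in the earlier example works with endpoint="/services/authorization/roles") and you get the answer the literal search cannot give: soc can read security_events through `sec*`, power reaches main only through user, and admin reaches _internal only because of `_*`, not `*`.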
This REST API call, as mentioned, must have the admin privilege, otherwise you won't get the result. I granted a regular user ALL the capabilities and it still won't work. Only a user with admin privilege can run it. Using it in a search in a dashboard for a non-admin will not work. You need to create a saved search as admin and use the saved search in the dashboard.
@somesoni2,
I can't thank you enough for how many times I have taken your answers 🙂
|rest /services/authentication/users | search realname=* roles!=app* roles!=index* | dedup title type realname email tz roles
| table title type realname email tz roles | rename title as Username realname as "Full name" tz AS "Time zone" email AS "Email address" type AS "Authentication system"
Nice query somesoni2,
and nice enhancement landen99.
Thank you very much. That's very helpful.
It could be because the roles field is a multivalue field. Try adding "| nomv roles" at the end of the search.
This search does not seem to play nicely with the export results option... the output CSV comes out empty. Any idea why? How do I work around it?
Thanks a bunch!
How would you change the splunk_server=local to get all user roles across the network?
splunk_server=*
I'm open to using whatever tool makes the most sense...a splunk search would be awesome, or if btool can do it that is fine too. I just want to create a list before and after to diff.