Security

How can I generate a list of users and assigned roles?

juniormint
Communicator

I am doing some refactoring of authentication.conf and would like to be able to diff the users and their mapped roles before and after the refactoring. Is there a way to get a list of users and roles?

If it makes a difference I am using a LDAP strategy.


somesoni2
Revered Legend

This should get you a list of users and their corresponding roles. You need admin privileges to get the full result.

|rest /services/authentication/users splunk_server=local 
|fields title roles realname|rename title as userName|rename realname as Name


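Since the original question was about diffing the user/role mapping before and after an authentication.conf refactor, here is an added example (my own script, not code posted by anyone in this thread) that does the diff outside of Splunk. It reads the JSON form of the same endpoint the accepted answer queries with `| rest` (`/services/authentication/users?output_mode=json`), normalises it to user -> roles, and compares two snapshots. The management URL, the Bearer-token header and the two sample payloads are assumptions/constructed data; the real response carries many more fields than the ones used here.

```python
"""Snapshot and diff Splunk user-to-role assignments.

Added example for this thread (not code posted by anyone here). It reads the
JSON form of the same endpoint the accepted answer queries with `| rest`,
/services/authentication/users?output_mode=json, so a snapshot taken before
the authentication.conf refactor can be diffed against one taken after.
"""
import json
import sys
import urllib.request


def fetch_users_json(base_url, token):
    """Pull the raw users collection from the Splunk management port.

    base_url is assumed to look like https://splunk.example.com:8089 and
    token to be a Splunk authentication token (sent as a Bearer header).
    count=0 asks for every entry rather than the default page size. As in
    the thread, the caller still needs admin rights to see everyone.
    """
    req = urllib.request.Request(
        f"{base_url}/services/authentication/users?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def snapshot(users_json):
    """Normalise the payload to {username: sorted tuple of roles}.

    entry[].name is the username (the `title` field in `| rest` output) and
    entry[].content.roles is the multivalue roles field shown in the answers
    above. Sorting makes the tuple comparable whatever order Splunk returns.
    """
    return {
        e["name"]: tuple(sorted(e.get("content", {}).get("roles", []) or []))
        for e in users_json.get("entry", [])
    }


def diff_snapshots(before, after):
    """Users added, users removed, and per-user roles gained/lost."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for user in sorted(set(before) & set(after)):
        if before[user] != after[user]:
            changed[user] = {
                "gained": sorted(set(after[user]) - set(before[user])),
                "lost": sorted(set(before[user]) - set(after[user])),
            }
    return {"added": added, "removed": removed, "changed": changed}


def format_report(d):
    """One line per difference, in a diff-like +/-/~ style."""
    lines = [f"+ user {u}" for u in d["added"]]
    lines += [f"- user {u}" for u in d["removed"]]
    for u, c in d["changed"].items():
        lines.append(f"~ user {u}: +[{','.join(c['gained'])}] -[{','.join(c['lost'])}]")
    return "\n".join(lines) if lines else "no differences"


# Constructed sample payloads in the shape of the endpoint's JSON output
# (only the fields used here; a real response carries many more).
BEFORE_SAMPLE = {"entry": [
    {"name": "admin", "content": {"roles": ["admin"], "type": "Splunk"}},
    {"name": "alice", "content": {"roles": ["user", "power"], "type": "LDAP"}},
    {"name": "bob", "content": {"roles": ["user"], "type": "LDAP"}},
]}
AFTER_SAMPLE = {"entry": [
    {"name": "admin", "content": {"roles": ["admin"], "type": "Splunk"}},
    {"name": "alice", "content": {"roles": ["power"], "type": "LDAP"}},
    {"name": "carol", "content": {"roles": ["user"], "type": "LDAP"}},
]}

if __name__ == "__main__":
    # Usage: python snapshot_diff.py before.json after.json
    # (each file being a saved JSON response; with no args the sample runs).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = snapshot(json.load(f1)), snapshot(json.load(f2))
    else:
        before, after = snapshot(BEFORE_SAMPLE), snapshot(AFTER_SAMPLE)
    print(format_report(diff_snapshots(before, after)))
```

Save the JSON response to a file before the refactor and again after, then run the script on the pair; with an LDAP strategy a user who loses a role usually means a group-to-role mapping was dropped or renamed, which is exactly what the `~` lines surface.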
bandit
Motivator

Dashboard of Splunk Users showing roles/capabilities, and index access.


Dashboard Code:

<form>
  <label>Splunk User List</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$"
| table user
| sort user</query>
      </search>
    </input>
    <input type="text" token="user_pattern" searchWhenChanged="true">
      <label>User Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="user_list" searchWhenChanged="true">
      <label>User List (comma separated)</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="real_name" searchWhenChanged="true">
      <label>Real Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>realname</fieldForLabel>
      <fieldForValue>realname</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup realname
| table realname
| sort realname</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="real_name_pattern" searchWhenChanged="true">
      <label>Real Name Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="email" searchWhenChanged="true">
      <label>Email</label>
      <choice value="*">All</choice>
      <fieldForLabel>email</fieldForLabel>
      <fieldForValue>email</fieldForValue>
      <default>*</default>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup email
| table email
| sort email</query>
      </search>
    </input>
    <input type="text" token="email_pattern" searchWhenChanged="true">
      <label>Email Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Type</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup type
| table type
| sort type</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="role" searchWhenChanged="true">
      <label>Role</label>
      <choice value="*">All</choice>
      <fieldForLabel>roles</fieldForLabel>
      <fieldForValue>roles</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table roles
| mvexpand roles
| dedup roles
| table roles
| sort roles</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
    </input>
    <input type="text" token="role_pattern" searchWhenChanged="true">
      <label>Role Pattern</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>User Accounts</title>
      <table>
        <title>(click row for specific user detail)</title>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| sort -type user</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <drilldown>
          <unset token="user"></unset>
          <set token="user">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Capabilities</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title capabilities imported_roles imported_capabilities 
    | dedup title 
    | rename title as role 
    | table role capabilities imported_roles imported_capabilities ] 
| table role capabilities imported_roles imported_capabilities 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Index Access</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
    | dedup title 
    | rename title as role 
    | table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed ] 
| table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>

itsmevic
Communicator

Great stuff!


earlhelms
Path Finder

Most excellent, ty

Search to indicate what roles can search the index:
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | search srchIndexesAllowed="IndexName"

Search to indicate what roles can search all indexes
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | where match(srchIndexesAllowed,"[*]")

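Building on the two searches just above, here is an added example (mine, not code from this thread) that answers the same two questions from the JSON form of the roles endpoint (`/services/authorization/roles?output_mode=json`), but also walks `imported_roles` so a role that only inherits index access through another role is still reported, together with the role in the chain that grants it. Splunk already exposes the flattened `imported_srchIndexesAllowed`, so this is a cross-check you can run offline. Assumptions: `entry[].name` is the role name, `entry[].content.srchIndexesAllowed` / `imported_roles` are lists, `fnmatchcase` approximates Splunk's `*` wildcard matching, and the sample role set is constructed.

```python
"""Which roles can search a given index, following imported_roles.

Added example for this thread (not code posted here). It reads the JSON form
of /services/authorization/roles, the endpoint earlhelms queries with
`| rest`, and expands imported_roles transitively.
"""
from fnmatch import fnmatchcase


def load_roles(roles_json):
    """Reduce the payload to {role: {"indexes": [patterns], "imports": [roles]}}."""
    out = {}
    for e in roles_json.get("entry", []):
        c = e.get("content", {})
        out[e["name"]] = {
            "indexes": list(c.get("srchIndexesAllowed") or []),
            "imports": list(c.get("imported_roles") or []),
        }
    return out


def effective_index_patterns(roles, role):
    """Map each allowed pattern to the role that contributes it.

    Walks imported_roles depth-first; each role is visited once (cycle-safe)
    and unknown role names are skipped. The role itself is visited first, so
    a pattern it declares directly is attributed to it rather than an import.
    """
    result = {}
    seen = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r in seen or r not in roles:
            continue
        seen.add(r)
        for pat in roles[r]["indexes"]:
            result.setdefault(pat, r)
        stack.extend(roles[r]["imports"])
    return result


def roles_that_can_search(roles, index):
    """{role: (pattern, granting_role)} for every role able to search `index`.

    srchIndexesAllowed entries are glob-like ('main', '_*', '*'); fnmatchcase
    is an assumed approximation of Splunk's wildcard handling.
    """
    hits = {}
    for role in roles:
        for pat, via in effective_index_patterns(roles, role).items():
            if fnmatchcase(index, pat):
                hits[role] = (pat, via)
                break
    return hits


def roles_with_wildcard_access(roles):
    """Roles that can search all indexes, directly or through an import."""
    return sorted(r for r in roles if "*" in effective_index_patterns(roles, r))


# Constructed sample in the shape of the endpoint's JSON output.
ROLES_SAMPLE = {"entry": [
    {"name": "admin", "content": {"srchIndexesAllowed": ["*", "_*"], "imported_roles": ["power", "user"]}},
    {"name": "power", "content": {"srchIndexesAllowed": [], "imported_roles": ["user"]}},
    {"name": "user", "content": {"srchIndexesAllowed": ["main"], "imported_roles": []}},
    {"name": "soc_analyst", "content": {"srchIndexesAllowed": ["sec_*"], "imported_roles": ["user"]}},
    {"name": "auditor", "content": {"srchIndexesAllowed": ["_audit"], "imported_roles": []}},
]}

if __name__ == "__main__":
    roles = load_roles(ROLES_SAMPLE)
    for idx in ("main", "sec_proxy", "_audit"):
        print(idx)
        for role, (pat, via) in sorted(roles_that_can_search(roles, idx).items()):
            print(f"  {role:<12} via {via} ({pat})")
    print("wildcard access:", roles_with_wildcard_access(roles))
```

Note that `power` shows up for `main` even though its own `srchIndexesAllowed` is empty; that inherited access is what the plain `| table id, srchIndexesAllowed` search does not show.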
anwarmian
Communicator

This REST API call, as mentioned, must have the admin privilege, otherwise you won't get the result. I granted a regular user ALL the capabilities and it still won't work. Only a user with admin privilege can run it. Using it in a search in a dashboard for a non-admin will not work. You need to create a saved search as admin and use the saved search in the dashboard.


varad_joshi
Communicator

@somesoni2,
I can't thank you enough for how many times I have taken your answers 🙂


landen99
Motivator

|rest /services/authentication/users | search realname=* roles!=app* roles!=index* | dedup title type realname email tz roles 
| table title type realname email tz roles | rename title as Username realname as "Full name" tz AS "Time zone" email AS "Email address" type AS "Authentication system"

sansay
Contributor

Nice query somesoni2,
and nice enhancement landen99.
Thank you very much. That's very helpful.


somesoni2
Revered Legend

It could be because the roles field is a multivalue field. Try adding "| nomv roles" at the end of the search.

juniormint
Communicator

This search does not seem to play nice with the export results option...the output csv comes out empty. Any idea why? How to work around it?


juniormint
Communicator

Thanks a bunch!


emilynicole73
Engager

How would you change the splunk_server=local to get all user roles across the network?


Dallastek1
Explorer

splunk_server=*


juniormint
Communicator

I'm open to using whatever tool makes the most sense...a splunk search would be awesome, or if btool can do it that is fine too. I just want to create a list before and after to diff.
