Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I generate a list of users and assigned roles?

juniormint
Communicator
‎03-19-2014 06:40 AM

I am doing some refactoring of authentication.conf and would like to be able to diff the users and their mapped roles before and after the refactoring. Is there a way to get a list of users and roles?

If it makes a difference I am using a LDAP strategy.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-19-2014 07:25 AM

This should get you list of users and their corresponding roles. Need admin privileges to get full result.

|rest /services/authentication/users splunk_server=local 
|fields title roles realname|rename title as userName|rename realname as Name

View solution in original post

Reply
Solved! Jump to solution

bandit
Motivator
‎03-26-2019 09:33 AM

Dashboard of Splunk Users showing roles/capabilities, and index access.

alt text

Dashboard Code:

<form>
  <label>Splunk User List</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$"
| table user
| sort user</query>
      </search>
    </input>
    <input type="text" token="user_pattern" searchWhenChanged="true">
      <label>User Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="user_list" searchWhenChanged="true">
      <label>User List (comma seperated)</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="real_name" searchWhenChanged="true">
      <label>Real Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>realname</fieldForLabel>
      <fieldForValue>realname</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup realname
| table realname
| sort realname</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="real_name_pattern" searchWhenChanged="true">
      <label>Real Name Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="email" searchWhenChanged="true">
      <label>Email</label>
      <choice value="*">All</choice>
      <fieldForLabel>email</fieldForLabel>
      <fieldForValue>email</fieldForValue>
      <default>*</default>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup email
| table email
| sort email</query>
      </search>
    </input>
    <input type="text" token="email_pattern" searchWhenChanged="true">
      <label>Email Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Type</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup type
| table type
| sort type</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="role" searchWhenChanged="true">
      <label>Role</label>
      <choice value="*">All</choice>
      <fieldForLabel>roles</fieldForLabel>
      <fieldForValue>roles</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table roles
| mvexpand roles
| dedup roles
| table roles
| sort roles</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
    </input>
    <input type="text" token="role_pattern" searchWhenChanged="true">
      <label>Role Pattern</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>User Accounts</title>
      <table>
        <title>(click row for specific user detail)</title>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| sort -type user</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <drilldown>
          <unset token="user"></unset>
          <set token="user">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Capabilities</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="***" user IN (*) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title capabilities imported_roles imported_capabilities 
    | dedup title 
    | rename title as role 
    | table role capabilities imported_roles imported_capabilities ] 
| table role capabilities imported_roles imported_capabilities 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Index Access</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="***" user IN (*) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
    | dedup title 
    | rename title as role 
    | table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed ] 
| table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>
Reply
Solved! Jump to solution

itsmevic
Communicator
‎01-13-2021 10:27 AM

Great stuff!

0 Karma
Reply
Solved! Jump to solution

earlhelms
Path Finder
‎07-06-2018 11:20 AM

Most excellent, ty

Search to indicate what roles can search the index:
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | search srchIndexesAllowed="IndexName"

Search to indicate what roles can search all indexes
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | where match(srchIndexesAllowed,"[*]")

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-19-2014 07:25 AM

This should get you list of users and their corresponding roles. Need admin privileges to get full result.

|rest /services/authentication/users splunk_server=local 
|fields title roles realname|rename title as userName|rename realname as Name
Reply
Solved! Jump to solution

anwarmian
Communicator
‎04-06-2020 03:01 PM

This rest api call, as mentioned, must have the admin privilege otherwise you won't get the result. I granted a regular user ALL the capabilities it still won't work. Only a user with admin privilege can run it. To use it in a search for a dashboard for non-admin will not work. You need to create a savedsearch as admin and use the savedsearch in the dashboard.

0 Karma
Reply
Solved! Jump to solution

varad_joshi
Communicator
‎10-03-2016 03:23 AM

@somesoni2,
I cant thank you enough for how many times I have taken your answers 🙂

0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎03-27-2018 08:14 AM 
|rest /services/authentication/users | search realname=* roles!=app* roles!=index* | dedup title type realname email tz roles 
| table title type realname email tz roles | rename title as Username realname as "Full name" tz AS "Time zone" email AS "Email address" type AS "Authentication system"
Reply
Solved! Jump to solution

sansay
Contributor
‎09-06-2018 09:51 AM

Nice query somesoni2,
and nice enhancement landen99.
Thank you very much. That's very helpful.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-24-2014 08:55 AM

It could be because of roles field is multivalue field. Try by adding "| nomv roles" at the end of the search.

Reply
Solved! Jump to solution

juniormint
Communicator
‎03-19-2014 07:56 AM

This search does not seem to play nice with the export results option...the output csv comes out empty. Any idea why? How to work around it?

0 Karma
Reply
Solved! Jump to solution

juniormint
Communicator
‎03-19-2014 07:44 AM

Thanks a bunch!

0 Karma
Reply
Solved! Jump to solution

emilynicole73
Engager
‎07-19-2019 05:49 AM

How would you change the splunk_server=local to get all user roles across the network?

0 Karma
Reply
Solved! Jump to solution

Dallastek1
Explorer
‎01-27-2023 09:40 AM

 splunk_server=*

0 Karma
Reply
Solved! Jump to solution

juniormint
Communicator
‎03-19-2014 06:41 AM

I'm open to using whatever tool makes the most sense...a splunk search would be awesome, or if btool can do it that is fine too. I just want to create a list before and after to diff.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...