Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I generate a list of users and assigned roles?

juniormint
Communicator
‎03-19-2014 06:40 AM

I am doing some refactoring of authentication.conf and would like to be able to diff the users and their mapped roles before and after the refactoring. Is there a way to get a list of users and roles?

If it makes a difference I am using a LDAP strategy.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-19-2014 07:25 AM

This should get you list of users and their corresponding roles. Need admin privileges to get full result.

|rest /services/authentication/users splunk_server=local 
|fields title roles realname|rename title as userName|rename realname as Name

View solution in original post

Reply
Solved! Jump to solution

bandit
Motivator
‎03-26-2019 09:33 AM

Dashboard of Splunk Users showing roles/capabilities, and index access.

alt text

Dashboard Code:

<form>
  <label>Splunk User List</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$"
| table user
| sort user</query>
      </search>
    </input>
    <input type="text" token="user_pattern" searchWhenChanged="true">
      <label>User Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="user_list" searchWhenChanged="true">
      <label>User List (comma seperated)</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="real_name" searchWhenChanged="true">
      <label>Real Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>realname</fieldForLabel>
      <fieldForValue>realname</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup realname
| table realname
| sort realname</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="real_name_pattern" searchWhenChanged="true">
      <label>Real Name Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="email" searchWhenChanged="true">
      <label>Email</label>
      <choice value="*">All</choice>
      <fieldForLabel>email</fieldForLabel>
      <fieldForValue>email</fieldForValue>
      <default>*</default>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup email
| table email
| sort email</query>
      </search>
    </input>
    <input type="text" token="email_pattern" searchWhenChanged="true">
      <label>Email Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Type</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup type
| table type
| sort type</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="role" searchWhenChanged="true">
      <label>Role</label>
      <choice value="*">All</choice>
      <fieldForLabel>roles</fieldForLabel>
      <fieldForValue>roles</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table roles
| mvexpand roles
| dedup roles
| table roles
| sort roles</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
    </input>
    <input type="text" token="role_pattern" searchWhenChanged="true">
      <label>Role Pattern</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>User Accounts</title>
      <table>
        <title>(click row for specific user detail)</title>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| sort -type user</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <drilldown>
          <unset token="user"></unset>
          <set token="user">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Capabilities</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="***" user IN (*) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title capabilities imported_roles imported_capabilities 
    | dedup title 
    | rename title as role 
    | table role capabilities imported_roles imported_capabilities ] 
| table role capabilities imported_roles imported_capabilities 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Index Access</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="***" user IN (*) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
    | dedup title 
    | rename title as role 
    | table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed ] 
| table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>
Reply
Solved! Jump to solution

jotne
Builder
‎07-24-2023 01:56 AM

Here is an updated version. Less use of not need table command, use of base search.  Dropdown with counters++

 

<form version="1.1" theme="dark">
  <label>List of Users Capabilities</label>
  <!--
  1.1  based on https://community.splunk.com/t5/Security/How-can-I-generate-a-list-of-users-and-assigned-roles/m-p/194811
  -->
  <search id="base_search">
    <query>
      | rest /services/authentication/users splunk_server=local
      | replace "*%40*" with "*@*" in id
      | rex field=id "/users/(?&lt;user&gt;.+)$"
      | rename roles as role 
      | fields user defaultApp id realname email role type splunk_server capabilities
      | search 
        user="$user$"
        type="$type$"
        role="$role$"
    </query>
  </search>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="user">
      <label>User</label>
      <search base="base_search">
        <query>
          | eval data=user
          | stats count by data realname
          | eval info=data." (".realname.")"
          | sort data
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="type">
      <label>Type</label>
      <search base="base_search">
        <query>
          | eval data=type
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="role">
      <label>Role</label>
      <search base="base_search">
        <query>
          | eval data=role
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>User Accounts</title>
      <table>
        <search base="base_search">
          <query>
            | table user realname email type role splunk_server
          </query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="role">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <drilldown>
          <unset token="user"></unset>
          <set token="user">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Capabilities</title>
      <table>
        <search base="base_search">
          <query>
            | dedup role
            | mvexpand role 
            | join role
              [
              | rest /services/authorization/roles
              | dedup title
              | rename title as role
              ]
            | table role capabilities imported_capabilities
            | sort role
            | transpose 1000 column_name=role header_field=role
          </query>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Index Access</title>
      <table>
        <search base="base_search">
          <query>
            | table role
            | mvexpand role
            | dedup role
            | join role
              [
              | rest /services/authorization/roles
              | dedup title
              | rename title as role
              ]
            | table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed
            | sort role
            | transpose 1000 column_name=role header_field=role
          </query>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>

 

0 Karma
Reply
Solved! Jump to solution

mykol_j
Communicator
‎10-10-2023 01:04 PM

Holy Cow, great stuff -- thanks!

why, oh why, could Splunk not have had something like this...?

0 Karma
Reply
Solved! Jump to solution

itsmevic
Communicator
‎01-13-2021 10:27 AM

Great stuff!

0 Karma
Reply
Solved! Jump to solution

earlhelms
Path Finder
‎07-06-2018 11:20 AM

Most excellent, ty

Search to indicate what roles can search the index:
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | search srchIndexesAllowed="IndexName"

Search to indicate what roles can search all indexes
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | where match(srchIndexesAllowed,"[*]")

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-19-2014 07:25 AM

This should get you list of users and their corresponding roles. Need admin privileges to get full result.

|rest /services/authentication/users splunk_server=local 
|fields title roles realname|rename title as userName|rename realname as Name
Reply
Solved! Jump to solution

anwarmian
Communicator
‎04-06-2020 03:01 PM

This rest api call, as mentioned, must have the admin privilege otherwise you won't get the result. I granted a regular user ALL the capabilities it still won't work. Only a user with admin privilege can run it. To use it in a search for a dashboard for non-admin will not work. You need to create a savedsearch as admin and use the savedsearch in the dashboard.

0 Karma
Reply
Solved! Jump to solution

varad_joshi
Communicator
‎10-03-2016 03:23 AM

@somesoni2,
I cant thank you enough for how many times I have taken your answers 🙂

0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎03-27-2018 08:14 AM 
|rest /services/authentication/users | search realname=* roles!=app* roles!=index* | dedup title type realname email tz roles 
| table title type realname email tz roles | rename title as Username realname as "Full name" tz AS "Time zone" email AS "Email address" type AS "Authentication system"
Reply
Solved! Jump to solution

sansay
Contributor
‎09-06-2018 09:51 AM

Nice query somesoni2,
and nice enhancement landen99.
Thank you very much. That's very helpful.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-24-2014 08:55 AM

It could be because of roles field is multivalue field. Try by adding "| nomv roles" at the end of the search.

Reply
Solved! Jump to solution

juniormint
Communicator
‎03-19-2014 07:56 AM

This search does not seem to play nice with the export results option...the output csv comes out empty. Any idea why? How to work around it?

0 Karma
Reply
Solved! Jump to solution

juniormint
Communicator
‎03-19-2014 07:44 AM

Thanks a bunch!

0 Karma
Reply
Solved! Jump to solution

emilynicole73
Engager
‎07-19-2019 05:49 AM

How would you change the splunk_server=local to get all user roles across the network?

0 Karma
Reply
Solved! Jump to solution

Dallastek1
Path Finder
‎01-27-2023 09:40 AM

 splunk_server=*

0 Karma
Reply
Solved! Jump to solution

juniormint
Communicator
‎03-19-2014 06:41 AM

I'm open to using whatever tool makes the most sense...a splunk search would be awesome, or if btool can do it that is fine too. I just want to create a list before and after to diff.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...