Security

How can I generate a list of users and assigned roles?

Communicator

I am doing some refactoring of authentication.conf and would like to be able to diff the users and their mapped roles before and after the refactoring. Is there a way to get a list of users and roles?

If it makes a difference I am using a LDAP strategy.

1 Solution

SplunkTrust

This should get you a list of users and their corresponding roles. You need admin privileges to get the full result.

|rest /services/authentication/users splunk_server=local 
|fields title roles realname|rename title as userName|rename realname as Name


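The question is about diffing the user-to-role mapping before and after a refactor of authentication.conf. The script below is an added example (not part of the original thread or of Splunk) that takes two CSV exports of the search above, one taken before and one after, and reports users added, users removed, and per-user roles gained or lost. It handles both the raw multivalue export (newline-separated values in a quoted cell) and the space-separated form you get after `| nomv roles`. The user names, role names and the `SENSITIVE_ROLES` list are constructed for the example.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed sample exports, shaped like the CSV produced by exporting
#   | rest /services/authentication/users splunk_server=local
#   | fields title roles realname | rename title as userName | rename realname as Name
# A multivalue roles field exports as a newline-separated quoted cell; after
# "| nomv roles" the same values are space-separated. Both forms are handled.
BEFORE_CSV = """userName,roles,Name
admin,admin,Administrator
alice,"power
user",Alice Example
bob,user,Bob Example
carol,"ldap_soc
user",Carol Example
"""

AFTER_CSV = """userName,roles,Name
admin,admin,Administrator
alice,admin power user,Alice Example
carol,user,Carol Example
dave,user,Dave Example
"""

# Roles whose appearance on a user deserves a second look (constructed list;
# "admin" and "power" are built-in Splunk roles, adjust to your environment).
SENSITIVE_ROLES = frozenset({"admin", "sc_admin", "power"})


def parse_export(text: str) -> Dict[str, Set[str]]:
    """Map userName -> set of role names, normalising the multivalue cell."""
    mapping: Dict[str, Set[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Role names contain no whitespace, so splitting on any whitespace
        # covers both the newline-separated and the nomv (space-separated) form.
        mapping[row["userName"]] = set(row["roles"].split())
    return mapping


def diff_roles(before: Dict[str, Set[str]], after: Dict[str, Set[str]]):
    """Return (added_users, removed_users, changed), where changed maps a user
    present in both exports to (roles_gained, roles_lost)."""
    added_users = sorted(set(after) - set(before))
    removed_users = sorted(set(before) - set(after))
    changed: Dict[str, Tuple[List[str], List[str]]] = {}
    for user in sorted(set(before) & set(after)):
        gained = sorted(after[user] - before[user])
        lost = sorted(before[user] - after[user])
        if gained or lost:
            changed[user] = (gained, lost)
    return added_users, removed_users, changed


def escalations(changed, sensitive=SENSITIVE_ROLES) -> List[Tuple[str, str]]:
    """(user, role) pairs where the refactor handed out a sensitive role."""
    return sorted((user, role)
                  for user, (gained, _lost) in changed.items()
                  for role in gained if role in sensitive)


def main() -> None:
    # For real use, replace the two constants with open(path).read() of your exports.
    before = parse_export(BEFORE_CSV)
    after = parse_export(AFTER_CSV)
    added, removed, changed = diff_roles(before, after)
    print("users added:  ", added)
    print("users removed:", removed)
    for user, (gained, lost) in changed.items():
        print(f"{user}: +{gained} -{lost}")
    for user, role in escalations(changed):
        print(f"REVIEW: {user} gained sensitive role {role}")


if __name__ == "__main__":
    main()
```

Run the export as an admin (or via a saved search owned by an admin, as noted in this thread) so that both snapshots contain every user; a non-admin export silently omits accounts and would show up here as spurious "removed" users.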
Motivator

Dashboard of Splunk Users showing roles/capabilities, and index access.


Dashboard Code:

<form>
  <label>Splunk User List</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$"
| table user
| sort user</query>
      </search>
    </input>
    <input type="text" token="user_pattern" searchWhenChanged="true">
      <label>User Pattern</label>
      <default>*</default>
    </input>
    <input type="text" token="user_list" searchWhenChanged="true">
      <label>User List (comma separated)</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="real_name" searchWhenChanged="true">
      <label>Real Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>realname</fieldForLabel>
      <fieldForValue>realname</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup realname
| table realname
| sort realname</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="real_name_pattern" searchWhenChanged="true">
      <label>Real Name Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="email" searchWhenChanged="true">
      <label>Email</label>
      <choice value="*">All</choice>
      <fieldForLabel>email</fieldForLabel>
      <fieldForValue>email</fieldForValue>
      <default>*</default>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup email
| table email
| sort email</query>
      </search>
    </input>
    <input type="text" token="email_pattern" searchWhenChanged="true">
      <label>Email Pattern</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Type</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| dedup type
| table type
| sort type</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="role" searchWhenChanged="true">
      <label>Role</label>
      <choice value="*">All</choice>
      <fieldForLabel>roles</fieldForLabel>
      <fieldForValue>roles</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local 
| table roles
| mvexpand roles
| dedup roles
| table roles
| sort roles</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
    </input>
    <input type="text" token="role_pattern" searchWhenChanged="true">
      <label>Role Pattern</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>User Accounts</title>
      <table>
        <title>(click row for specific user detail)</title>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server capabilities 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| sort -type user</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <drilldown>
          <unset token="user"></unset>
          <set token="user">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Capabilities</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title capabilities imported_roles imported_capabilities 
    | dedup title 
    | rename title as role 
    | table role capabilities imported_roles imported_capabilities ] 
| table role capabilities imported_roles imported_capabilities 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Role Index Access</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=local 
| search realname="$real_name$" realname="*$real_name_pattern$*" email="$email$" email="*$email_pattern$*" roles="$role$" roles="*$role_pattern$*" type="$type$" 
| table defaultApp id realname email roles type splunk_server 
| replace "*%40*" with "*@*" in id 
| rex field=id "/users/(?&lt;user&gt;.+)$" 
| table user realname email type roles splunk_server 
| search user="$user$" user="*$user_pattern$*" user IN ($user_list$) 
| rename roles as role 
| table role 
| mvexpand role 
| dedup role 
| join role 
    [| rest /services/authorization/roles 
    | table title srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
    | dedup title 
    | rename title as role 
    | table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed ] 
| table role srchIndexesAllowed imported_roles imported_srchIndexesAllowed 
| sort role 
| transpose 1000 column_name=role header_field=role</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="action">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="type">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="roles">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="splunk_server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>

Path Finder

Most excellent, ty

Search to indicate what roles can search the index:
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | search srchIndexesAllowed="IndexName"

Search to indicate what roles can search all indexes:
| rest /services/authorization/roles splunk_server=local | table id, srchIndexesAllowed | mvexpand srchIndexesAllowed | where match(srchIndexesAllowed,"[*]")
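
The two searches above answer "which roles can search index X" and "which roles have `*`" from the role's own srchIndexesAllowed. The script below is an added example (not from this thread or from Splunk) that works on the same fields from `| rest /services/authorization/roles` but also follows imported_roles, so a role that only inherits index access is reported too, and it applies wildcard patterns to a concrete index name. It models Splunk's rule that `*` does not match internal `_`-prefixed indexes (which is why admin carries both `*` and `_*`); the role names and index patterns in `ROLES` are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed sample, shaped like
#   | rest /services/authorization/roles splunk_server=local
#   | table title srchIndexesAllowed imported_roles
# with the multivalue fields already split into lists.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "admin":       {"srchIndexesAllowed": ["*", "_*"],    "imported_roles": []},
    "power":       {"srchIndexesAllowed": ["*"],          "imported_roles": ["user"]},
    "user":        {"srchIndexesAllowed": ["main"],       "imported_roles": []},
    "soc_analyst": {"srchIndexesAllowed": ["security_*"], "imported_roles": ["user"]},
    "soc_lead":    {"srchIndexesAllowed": [],             "imported_roles": ["soc_analyst"]},
    "auditor":     {"srchIndexesAllowed": ["_audit"],     "imported_roles": []},
}


def effective_indexes(role: str, roles: Dict[str, Dict[str, List[str]]],
                      _seen: Set[str] = None) -> Set[str]:
    """A role's own srchIndexesAllowed plus everything inherited through
    imported_roles, followed to any depth. Splunk exposes the inherited part as
    imported_srchIndexesAllowed; recomputing it lets you cross-check that field."""
    _seen = set() if _seen is None else _seen
    if role in _seen or role not in roles:   # cycle guard / unknown role
        return set()
    _seen.add(role)
    allowed = set(roles[role]["srchIndexesAllowed"])
    for parent in roles[role]["imported_roles"]:
        allowed |= effective_indexes(parent, roles, _seen)
    return allowed


def index_matches(pattern: str, name: str) -> bool:
    """Splunk-style index match: only '*' is a wildcard, and a pattern that does
    not itself start with '_' never matches an internal index (modelled rule)."""
    if name.startswith("_") and not pattern.startswith("_"):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def roles_for_index(name: str, roles=ROLES) -> List[str]:
    """Roles that can search the given index, directly or by inheritance."""
    return sorted(r for r in roles
                  if any(index_matches(p, name) for p in effective_indexes(r, roles)))


def roles_with_all_index_access(roles=ROLES) -> List[str]:
    """Counterpart of the '| where match(srchIndexesAllowed,"[*]")' search,
    applied to the effective set so an inherited '*' is caught as well."""
    return sorted(r for r in roles if "*" in effective_indexes(r, roles))


if __name__ == "__main__":
    for idx in ("security_logs", "main", "_audit"):
        print(f"{idx}: {roles_for_index(idx)}")
    print("all-index access:", roles_with_all_index_access())
```

When the reviewed role set comes from a live export, compare `effective_indexes()` against the imported_srchIndexesAllowed field the REST endpoint returns; a mismatch usually means a role was added or edited between the two exports.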


Path Finder

This REST API call, as mentioned, must have admin privilege; otherwise you won't get the result. I granted a regular user ALL the capabilities and it still won't work. Only a user with admin privilege can run it. Using it in a search for a dashboard for non-admins will not work. You need to create a saved search as admin and use the saved search in the dashboard.


Communicator

@somesoni2,
I can't thank you enough for how many times I have taken your answers 🙂


Motivator
|rest /services/authentication/users | search realname=* roles!=app* roles!=index* | dedup title type realname email tz roles 
| table title type realname email tz roles | rename title as Username realname as "Full name" tz AS "Time zone" email AS "Email address" type AS "Authentication system"

Contributor

Nice query somesoni2,
and nice enhancement landen99.
Thank you very much. That's very helpful.


SplunkTrust

It could be because the roles field is a multivalue field. Try adding "| nomv roles" at the end of the search.

Communicator

This search does not seem to play nice with the export results option; the output CSV comes out empty. Any idea why? How do I work around it?


Communicator

Thanks a bunch!


How would you change the splunk_server=local to get all user roles across the network?


Communicator

I'm open to using whatever tool makes the most sense: a Splunk search would be awesome, or if btool can do it, that is fine too. I just want to create a list before and after to diff.
