How can I produce a list of users and their roles?


How can I produce a list of users and their roles? Maybe a rest call to produce such a list...

0 Karma
1 Solution

Esteemed Legend

We had to give full admin access in the past because they weren't able to discern what permissions were needed for some tools (ES, UBA, etc).
Then we needed to audit and figure out who is able to do what and slowly remove those who don't need it.
Several roles import the admin role and they have several different SH clusters.
Here is what we ended up with to build an action list.

| rest /services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
| appendpipe [
| rest /services/authorization/roles
| dedup id
| rename title AS role_direct
| eval role_add = role_direct
| eval combined_roles=mvappend(role_add,imported_roles)
| mvexpand combined_roles 
| fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
| appendpipe [
| rest /services/authorization/roles 
| dedup id
| rename title AS combined_role
| fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
| search capability="edit_user"

| rest /services/authentication/users
| stats values(roles) by title

This get you what you're looking for? (or close, you might have a different value for title, just try running the first part to see if the GET call returns what you're looking for at a high level).

Hope this helps!


Hi @danielbb,

This question is similar to the one here:

As @somesoni2 mentioned:

 |rest /services/authentication/users splunk_server=local 
 |fields title roles realname|rename title as userName, realname as Name

You will need admin privileges to get the full result.



We ran this query on three environments and it produced the results. Is there a way to combine these three result sets, bearing in mind that the same users with different roles can exist in different environments?

0 Karma

Esteemed Legend

See my answer in this post.

0 Karma
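One way to combine the per-environment result sets asked about above and repeat the inherited-capability audit across all of them, added here as an example and not code from any poster. It assumes each environment's /services/authentication/users and /services/authorization/roles output was exported with output_mode=json; the environment names, sample users and roles, and function names are constructed.

```python
# Constructed sample data shaped like the REST JSON output. The same role
# definitions are reused for all three environments to keep the sample short.
ROLES = {"entry": [
    {"name": "admin", "content": {"imported_roles": ["user"], "capabilities": ["edit_user"]}},
    {"name": "es_admin", "content": {"imported_roles": ["admin"], "capabilities": []}},
    {"name": "user", "content": {"imported_roles": [], "capabilities": ["search"]}},
]}

def users(**assign):
    """Build a users export from name=[roles] pairs (helper for the sample data only)."""
    return {"entry": [{"name": n, "content": {"roles": r}} for n, r in assign.items()]}

EXPORTS = {  # hypothetical environment names
    "env_a": {"roles": ROLES, "users": users(alice=["es_admin"], bob=["user"])},
    "env_b": {"roles": ROLES, "users": users(alice=["user"], bob=["user"])},
    "env_c": {"roles": ROLES, "users": users(alice=["user"], carol=["admin"])},
}

def effective_roles(direct, roles):
    """Map every role a user holds to the directly assigned role that grants it."""
    via = {r: r for r in direct}
    stack = list(direct)
    while stack:
        role = stack.pop()
        for parent in roles.get(role, {}).get("imported_roles", []):
            if parent not in via:  # also stops import cycles
                via[parent] = via[role]
                stack.append(parent)
    return via

def combine(exports):
    """Merge all environments into {user: {environment: [direct roles]}}."""
    merged = {}
    for env, data in exports.items():
        for u in data["users"]["entry"]:
            merged.setdefault(u["name"], {})[env] = sorted(u["content"]["roles"])
    return merged

def who_has(exports, capability):
    """Rows of (user, environment, direct role, role that carries the capability)."""
    rows = []
    for env, data in exports.items():
        roles = {e["name"]: e["content"] for e in data["roles"]["entry"]}
        for u in data["users"]["entry"]:
            for role, root in effective_roles(u["content"]["roles"], roles).items():
                if capability in roles.get(role, {}).get("capabilities", []):
                    rows.append((u["name"], env, root, role))
    return sorted(rows)
```

Keying the merged view by user and then by environment keeps a user whose roles differ between environments on one record, so the difference is visible instead of being collapsed.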