Security

woodcock
Esteemed Legend

We had to give full admin access in the past because they weren't able to discern what permissions were needed for some tools (ES, UBA, etc.).
Then we needed to audit and figure out who is able to do what and slowly remove those who don't need it.
Several roles import the admin role and they have several different SH clusters.
Here is what we ended up with to build an action list.

| rest /services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
| appendpipe [
| rest /services/authorization/roles
| dedup id
| rename title AS role_direct
| eval role_add = role_direct
| eval combined_roles=mvappend(role_add,imported_roles)
| mvexpand combined_roles
| fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
| appendpipe [
| rest /services/authorization/roles
| dedup id
| rename title AS combined_role
| fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
| search capability="edit_user"
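The search above walks only one level of role inheritance (a role's own `imported_roles`), yet roles can import roles that import other roles. As an added example, not part of the thread or of any Splunk code, the Python below resolves that inheritance transitively over data in the shape the two REST endpoints return (`roles` per user; `imported_roles` and `capabilities` per role), labels each capability the way the search does ("direct assignment" vs. "inherited through ..."), and guards against import cycles. The `ROLES` and `USERS` records are constructed sample data standing in for the endpoint output.

```python
# Added example (not from the thread): resolve transitive Splunk role inheritance
# and report which users hold a given capability, and through which role chain.
# Input shape mirrors what the two REST endpoints the thread uses return
# (/services/authentication/users -> roles; /services/authorization/roles ->
# imported_roles, capabilities); the records below are constructed sample data.
from collections import deque

# Constructed sample: role -> (directly imported roles, directly granted capabilities)
ROLES = {
    "admin":      {"imported_roles": ["power", "user"], "capabilities": ["edit_user", "edit_roles"]},
    "power":      {"imported_roles": ["user"],          "capabilities": ["schedule_search"]},
    "user":       {"imported_roles": [],                "capabilities": ["search"]},
    "es_analyst": {"imported_roles": ["admin"],         "capabilities": ["es_notable"]},  # imports admin
    "uba_viewer": {"imported_roles": ["user"],          "capabilities": ["uba_read"]},
    "loop_a":     {"imported_roles": ["loop_b"],        "capabilities": []},              # import cycle
    "loop_b":     {"imported_roles": ["loop_a"],        "capabilities": []},
}

# Constructed sample: user -> directly assigned roles (the `roles` field on the users endpoint)
USERS = {
    "alice": ["es_analyst"],
    "bob":   ["uba_viewer"],
    "carol": ["admin", "uba_viewer"],
    "dave":  ["loop_a"],
}


def effective_roles(role, roles=ROLES):
    """Return {effective_role: path} for `role`, walking imported_roles transitively.

    `path` is the chain of roles walked through, starting at `role`, so a
    one-element path means direct assignment. Recording each role the first
    time it is reached also stops import cycles from looping forever."""
    paths = {role: (role,)}
    queue = deque([role])
    while queue:
        current = queue.popleft()
        for imported in roles.get(current, {}).get("imported_roles", []):
            if imported not in paths:
                paths[imported] = paths[current] + (imported,)
                queue.append(imported)
    return paths


def user_capabilities(users=USERS, roles=ROLES):
    """Return {user: {capability: [explanation, ...]}} over all assigned roles."""
    result = {}
    for user, direct_roles in users.items():
        caps = result.setdefault(user, {})
        for direct in direct_roles:
            for eff_role, path in effective_roles(direct, roles).items():
                if len(path) == 1:
                    how = f"{eff_role} (direct assignment)"
                else:
                    how = f"{eff_role} (inherited through {' -> '.join(path[:-1])})"
                for cap in roles.get(eff_role, {}).get("capabilities", []):
                    caps.setdefault(cap, []).append(how)
    return result


def who_has(capability, users=USERS, roles=ROLES):
    """Sorted users holding `capability` by any route: the audit question in the thread."""
    return sorted(u for u, caps in user_capabilities(users, roles).items() if capability in caps)


if __name__ == "__main__":
    for user, caps in user_capabilities().items():
        for cap, hows in sorted(caps.items()):
            print(f"{user:6} {cap:16} via {'; '.join(hows)}")
    print("edit_user holders:", who_has("edit_user"))
```

With the sample data, `who_has("edit_user")` reports alice (through es_analyst, which imports admin) as well as carol (admin directly), which a single-level expansion of `imported_roles` would miss for alice; dave's cyclic roles resolve without hanging.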

aberkow
Builder
| rest /services/authentication/users
| stats values(roles) by title

Does this get you what you're looking for? (Or close; you might have a different value for title. Just try running the first part to see whether the GET call returns what you're looking for at a high level.)

Hope this helps!

DavidHourani
Super Champion

Hi @danielbb,

This question is similar to the one here:
https://answers.splunk.com/answers/127844/how-can-i-generate-a-list-of-users-and-assigned-roles.html

As @somesoni2 mentioned:

| rest /services/authentication/users splunk_server=local
| fields title roles realname
| rename title as userName, realname as Name

You will need admin privileges to get the full result.

Cheers,
David

danielbb
Motivator

We ran this query on three environments and it produced the results. Is there a way to combine these three result sets, bearing in mind that the same users with different roles can exist in different environments?

0 Karma

woodcock
Esteemed Legend

See my answer in this post.

0 Karma