Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I produce a list of users and their roles?

danielbb
Motivator
‎12-11-2019 12:40 PM

How can I produce a list of users and their roles? Maybe a rest call to produce such a list...

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-18-2019 01:03 PM

We had to give full admin access in the past because they weren't able to discern what permissions were needed for some tools (ES, UBA, etc).
Then we needed to audit and figure out who is able to do what and slowly remove those who don't need it.
Several roles import the admin role and they have several different SH clusters.
Here is what we ended up with to build an action list.

| rest/services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
| appendpipe [
| rest/services/authorization/roles
| dedup id
| rename title AS role_direct
| eval role_add = role_direct
| eval combined_roles=mvappend(role_add,imported_roles)
| mvexpand combined_roles 
| fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
| appendpipe [
| rest /services/authorization/roles 
| dedup id
| rename title AS combined_role
| fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
| search capability="edit_user"
Reply
Solved! Jump to solution

aberkow
Builder
‎12-11-2019 01:18 PM 
| rest /services/authentication/users
| stats values(roles) by title

This get you what you're looking for? (or close, you might have a different value for title, just try running the first part to see if the GET call returns what you're looking for at a high level).

Hope this helps!

Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎12-11-2019 01:16 PM

Hi @danielbb,

This question is similar to the one here :
https://answers.splunk.com/answers/127844/how-can-i-generate-a-list-of-users-and-assigned-roles.html

As @somesoni2 mentioned :

 |rest /services/authentication/users splunk_server=local 
 |fields title roles realname|rename title as userName, realname as Name

You will need admin privileges to get full result.

Cheers,
David

Reply
Solved! Jump to solution

danielbb
Motivator
‎12-18-2019 06:20 AM

We ran this query on three environments and it produced the results. Is there a way to combine these three result sets? bearing in mind that the same users with different roles can exist in different environments.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-18-2019 01:04 PM

See my answer in this post.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...