Security
Highlighted

How can we find out who has access to a certain index?

Motivator

We would like to find out who has access to a certain index. How can we do that?

Labels (1)
Tags (1)
0 Karma
Highlighted

Re: How can we find out who has access to a certain index?

SplunkTrust
SplunkTrust

To find roles that access index 'foo', look for srchIndexesAllowed = foo or srchIndexesAllowed = * in your authorize.conf files. Btool can help.

splunk btool --debug authorize list | grep 'srchIndexesAllowed\s*=.*(\*|foo)'
---
If this reply helps you, an upvote would be appreciated.

View solution in original post