Security

How to Display whether a user has access to an index

SevenDos
Explorer

Hi!

We are using a dashboard that displays all the indexes and information about those indexes. I would like to have an additional column. The current search uses this:

 

 

| inputlookup name_of_the_lookup
| search index=* (index=***)
| sort by index
| table index, field_A, field_B, field_C, field_D, field_E, field_F, field_G, field_H, field_I, field_J, field_K

 

 

What I want to have is an additional column named 'Access',  that says whether it's true or false if the user currently watching that Dashboard has access to that Index. Is there a search that would do this?

Labels (1)
Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @SevenDos,

using this search you can see all information about an index:

| rest /services/data/indexes count=0 
| table title eai:acl.perms.read eai:acl.perms.write

than you have to correlate these information with the present user

| rest /services/authentication/current-context 
| table username roles

At the end, you should have something like this:

| rest /services/data/indexes count=0 | table title eai:acl.perms.read eai:acl.perms.write
| rename eai:acl.perms.write AS roles
| mvexpand roles
| join roles [ | rest /services/authentication/current-context 
| mvexpand roles
| table username roles ]

I didn't displayed all the fields, you can add the fields you need.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @SevenDos,

using this search you can see all information about an index:

| rest /services/data/indexes count=0 
| table title eai:acl.perms.read eai:acl.perms.write

than you have to correlate these information with the present user

| rest /services/authentication/current-context 
| table username roles

At the end, you should have something like this:

| rest /services/data/indexes count=0 | table title eai:acl.perms.read eai:acl.perms.write
| rename eai:acl.perms.write AS roles
| mvexpand roles
| join roles [ | rest /services/authentication/current-context 
| mvexpand roles
| table username roles ]

I didn't displayed all the fields, you can add the fields you need.

Ciao.

Giuseppe

SevenDos
Explorer

Ah great, so I could do:

| rest /services/data/indexes count=0 | table title eai:acl.perms.write
| rename eai:acl.perms.write AS Access title as index
| mvexpand Access
| join roles [ | rest /services/authentication/current-context 
| mvexpand roles
| table Access ]
| eval Access=if(like(Access, "admin"), "true", "false")
| dedup index

 ?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...