I've been using Splunk for so long, but how do you see what a user's effective permissions are? By effective permissions, I mean a user can be a member of multiple roles with different srchDiskQuota, srchJobsQuota, srchMaxTime, etc. How do I see which are being applied?
// useless
splunk cmd btool --debug --user=admin --app=search authorize layer
Normally I don't have to worry as I typically keep it simple.
Okay peeps. I've figured out how to do this for capabilities, but not for items such as quotas, filters, etc. Though this meets an auditor's requirement, which also shows the last login date.
earliest=-365d index=_audit action="login attempt" info=succeeded
| stats first(_time) as etime by user
| eval DateTime=strftime(etime, "%m/%d/%Y %H:%M:%S %Z")
| join user [ rest splunk_server=local /servicesNS/-/-/authentication/users | stats values(capabilities) as capabilities values(roles) as roles by realname title email | rename title as user ]
| append [ rest splunk_server=local /servicesNS/-/-/authentication/users | stats values(capabilities) as capabilities values(roles) as roles by realname title email | rename title as user]
| dedup user realname
For quite some time, I too have been looking for the ability to look at any user, regardless of how many roles have been inherited, and say "This is exactly how this user should expect their experience to be". (Administering an adopted environment can be tough)
The closest I have come, without making assumptions about how Splunk handles inheritance, is to create a new role, with no properties set, and configure it to inherit the same roles that the specific user has. Then you can run the following search (replacing [search_head] and [role] appropriately):
| rest splunk_server=[search_head] /services/authorization/roles/[role] | fields imported_*
The only thing this doesn't address is how the user would expect the "Role-level concurrent..." settings to affect them if those settings overlap across multiple roles.
Try this:
$ splunk btool authorize list role_user
[role_user]
accelerate_search = enabled
change_own_password = enabled
cumulativeRTSrchJobsQuota = 100
cumulativeSrchJobsQuota = 50
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
pattern_detect = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
rtSrchJobsQuota = 6
search = enabled
srchDiskQuota = 100
srchFilterSelecting = true
srchIndexesAllowed = *
srchIndexesDefault = main
srchJobsQuota = 3
srchMaxTime = 100days
You can append --debug to see what conf files each line comes from. Note this is by role, not user. But as long as you know what role(s) the user has, you can use this.
Another option is to use the REST endpoints to enumerate a role and its consolidated capabilities (in case it inherits from another role). This can be accessed via the search UI.
| rest /services/authorization/roles
That does not answer the question of users who are a part of multiple roles. Yes, if they are a part of one role I could just use btool with debug after using the rest command. I want to know the final layering of permissions of users who are a part of two or more roles, NOT inherited roles.
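For the multi-role case raised above, an added example (not code from any poster in this thread): it parses `splunk btool authorize list` output (run without --debug) for each role a user holds, unions the enabled capabilities, and lists every other setting per role, flagging the ones that differ so they can be reviewed. The role_auditor stanza and the user-to-role assignment are constructed; the script does not resolve importRoles and does not assume which quota value Splunk applies.

```python
from collections import defaultdict

# Constructed sample in the format printed by `splunk btool authorize list`.
# role_user values follow the thread; role_auditor is a hypothetical role.
BTOOL_OUTPUT = """\
[role_auditor]
schedule_search = enabled
srchDiskQuota = 500
srchIndexesAllowed = *
srchJobsQuota = 10
srchMaxTime = 100days
[role_user]
list_inputs = enabled
search = enabled
srchDiskQuota = 100
srchIndexesAllowed = *
srchJobsQuota = 3
srchMaxTime = 100days
"""

def parse_roles(text):
    """Return {role: {setting: value}} from btool stanza output."""
    roles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[role_") and line.endswith("]"):
            current = roles.setdefault(line[len("[role_"):-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return roles

def layer_for_user(user_roles, roles):
    """Union enabled capabilities; keep every other setting per role."""
    capabilities, settings = set(), defaultdict(dict)
    for role in user_roles:
        for key, value in roles.get(role, {}).items():
            if value == "enabled":
                capabilities.add(key)
            else:
                settings[key][role] = value
    # A setting is a conflict when the user's roles disagree on its value.
    conflicts = {k: v for k, v in settings.items() if len(set(v.values())) > 1}
    return sorted(capabilities), dict(settings), conflicts

if __name__ == "__main__":
    caps, settings, conflicts = layer_for_user(["user", "auditor"], parse_roles(BTOOL_OUTPUT))
    print("capabilities:", ", ".join(caps))
    for key, per_role in sorted(settings.items()):
        print(f"{key}: {per_role}" + ("  <-- differs between roles" if key in conflicts else ""))
```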