Security

How to view a user's effective permissions to see which are being applied?

bmacias84
Champion

I've been using Splunk for so long, but how do you see what a user's effective permissions are? By effective permissions, I mean a user can be a member of multiple roles with different srchDiskQuota, srchJobsQuota, srchMaxTime, etc. How do I see which are being applied?

// useless
splunk cmd btool --debug  --user=admin --app=search authorize layer

Normally I don't have to worry as I typically keep it simple.

1 Solution

bmacias84
Champion

Okay peeps. I've figured out how to do this for capabilities but not items such as quotas, filters, etc. Though this meets an auditor's requirement, which also shows last login date.

earliest=-365d index=_audit action="login attempt" info=succeeded 
| stats first(_time) as etime by user  
| eval DateTime=strftime(etime, "%m/%d/%Y %H:%M:%S %Z") 
| join user [ rest splunk_server=local /servicesNS/-/-/authentication/users | stats values(capabilities) as capabilities values(roles) as roles by  realname title email  | rename title as user ] 
|  append [ rest splunk_server=local /servicesNS/-/-/authentication/users | stats values(capabilities) as capabilities values(roles) as roles by  realname title email  | rename title as user] 
| dedup user realname

rlawrence_fnni
Explorer

For quite some time, I too have been looking for the ability to look at any user, regardless of how many roles have been inherited, and say "This is exactly how this user should expect their experience to be". (Administering an adopted environment can be tough)

The closest I have come, without making assumptions about how Splunk handles inheritance, is to create a new role, with no properties set, and configure it to inherit the same roles that the specific user has. Then you can run the following search (replacing [search_head] and [role] appropriately):
| rest splunk_server=[search_head] /services/authorization/roles/[role] | fields imported_*

The only thing this doesn't address is how the user would expect the "Role-level concurrent..." settings to affect them if those settings overlap across multiple roles.

emiller42
Motivator

Try this:

$ splunk btool authorize list role_user
[role_user]
accelerate_search = enabled
change_own_password = enabled
cumulativeRTSrchJobsQuota = 100
cumulativeSrchJobsQuota = 50
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
pattern_detect = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
rtSrchJobsQuota = 6
search = enabled
srchDiskQuota = 100
srchFilterSelecting = true
srchIndexesAllowed = *
srchIndexesDefault = main
srchJobsQuota = 3
srchMaxTime = 100days

You can append --debug to see what conf files each line comes from. Note this is by role, not user. But as long as you know what role(s) the user has, you can use this.

Another option is to use the REST endpoints to enumerate a role and its consolidated capabilities (in case it inherits from another role). This can be accessed via the search UI.

| rest /services/authorization/roles
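An added example (not code from any poster in this thread): a Python helper that takes `splunk btool authorize list` output like the listing above, follows `importRoles`, and reports for one user's set of roles the enabled capabilities plus every setting the roles set to different values. The sample stanzas and the `auditor` role are constructed; the script only lays the per-role values side by side and does not decide which one Splunk applies.

```python
import re

# Constructed sample in the format `splunk btool authorize list` prints (not real output).
SAMPLE_BTOOL = """\
[role_user]
search = enabled
srchDiskQuota = 100
srchIndexesAllowed = *
srchJobsQuota = 3
[role_auditor]
importRoles = user
list_inputs = enabled
srchDiskQuota = 500
srchIndexesAllowed = _audit
srchJobsQuota = 3
"""

def parse_btool(text):
    """Parse [role_<name>] stanzas into {role: {setting: value}}."""
    roles, current = {}, None
    for line in map(str.strip, text.splitlines()):
        stanza = re.fullmatch(r"\[role_(.+)\]", line)
        if stanza:
            current = roles.setdefault(stanza.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return roles

def expand_roles(roles, assigned):
    """Add roles reached through importRoles (semicolon-separated) to the assigned ones."""
    seen, queue = [], list(assigned)
    while queue:
        role = queue.pop(0)
        if role not in seen and role in roles:
            seen.append(role)
            queue += [r for r in roles[role].get("importRoles", "").split(";") if r]
    return seen

def audit_user(roles, assigned):
    """Return (capabilities enabled in any role, {setting: {role: value}} where roles disagree)."""
    per_setting = {}
    for role in expand_roles(roles, assigned):
        for key, value in roles[role].items():
            if key != "importRoles":
                per_setting.setdefault(key, {})[role] = value
    caps = sorted(k for k, v in per_setting.items() if set(v.values()) == {"enabled"})
    differing = {k: v for k, v in per_setting.items() if len(set(v.values())) > 1}
    return caps, differing
```

Pass the role names the user holds directly (for example from the `roles` field of the `/services/authentication/users` REST search earlier in the thread) as `assigned`.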

bmacias84
Champion

That does not answer the question of users who are a part of multiple roles. Yes, if they are a part of one role I could just use btool with debug after using the rest command. I want to know the final layering of permissions of users who are a part of two or more roles, NOT inherited roles.
