Looking to audit user accounts on a number of Splunk systems, but I don't want to have to have admin-level permissions to do this. Looking for a built-in capability that I can use to create a role that will then allow me to list user accounts without having the ability to modify or delete them. Has anyone done this before? I know there is a capability called "edit_user" but I was hoping for one called "list_user".
Look at the capabilities capability::rest_properties_get and capability::rest_properties_set. I guess if you create a capability the same as the "user" role minus capability::rest_properties_set, it should allow only read access to REST API endpoints (I haven't tried it).
As somesoni said already,
I would also point you at capabilities like
Additionally I can provide you with a search that will help you list the current users and their capabilities:
| rest /services/authentication/users splunk_server=* | dedup title | fields title roles | rename title AS User roles AS Role
The capabilities rest_properties_set and rest_properties_get are used for the services/properties endpoint.
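An added example, not part of the original thread: it goes one step beyond the search in the answer above by keeping every server's row instead of applying `dedup title`, so an auditor can see users whose roles differ between servers. It assumes the results of `| rest /services/authentication/users splunk_server=* | fields splunk_server title roles` were exported as JSON; the rows, host names and user names below are constructed, and `audit` is a hypothetical helper name.

```python
import json
from collections import defaultdict

# Constructed sample rows (not real data): one row per user per server, as a
# JSON export of the search without "dedup title" might look. A single-valued
# field is assumed to arrive as a string, a multivalue field as a list.
SAMPLE_ROWS = json.loads("""[
  {"splunk_server": "idx01", "title": "alice", "roles": ["admin", "user"]},
  {"splunk_server": "sh01",  "title": "alice", "roles": ["user", "admin"]},
  {"splunk_server": "idx01", "title": "bob",   "roles": "user"},
  {"splunk_server": "sh01",  "title": "bob",   "roles": ["user", "admin"]},
  {"splunk_server": "sh01",  "title": "carol", "roles": "power"}
]""")

def _as_set(value):
    """Normalise a roles field (string, list or missing) to a frozenset."""
    if isinstance(value, str):
        return frozenset([value])
    return frozenset(value or ())

def audit(rows, privileged=("admin",)):
    """Return (drift, priv, missing) for the exported rows.
    drift:   users whose role set is not identical on every server
    priv:    users holding a privileged role, with the servers where they do
    missing: users that exist on some servers but not on others"""
    servers = sorted({row["splunk_server"] for row in rows})
    view = defaultdict(dict)  # user -> {server: frozenset(roles)}
    for row in rows:
        view[row["title"]][row["splunk_server"]] = _as_set(row.get("roles"))
    drift, priv, missing = {}, {}, {}
    for user, per_server in sorted(view.items()):
        if len(set(per_server.values())) > 1:
            drift[user] = {s: sorted(r) for s, r in per_server.items()}
        hits = sorted(s for s, r in per_server.items() if r & set(privileged))
        if hits:
            priv[user] = hits
        absent = [s for s in servers if s not in per_server]
        if absent:
            missing[user] = absent
    return drift, priv, missing

if __name__ == "__main__":
    for label, result in zip(("role drift", "privileged", "missing on"),
                             audit(SAMPLE_ROWS)):
        print(label, json.dumps(result, sort_keys=True))
```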