List each user and their assigned roles and indexe...

brdr · ‎05-08-2019

We have about 1000+ users in our Splunk environment and we are getting ready for an audit. Specifically, we are reviewing the user access privileges to the data in Splunk. Is there a report or query that will show us this:

User Roles Indexes
user1 role1 idx1, idx2, idx3, idx4
user1 role2 idx10, idx11
user1 role3 idx22
user2 role1 idx1,idx2, idx3, idx4
user2 role4 idx23

Thank you

brdr · ‎05-09-2019

answer is here:
https://answers.splunk.com/answers/118581/splunk-search-that-returns-all-the-user-roles-assigned-to-...

dmarling · ‎05-08-2019

If you are logged in as an admin, I believe this will return the data you require:

| rest "services/authentication/users"
| dedup title
| table title roles capabilities author eai:acl.perms.read  eai:acl.perms.write email

If that works I'll convert this to an answer, if not let me know. The eai.acl.perms.read should be a list of the indexes they can view.

If this comment/answer was helpful, please up vote it. Thank you.

brdr · ‎05-09-2019

It does not answer the question re: index...thx though.

I just found one by somesoni2... good stuff. the answer can be found at:

https://answers.splunk.com/answers/118581/splunk-search-that-returns-all-the-user-roles-assigned-to-...

List each user and their assigned roles and indexes assigned by roles

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)