Security

List each user and their assigned roles and indexes assigned by roles

Contributor

We have about 1000+ users in our Splunk environment and we are getting ready for an audit. Specifically, we are reviewing the user access privileges to the data in Splunk. Is there a report or query that will show us this:

User Roles Indexes
user1 role1 idx1, idx2, idx3, idx4
user1 role2 idx10, idx11
user1 role3 idx22
user2 role1 idx1,idx2, idx3, idx4
user2 role4 idx23

Thank you

Tags (3)
0 Karma

Contributor
0 Karma

Builder

If you are logged in as an admin, I believe this will return the data you require:

| rest "services/authentication/users"
| dedup title
| table title roles capabilities author eai:acl.perms.read  eai:acl.perms.write email

If that works I'll convert this to an answer, if not let me know. The eai.acl.perms.read should be a list of the indexes they can view.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma

Contributor

It does not answer the question re: index...thx though.

I just found one by somesoni2... good stuff. the answer can be found at:

https://answers.splunk.com/answers/118581/splunk-search-that-returns-all-the-user-roles-assigned-to-...

0 Karma