
Splunk Search that returns ALL the user ROLES assigned to all the specific INDEXes

rdelmark
Explorer

I am looking to run a search that provides a complete list of user roles assigned to each and every index so I can do an audit of who has access to which indexes. I know I can do this manually by reviewing every index, but I am looking for a faster way to do it.

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Give this a try:

| rest /services/authorization/roles | table title srchIndexesAllowed


somesoni2
Revered Legend

Along similar lines, but a more detailed Index-Role-User mapping:

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI") 
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role 
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI") 
| rex field=srchIndexesAllowed  mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]

Sample output:

index_name          Role    User
----------------------------------
_audit              admin   admin
_blocksignature     admin   admin
_internal           admin   admin
_thefishbucket      admin   admin
history             admin   admin
history             power
history             user
main                admin   admin
main                dummy   dummy

A blank User column means no user has been assigned that role.
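The same Index-Role-User mapping computed outside Splunk, as an added Python example that is not code from this thread: it reproduces the underscore rule behind the joinfield trick above (a pattern starting with "_" is only compared against internal indexes, so a bare "*" never grants them) over constructed sample data shaped like the fields the three REST endpoints return. The wildcard-to-regex translation and the sample roles, users and indexes are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample data shaped like the fields returned by
# /services/data/indexes, /services/authorization/roles and
# /services/authentication/users in the search above.
INDEXES = ["_audit", "_internal", "history", "main", "web_prod", "web_dev"]
ROLES = {
    "admin": ["*", "_*"],          # srchIndexesAllowed per role
    "power": ["*"],
    "user": ["main", "history"],
    "webops": ["web_*"],
    "auditor": ["_audit"],
}
USERS = {"admin": ["admin"], "alice": ["webops", "user"], "bob": ["user"]}


def pattern_matches(pattern: str, index_name: str) -> bool:
    """Mirror the joinfield logic: a pattern starting with '_' is compared
    only against internal (underscore-prefixed) indexes and vice versa,
    then '*' is treated as a wildcard, like the sed s/[*]/%/g + like()."""
    if pattern.startswith("_") != index_name.startswith("_"):
        return False
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, index_name) is not None


def index_role_user_map(indexes, roles, users):
    """Return {index_name: {role: sorted users}} like the SPL output;
    a role nobody holds maps to an empty list (the blank User column)."""
    role_users = defaultdict(list)
    for user, assigned in users.items():
        for role in assigned:
            role_users[role].append(user)
    mapping = {}
    for index_name in indexes:
        mapping[index_name] = {}
        for role, allowed in roles.items():
            if any(pattern_matches(p, index_name) for p in allowed):
                mapping[index_name][role] = sorted(role_users.get(role, []))
    return mapping


if __name__ == "__main__":
    for index_name, by_role in index_role_user_map(INDEXES, ROLES, USERS).items():
        for role, members in by_role.items():
            print(f"{index_name:<16}{role:<10}{', '.join(members)}")
```

Swapping the constructed dictionaries for the JSON returned by the same endpoints (`output_mode=json`) gives an offline audit report that can be diffed between runs.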

chris
Motivator

Thank you.


kalraj3
Engager

This was very useful



rdelmark
Explorer

This is great, thank you, it works very well.
