Give this a try:
| rest /services/authorization/roles | table title srchIndexesAllowed
On the similar line, but more detailed Index-Role-User mapping
| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI")
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI")
| rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]
Sample output:
index_name Role User
---------------------------------
_audit admin admin
_blocksignature admin admin
_internal admin admin
_thefishbucket admin admin
history admin admin
history power
history user
main admin admin
main dummy dummy
Blank User column means not user have been assigned that role.
Thank you.
This was very useful
Give this a try:
| rest /services/authorization/roles | table title srchIndexesAllowed
This is great, thank-you it works very well.