Security

Splunk Search that returns ALL the user ROLES assigned to all the specific INDEXes

rdelmark
Explorer

I am looking to run a search that provides a complete list of user roles assigned to each and every index so I can do an audit of who has access to which indexes. I know i can do this manually by reviewing every index but I am looking for a faster way to do it.

Tags (2)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Give this a try:

| rest /services/authorization/roles | table title srchIndexesAllowed

View solution in original post

somesoni2
Revered Legend

On the similar line, but more detailed Index-Role-User mapping

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI") 
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role 
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI") 
| rex field=srchIndexesAllowed  mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]

Sample output:

index_name          Role    User
---------------------------------
_audit          admin   admin
_blocksignature     admin   admin
_internal           admin   admin
_thefishbucket  admin   admin
history             admin   admin
history             power    
history             user     
main            admin   admin
main            dummy   dummy 

Blank User column means not user have been assigned that role.

chris
Motivator

Thank you.

0 Karma

kalraj3
Engager

This was very useful

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Give this a try:

| rest /services/authorization/roles | table title srchIndexesAllowed

rdelmark
Explorer

This is great, thank-you it works very well.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...