Security
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Search that returns ALL the user ROLES assigned to all the specific INDEXes

rdelmark
Explorer
‎01-14-2014 09:55 AM

I am looking to run a search that provides a complete list of user roles assigned to each and every index so I can do an audit of who has access to which indexes. I know i can do this manually by reviewing every index but I am looking for a faster way to do it.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-14-2014 10:31 AM

Give this a try:

| rest /services/authorization/roles | table title srchIndexesAllowed

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-14-2014 01:07 PM

On the similar line, but more detailed Index-Role-User mapping

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI") 
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role 
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI") 
| rex field=srchIndexesAllowed  mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]

Sample output:

index_name          Role    User
---------------------------------
_audit          admin   admin
_blocksignature     admin   admin
_internal           admin   admin
_thefishbucket  admin   admin
history             admin   admin
history             power    
history             user     
main            admin   admin
main            dummy   dummy

Blank User column means not user have been assigned that role.

Reply
Solved! Jump to solution

chris
Motivator
‎11-01-2016 12:29 AM

Thank you.

0 Karma
Reply
Solved! Jump to solution

kalraj3
Engager
‎12-14-2016 07:09 AM

This was very useful

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-14-2014 10:31 AM

Give this a try:

| rest /services/authorization/roles | table title srchIndexesAllowed
Reply
Solved! Jump to solution

rdelmark
Explorer
‎01-14-2014 12:55 PM

This is great, thank-you it works very well.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top