Security

Splunk Search that returns ALL the user ROLES assigned to all the specific INDEXes

Explorer

I am looking to run a search that provides a complete list of user roles assigned to each and every index so I can do an audit of who has access to which indexes. I know i can do this manually by reviewing every index but I am looking for a faster way to do it.

Tags (2)
1 Solution

SplunkTrust
SplunkTrust

Give this a try:

| rest /services/authorization/roles | table title srchIndexesAllowed

View solution in original post

SplunkTrust
SplunkTrust

On the similar line, but more detailed Index-Role-User mapping

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI") 
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role 
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI") 
| rex field=srchIndexesAllowed  mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]

Sample output:

index_name          Role    User
---------------------------------
_audit          admin   admin
_blocksignature     admin   admin
_internal           admin   admin
_thefishbucket  admin   admin
history             admin   admin
history             power    
history             user     
main            admin   admin
main            dummy   dummy 

Blank User column means not user have been assigned that role.

Motivator

Thank you.

0 Karma

Engager

This was very useful

0 Karma

SplunkTrust
SplunkTrust

Give this a try:

| rest /services/authorization/roles | table title srchIndexesAllowed

View solution in original post

Explorer

This is great, thank-you it works very well.

0 Karma