Give this a try:
| rest /services/authorization/roles | table title srchIndexesAllowed
On the similar line, but more detailed Index-Role-User mapping
| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI") | join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role | mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI") | rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role | join type=left max=0 Role [| rest /services/authentication/users | table title , roles | mvexpand roles | rename title as User, roles as Role]
index_name Role User --------------------------------- _audit admin admin _blocksignature admin admin _internal admin admin _thefishbucket admin admin history admin admin history power history user main admin admin main dummy dummy
Blank User column means not user have been assigned that role.