Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to see all the role permissions assigned to each index?

rbrisseyii
Explorer
‎11-06-2018 07:19 AM

I would like to see what role has access to each index without clicking through each role. Is there a search that can do this for me, or some other way to see all the roles assigned to each index?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎11-06-2018 02:29 PM

I've added these to my app Alerts for SplunkAdmins:
SearchHeadLevel - Role access list by user
SearchHeadLevel - Index access list by user

Or github if you want just the searches

The only tweak to the accepted answer you might want to do is:

| rest /services/authorization/roles splunk_server="local" 
| table title, srchIndexesAllowed, srchIndexesDefault, imported_srchIndexesAllowed, imported_srchIndexesDefault
| rename title as roles
-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎11-06-2018 02:29 PM

I've added these to my app Alerts for SplunkAdmins:
SearchHeadLevel - Role access list by user
SearchHeadLevel - Index access list by user

Or github if you want just the searches

The only tweak to the accepted answer you might want to do is:

| rest /services/authorization/roles splunk_server="local" 
| table title, srchIndexesAllowed, srchIndexesDefault, imported_srchIndexesAllowed, imported_srchIndexesDefault
| rename title as roles
-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎11-06-2018 08:49 AM

Give this a try,

| rest /services/authorization/roles | table title srchIndexesAllowed

Use this if you're using search head clustering,

| rest /services/authorization/roles splunk_server=SHC_Captain | table title srchIndexesAllowed
Reply
Solved! Jump to solution

rbrisseyii
Explorer
‎11-06-2018 09:07 AM

Thanks, that worked great!

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎11-06-2018 09:30 AM

Glad it worked for you. Can you accept the answer to close this thread. Thx!

0 Karma
Reply
Get Updates on the Splunk Community!

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...