I have this search provided by @somesoni2. I am making a simple change to it so it provides a list of indexes that a user has access to. In order to do this you must search the user, role, and indexes data via REST.
| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI")
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed| eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI")
| rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role] | dedup index_name | table index_name
In the last REST subsearch, | rest /services/authentication/users, all I'm trying to do is add a filter: | rest /services/authentication/users | search title="a name goes here". By putting a name in I just want to get back a single user. I'm building a dashboard that will allow a user to query what indexes a user can access based on their roles. If I pull out this subsearch and run it separately, it works just fine.
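An offline model of the matching the search above performs (expand each role's srchIndexesAllowed, treat `*` as a wildcard, and only compare internal patterns with internal indexes via the I/NI join field), resolved for one named user. This is an added example, not part of the original post; the index, role and user names are constructed sample data, and the function names are hypothetical. Like the search, it reads only each role's own srchIndexesAllowed.

```python
import re

# Constructed sample data standing in for the fields the three REST calls return.
INDEXES = ["main", "web_logs", "web_proxy", "_internal", "_audit"]
ROLES = {  # role title -> srchIndexesAllowed
    "analyst": ["web_*"],
    "auditor": ["_audit", "main"],
    "power": ["*", "_*"],
}
USERS = {  # user title -> roles
    "alice": ["analyst"],
    "bob": ["analyst", "auditor"],
    "carol": ["power"],
}


def kind(name):
    """The search's joinfield: "I" for a leading underscore, otherwise "NI"."""
    return "I" if name.startswith("_") else "NI"


def pattern_matches(pattern, index_name):
    """Model of the sed + like() step, with '*' as the only wildcard.

    Unlike SPL like(), a literal '_' here matches only itself.
    """
    # The join on joinfield means "*" never reaches internal indexes;
    # they need an explicit pattern such as "_*" or "_audit".
    if kind(pattern) != kind(index_name):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def indexes_for_user(user):
    """Union of the indexes matched by every role assigned to one user."""
    allowed = set()
    for role in USERS.get(user, []):
        for pattern in ROLES.get(role, []):
            allowed.update(i for i in INDEXES if pattern_matches(pattern, i))
    return sorted(allowed)


if __name__ == "__main__":
    for name in USERS:
        print(name, indexes_for_user(name))
```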