is there a way to search who has access to an index without having to dig thru the access controls, roles and users?
Thank you
Not sure if this is what you're looking for. Below query gives the mapping of index with role which has access.
| rest /services/authorization/roles splunk_server=local | table title srchInd* | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) | table title indexes | mvexpand indexes | dedup title indexes | eval indexes_orig=indexes | join indexes max=0 type=left [| rest /services/data/indexes | stats count by title | table title| eval indexes=if(match(title,"^_"),"_*","*") | rename title as indexes_new]| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig)
This query extends the above solution and adds the users as well, so you get user, corresponding role and accessible indexes.
| rest /services/authentication/users splunk_server=local | table title roles | rename title as user | rename roles as title | mvexpand title | join type=left max=0 title [| rest /services/authorization/roles splunk_server=local | table title srchInd* | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) | table title indexes | mvexpand indexes | dedup title indexes | eval indexes_orig=indexes | join indexes max=0 type=left [| rest /services/data/indexes | stats count by title | table title| eval indexes=if(match(title,"^_"),"_*","*") | rename title as indexes_new]| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig) | table title indexes]
Not sure if this is what you're looking for. Below query gives the mapping of index with role which has access.
| rest /services/authorization/roles splunk_server=local | table title srchInd* | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) | table title indexes | mvexpand indexes | dedup title indexes | eval indexes_orig=indexes | join indexes max=0 type=left [| rest /services/data/indexes | stats count by title | table title| eval indexes=if(match(title,"^_"),"_*","*") | rename title as indexes_new]| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig)
This query extends the above solution and adds the users as well, so you get user, corresponding role and accessible indexes.
| rest /services/authentication/users splunk_server=local | table title roles | rename title as user | rename roles as title | mvexpand title | join type=left max=0 title [| rest /services/authorization/roles splunk_server=local | table title srchInd* | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) | table title indexes | mvexpand indexes | dedup title indexes | eval indexes_orig=indexes | join indexes max=0 type=left [| rest /services/data/indexes | stats count by title | table title| eval indexes=if(match(title,"^_"),"_*","*") | rename title as indexes_new]| eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig) | table title indexes]
Thank you!
Wow thats a clever search, thank you