Security

Effective permission for user in multiple roles

msplunk33
Path Finder

I have users in multiple roles. Some roles have higher permissions, with access to a list of indexes. How can I view the effective permissions for this user? Will the user have the least-privilege role or the highest-privilege role?

0 Karma

isoutamo
SplunkTrust
You can query those roles via REST. There should be several answers already present on the community. If you couldn't find a suitable one, I could present our dashboard later on, when I have my laptop in my hands.
All roles are merged together, and in the end the user is given the highest capabilities and access to indexes.
r. Ismo
0 Karma

msplunk33
Path Finder

@isoutamo 

Yes, I got some REST queries. Just curious: is the dashboard you mentioned here custom developed, or is there an app available?


0 Karma

isoutamo
SplunkTrust
I'm not sure if there is also an app for that, but this one is homemade, based on others' example queries.
r. Ismo
0 Karma

isoutamo
SplunkTrust

Here is one part of our dashboard which shows the allowed indexes.

    <panel>
      <title>Indexes what the user is allowed to search. Also which group grants which index</title>
      <table>
        <search>
          <query>| rest /services/authentication/users splunk_server=<local or list of SH's which are peer for your MC node>
    | search title!=admin
    | table title roles
    | rename title as user
    | rename roles as title
    | search user=$username$
    | mvexpand title
    | join type=left max=0 title
        [| rest /services/authorization/roles splunk_server=<local or selection of your MC's peers>
         | table title srchInd*
         | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault)
         | table title indexes
         | mvexpand indexes
         | dedup title indexes
         | eval indexes_orig=indexes
         | join indexes max=0 type=left
             [| rest /services/data/indexes
              | stats count by title
              | table title
              | eval indexes=if(match(title,"^_"),"_*","*")
              | rename title as indexes_new]
         | eval indexes=if(indexes_orig!=indexes_new,indexes_new,indexes_orig)
         | table title indexes]
    | rename user as Username title as Group indexes as Index
    | dedup Index</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">15</option>
        <option name="drilldown">none</option>
        <option name="link.visible">0</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>


I think that we found (at least) the base idea in previous answers; I can't recall who the real originator is.

r. Ismo 

0 Karma
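The merge rule stated in the answers above (roles are additive: the user gets the union of index access and capabilities, with `*` and `_*` expanded to concrete index names the way the panel's inner join does) worked through in Python, as an added example rather than code from the thread. It runs on constructed role and index data shaped like the fields those `| rest` endpoints return (srchIndexesAllowed, srchIndexesDefault, imported_roles, capabilities), follows role inheritance through imported_roles, which the panel does not do, and assumes, from the query's own `_*` split, that a bare `*` does not cover `_`-prefixed indexes.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like the fields the panel's `| rest` calls
# return (srchIndexesAllowed, srchIndexesDefault, imported_roles, capabilities).
ROLES = {
    "user": {"srchIndexesAllowed": ["main"], "srchIndexesDefault": ["main"],
             "imported_roles": [], "capabilities": ["search"]},
    "sec_analyst": {"srchIndexesAllowed": ["sec_*"], "srchIndexesDefault": [],
                    "imported_roles": ["user"], "capabilities": ["schedule_search"]},
    "power": {"srchIndexesAllowed": ["*", "_*"], "srchIndexesDefault": ["*"],
              "imported_roles": ["user"], "capabilities": ["rtsearch"]},
}
INDEXES = ["main", "sec_fw", "sec_proxy", "hr", "_internal", "_audit"]

def role_closure(assigned, roles):
    """Assigned roles plus everything they inherit through imported_roles."""
    seen, todo = set(), list(assigned)
    while todo:
        name = todo.pop()
        if name in seen or name not in roles:
            continue
        seen.add(name)
        todo.extend(roles[name]["imported_roles"])
    return seen

def index_matches(pattern, name):
    """Assumed rule behind the query's '_*' vs '*' split: a bare '*' does
    not reach internal (_-prefixed) indexes."""
    if name.startswith("_") != pattern.startswith("_"):
        return False
    return fnmatchcase(name, pattern)

def effective_indexes(assigned, roles=ROLES, indexes=INDEXES):
    """Union of index access over all roles -> {index: roles granting it}."""
    granted = {}
    for role in role_closure(assigned, roles):
        pats = roles[role]["srchIndexesAllowed"] + roles[role]["srchIndexesDefault"]
        for idx in indexes:
            if any(index_matches(p, idx) for p in pats):
                granted.setdefault(idx, set()).add(role)
    return {idx: sorted(r) for idx, r in sorted(granted.items())}

def effective_capabilities(assigned, roles=ROLES):
    """Capabilities are additive too: the union over all inherited roles."""
    return sorted({c for r in role_closure(assigned, roles) for c in roles[r]["capabilities"]})

if __name__ == "__main__":
    for idx, via in effective_indexes(["sec_analyst"]).items():
        print(f"{idx:<10} granted by {', '.join(via)}")
    print("capabilities:", effective_capabilities(["sec_analyst", "power"]))
```

Swap the constructed ROLES and INDEXES for the JSON output of the two REST endpoints and the same functions give the per-user view the panel renders, plus the capability union the panel leaves out.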