Security

How to Display whether a user has access to an index

SevenDos
Explorer

Hi!

We are using a dashboard that displays all the indexes and information about those indexes. I would like to have an additional column. The current search uses this:

 

 

| inputlookup name_of_the_lookup
| search index=* (index=***)
| sort by index
| table index, field_A, field_B, field_C, field_D, field_E, field_F, field_G, field_H, field_I, field_J, field_K

 

 

What I want to have is an additional column named 'Access',  that says whether it's true or false if the user currently watching that Dashboard has access to that Index. Is there a search that would do this?

Labels (1)
Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @SevenDos,

using this search you can see all information about an index:

| rest /services/data/indexes count=0 
| table title eai:acl.perms.read eai:acl.perms.write

than you have to correlate these information with the present user

| rest /services/authentication/current-context 
| table username roles

At the end, you should have something like this:

| rest /services/data/indexes count=0 | table title eai:acl.perms.read eai:acl.perms.write
| rename eai:acl.perms.write AS roles
| mvexpand roles
| join roles [ | rest /services/authentication/current-context 
| mvexpand roles
| table username roles ]

I didn't displayed all the fields, you can add the fields you need.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @SevenDos,

using this search you can see all information about an index:

| rest /services/data/indexes count=0 
| table title eai:acl.perms.read eai:acl.perms.write

than you have to correlate these information with the present user

| rest /services/authentication/current-context 
| table username roles

At the end, you should have something like this:

| rest /services/data/indexes count=0 | table title eai:acl.perms.read eai:acl.perms.write
| rename eai:acl.perms.write AS roles
| mvexpand roles
| join roles [ | rest /services/authentication/current-context 
| mvexpand roles
| table username roles ]

I didn't displayed all the fields, you can add the fields you need.

Ciao.

Giuseppe

SevenDos
Explorer

Ah great, so I could do:

| rest /services/data/indexes count=0 | table title eai:acl.perms.write
| rename eai:acl.perms.write AS Access title as index
| mvexpand Access
| join roles [ | rest /services/authentication/current-context 
| mvexpand roles
| table Access ]
| eval Access=if(like(Access, "admin"), "true", "false")
| dedup index

 ?

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...