
Splunk Search that returns ALL the user ROLES assigned to all the specific INDEXes

rdelmark
Explorer

I am looking to run a search that provides a complete list of user roles assigned to each and every index so I can do an audit of who has access to which indexes. I know I can do this manually by reviewing every index, but I am looking for a faster way to do it.

1 Solution

martin_mueller
SplunkTrust

Give this a try:

| rest /services/authorization/roles | table title srchIndexesAllowed


somesoni2
SplunkTrust

Along similar lines, but a more detailed Index-Role-User mapping:

| rest /services/data/indexes | table title | rename title as index_name | eval joinfield=if(substr(index_name,1,1)="_","I","NI")
| join type=left max=0 joinfield [| rest /services/authorization/roles | table title srchIndexesAllowed | rename title as Role
| mvexpand srchIndexesAllowed | dedup Role, srchIndexesAllowed | eval joinfield=if(substr(srchIndexesAllowed,1,1)="_","I","NI")
| rex field=srchIndexesAllowed mode=sed "s/[*]/%/g"] | where like(index_name,srchIndexesAllowed) | table index_name, Role
| join type=left max=0 Role [| rest /services/authentication/users | table title, roles | mvexpand roles | rename title as User, roles as Role]

Sample output:

index_name       Role    User
---------------------------------
_audit           admin   admin
_blocksignature  admin   admin
_internal        admin   admin
_thefishbucket   admin   admin
history          admin   admin
history          power
history          user
main             admin   admin
main             dummy   dummy

A blank User column means no user has been assigned that role.
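The two answers above both read the role grants from the REST API; the longer search additionally matches the srchIndexesAllowed wildcards against the real index names and joins in the users. The following is an added example (not code from either answer, and not a Splunk tool) that reproduces that audit offline in Python from the same three REST endpoints. It assumes you have saved each endpoint's JSON (query them with output_mode=json; the documents are shaped as {"entry": [{"name": ..., "content": {...}}]}), and it embeds constructed sample data instead of a real deployment. Two details matter for the audit and are encoded in the code: a bare "*" in srchIndexesAllowed does not cover internal indexes (those starting with "_"), which is exactly what the I/NI joinfield in the search above handles; and a role can inherit index access from the roles it imports, which the one-line search does not show, so the example also reads the endpoint's imported_srchIndexesAllowed field when present.

```python
"""Offline index -> role -> user access audit built from Splunk REST JSON."""
import re
from collections import defaultdict

# Constructed sample data shaped like the `content` of each REST entry
# (GET .../services/data/indexes, .../authorization/roles and
# .../authentication/users with output_mode=json). Not from a real deployment.
SAMPLE_INDEXES = ["_audit", "_internal", "history", "main", "web_proxy"]

SAMPLE_ROLES = {
    "admin": {"srchIndexesAllowed": ["*", "_*"], "imported_srchIndexesAllowed": []},
    "power": {"srchIndexesAllowed": ["*"], "imported_srchIndexesAllowed": []},
    "user": {"srchIndexesAllowed": ["*"], "imported_srchIndexesAllowed": []},
    "dummy": {"srchIndexesAllowed": ["main"], "imported_srchIndexesAllowed": []},
    "proxy_reader": {"srchIndexesAllowed": ["web_*"], "imported_srchIndexesAllowed": []},
    # no direct grant: access comes only through an imported role
    "proxy_analyst": {"srchIndexesAllowed": [], "imported_srchIndexesAllowed": ["web_*"]},
}

SAMPLE_USERS = {"admin": ["admin"], "dummy": ["dummy"], "alice": ["proxy_analyst"]}


def entries_to_dict(payload):
    """Flatten a REST JSON document ({"entry": [{"name": ..., "content": {...}}]})
    into {name: content}, the shape the functions below consume."""
    return {e["name"]: e.get("content", {}) for e in payload.get("entry", [])}


def pattern_matches(pattern, index_name):
    """Splunk wildcard semantics: '*' covers only non-internal indexes and
    '_*' is needed for internal ones. This is the I/NI joinfield split from
    the search above, expressed directly."""
    if pattern.startswith("_") != index_name.startswith("_"):
        return False
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, index_name) is not None


def allowed_patterns(role_content):
    """Direct grants plus grants inherited from imported roles (if the field
    is present in the role document)."""
    return list(role_content.get("srchIndexesAllowed", [])) + \
        list(role_content.get("imported_srchIndexesAllowed", []))


def index_role_map(indexes, roles):
    """{index_name: sorted list of roles that can search it}."""
    mapping = {}
    for index_name in indexes:
        mapping[index_name] = sorted(
            role for role, content in roles.items()
            if any(pattern_matches(p, index_name) for p in allowed_patterns(content))
        )
    return mapping


def users_by_role(users):
    """Invert {user: [roles]} into {role: sorted users}."""
    inverted = defaultdict(list)
    for user, role_list in users.items():
        for role in role_list:
            inverted[role].append(user)
    return {role: sorted(members) for role, members in inverted.items()}


def audit_rows(indexes, roles, users):
    """(index_name, Role, User) rows, like the sample output above;
    User is '' when nobody currently holds the role."""
    rows = []
    by_role = users_by_role(users)
    for index_name, role_names in sorted(index_role_map(indexes, roles).items()):
        for role in role_names:
            for user in by_role.get(role, [""]):
                rows.append((index_name, role, user))
    return rows


if __name__ == "__main__":
    print(f"{'index_name':<16}{'Role':<16}User")
    for idx, role, user in audit_rows(SAMPLE_INDEXES, SAMPLE_ROLES, SAMPLE_USERS):
        print(f"{idx:<16}{role:<16}{user}")
```

To run it against a real instance, replace the three SAMPLE_ constants with entries_to_dict() applied to the saved JSON of each endpoint (the index list is just the keys of the indexes document). Rows with an empty User are roles that grant access but are currently unassigned; they are still worth reviewing, since any future assignment inherits that reach.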

chris
Motivator

Thank you.


kalraj3
Engager

This was very useful



rdelmark
Explorer

This is great, thank you, it works very well.
