Hello Guys,
Can someone help me with a search to list the roles and their capabilities in a Splunk environment?
Hello,
Here is a solution for the roles and users from the always awesome user "somesoni2":
https://answers.splunk.com/answers/127844/how-can-i-generate-a-list-of-users-and-assigned-roles.html
and with the roles and capabilities thing you are not far off searching with this command:
| rest /services/authorization/roles
I have used those myself in the past to get reports about that.
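Added example, not part of the original posts: a search built on the same `/services/authorization/roles` endpoint that lists each role's effective capabilities by combining the directly assigned `capabilities` field with `imported_capabilities` (those inherited through `imported_roles`). The `sensitive` shortlist is an assumption picked from capability names that appear in this thread; adjust it to your own policy.

```spl
| rest /services/authorization/roles splunk_server=local
| rename title AS role
| eval capability=mvdedup(mvappend(capabilities, imported_capabilities))
| fields role imported_roles capability
| mvexpand capability
| eval sensitive=if(match(capability, "^(admin_all_objects|change_authentication|delete_by_keyword|edit_roles|edit_user|edit_cmd|run_debug_commands|list_storage_passwords)$"), capability, null())
| stats dc(capability) AS capability_count
        values(sensitive) AS sensitive_capabilities
        values(imported_roles) AS inherits_from
        values(capability) AS capabilities
        by role
| sort - capability_count
```

Reading `capabilities` alone understates what a role can do, because a role that only inherits from `admin` would show few or no capabilities of its own.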
Dashboard which will list and compare role capabilities. (XML code below)
<form hideFilters="true">
<label>Role Capabilities</label>
<description>(select roles and capabilities to compare)</description>
<fieldset submitButton="false">
<input type="checkbox" token="role" searchWhenChanged="true">
<label>Roles</label>
<fieldForLabel>role</fieldForLabel>
<fieldForValue>role</fieldForValue>
<search>
<query>| rest /services/authentication/users splunk_server=local
| table roles
| mvexpand roles
| dedup roles
| table roles
| sort roles
| rename roles as role</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>role="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<choice value="*">All</choice>
<default>admin,power,sc_admin,user</default>
</input>
<input type="dropdown" token="capability_group" searchWhenChanged="true">
<label>Capability Group</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>capability_group="</prefix>
<suffix>"</suffix>
<fieldForLabel>capability_group</fieldForLabel>
<fieldForValue>capability_group</fieldForValue>
<search>
<query>| rest /services/authorization/roles splunk_server=local
| table capabilities
| mvexpand capabilities
| dedup capabilities
| sort capabilities
| rex field=capabilities "^(?&lt;capability_group&gt;[^_]+)"
| table capability_group
| dedup capability_group</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="capabilities" searchWhenChanged="true">
<label>Capabilities</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>capabilities="</prefix>
<suffix>"</suffix>
<fieldForLabel>capabilities</fieldForLabel>
<fieldForValue>capabilities</fieldForValue>
<search>
<query>| rest /services/authorization/roles splunk_server=local
| table capabilities
| mvexpand capabilities
| dedup capabilities
| sort capabilities</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<title>Capabilities by Role</title>
<table>
<search>
<query>| rest /services/authorization/roles splunk_server=local
| table capabilities
| dedup capabilities
| sort capabilities
| eval role="Capabilities List"
| table capabilities
| stats count by role capabilities
| appendcols
[| rest /services/authorization/roles
| table title capabilities
| dedup title
| rename title as role
| table role capabilities
| stats count by role capabilities]
| eval _time=now()
| search $role$
| stats count(eval(capabilities="accelerate_datamodel")) as accelerate_datamodel count(eval(capabilities="accelerate_search")) as accelerate_search count(eval(capabilities="admin_all_objects")) as admin_all_objects count(eval(capabilities="change_authentication")) as change_authentication count(eval(capabilities="change_own_password")) as change_own_password count(eval(capabilities="delete_by_keyword")) as delete_by_keyword count(eval(capabilities="dispatch_rest_to_indexers")) as dispatch_rest_to_indexers count(eval(capabilities="dmc_deploy_apps")) as dmc_deploy_apps count(eval(capabilities="dmc_deploy_token_http")) as dmc_deploy_token_http count(eval(capabilities="edit_cmd")) as edit_cmd count(eval(capabilities="edit_deployment_client")) as edit_deployment_client count(eval(capabilities="edit_deployment_server")) as edit_deployment_server count(eval(capabilities="edit_dist_peer")) as edit_dist_peer count(eval(capabilities="edit_encryption_key_provider")) as edit_encryption_key_provider count(eval(capabilities="edit_forwarders")) as edit_forwarders count(eval(capabilities="edit_httpauths")) as edit_httpauths count(eval(capabilities="edit_indexer_cluster")) as edit_indexer_cluster count(eval(capabilities="edit_indexerdiscovery")) as edit_indexerdiscovery count(eval(capabilities="edit_input_defaults")) as edit_input_defaults count(eval(capabilities="edit_local_apps")) as edit_local_apps count(eval(capabilities="edit_monitor")) as edit_monitor count(eval(capabilities="edit_restmap")) as edit_restmap count(eval(capabilities="edit_roles")) as edit_roles count(eval(capabilities="edit_roles_grantable")) as edit_roles_grantable count(eval(capabilities="edit_scripted")) as edit_scripted count(eval(capabilities="edit_search_head_clustering")) as edit_search_head_clustering count(eval(capabilities="edit_search_schedule_priority")) as edit_search_schedule_priority count(eval(capabilities="edit_search_schedule_window")) as edit_search_schedule_window 
count(eval(capabilities="edit_search_scheduler")) as edit_search_scheduler count(eval(capabilities="edit_search_server")) as edit_search_server count(eval(capabilities="edit_server")) as edit_server count(eval(capabilities="edit_server_crl")) as edit_server_crl count(eval(capabilities="edit_sourcetypes")) as edit_sourcetypes count(eval(capabilities="edit_splunktcp")) as edit_splunktcp count(eval(capabilities="edit_splunktcp_ssl")) as edit_splunktcp_ssl count(eval(capabilities="edit_splunktcp_token")) as edit_splunktcp_token count(eval(capabilities="edit_statsd_transforms")) as edit_statsd_transforms count(eval(capabilities="edit_tcp")) as edit_tcp count(eval(capabilities="edit_tcp_stream")) as edit_tcp_stream count(eval(capabilities="edit_telemetry_settings")) as edit_telemetry_settings count(eval(capabilities="edit_token_http")) as edit_token_http count(eval(capabilities="edit_udp")) as edit_udp count(eval(capabilities="edit_upload_and_index")) as edit_upload_and_index count(eval(capabilities="edit_user")) as edit_user count(eval(capabilities="edit_view_html")) as edit_view_html count(eval(capabilities="edit_web_settings")) as edit_web_settings count(eval(capabilities="embed_report")) as embed_report count(eval(capabilities="export_results_is_visible")) as export_results_is_visible count(eval(capabilities="get_diag")) as get_diag count(eval(capabilities="get_metadata")) as get_metadata count(eval(capabilities="get_typeahead")) as get_typeahead count(eval(capabilities="indexes_edit")) as indexes_edit count(eval(capabilities="indexes_list_all")) as indexes_list_all count(eval(capabilities="input_file")) as input_file count(eval(capabilities="license_edit")) as license_edit count(eval(capabilities="license_tab")) as license_tab count(eval(capabilities="license_view_warnings")) as license_view_warnings count(eval(capabilities="list_deployment_client")) as list_deployment_client count(eval(capabilities="list_deployment_server")) as list_deployment_server 
count(eval(capabilities="list_forwarders")) as list_forwarders count(eval(capabilities="list_httpauths")) as list_httpauths count(eval(capabilities="list_indexer_cluster")) as list_indexer_cluster count(eval(capabilities="list_indexerdiscovery")) as list_indexerdiscovery count(eval(capabilities="list_inputs")) as list_inputs count(eval(capabilities="list_introspection")) as list_introspection count(eval(capabilities="list_metrics_catalog")) as list_metrics_catalog count(eval(capabilities="list_search_head_clustering")) as list_search_head_clustering count(eval(capabilities="list_search_scheduler")) as list_search_scheduler count(eval(capabilities="list_settings")) as list_settings count(eval(capabilities="list_storage_passwords")) as list_storage_passwords count(eval(capabilities="output_file")) as output_file count(eval(capabilities="pattern_detect")) as pattern_detect count(eval(capabilities="refresh_application_licenses")) as refresh_application_licenses count(eval(capabilities="request_remote_tok")) as request_remote_tok count(eval(capabilities="rest_apps_management")) as rest_apps_management count(eval(capabilities="rest_apps_view")) as rest_apps_view count(eval(capabilities="rest_properties_get")) as rest_properties_get count(eval(capabilities="rest_properties_set")) as rest_properties_set count(eval(capabilities="restart_reason")) as restart_reason count(eval(capabilities="restart_splunkd")) as restart_splunkd count(eval(capabilities="rtsearch")) as rtsearch count(eval(capabilities="run_debug_commands")) as run_debug_commands count(eval(capabilities="schedule_rtsearch")) as schedule_rtsearch count(eval(capabilities="schedule_search")) as schedule_search count(eval(capabilities="search")) as search count(eval(capabilities="search_process_config_refresh")) as search_process_config_refresh count(eval(capabilities="web_debug")) as web_debug by role
| transpose 1000 column_name=capabilities header_field=role
| rex field=capabilities "^(?&lt;capability_group&gt;[^_]+)"
| search $capabilities$ $capability_group$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
<format type="color" field="admin">
<colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
</format>
<format type="color" field="apps">
<colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
</format>
<format type="color" field="capability_group">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="power">
<colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
</format>
<format type="color" field="sc_admin">
<colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
</format>
<format type="color" field="user">
<colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
</format>
<format type="number" field="internal_automation_role">
<option name="precision">0</option>
</format>
<format type="color" field="internal_automation_role">
<colorPalette type="map">{"0":#555555,"1":#A2CC3E}</colorPalette>
</format>
</table>
</panel>
</row>
</form>
This is an awesome app for that:
@jkat54: It would not let me download the app. Can you please check?