Looking to audit user accounts on a number of Splunk systems, but I don't want to have to have admin level permissions to do this. Looking for a capability that is built in that I can use to create a role that will then allow me to list user accounts without having the ability to modify or delete them. Has anyone done this before? I know there is a capability called "edit_user" but I was hoping for one called "list_user".
http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Rolesandcapabilities
Look at the capabilities capability::rest_properties_get and capability::rest_properties_set. I guess if you create a capability the same as the "user" role minus capability::rest_properties_set, it should allow only read access to REST API endpoints. (I haven't tried it.)
As somesoni said already, I would also point you at capabilities like rest_.... or list_....
Additionally I can provide you with a search that will help you list the current users and their capabilities:
| rest /services/authentication/users splunk_server=* | dedup title | fields title roles | rename title AS User roles AS Role
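As an added example (not code from any of the posts above), this Python script does the same listing through the /services/authentication/users REST endpoint from outside Splunk, so it can run under a dedicated read-only account, and flags accounts that hold an admin role or an account-modifying capability. The JSON layout, the role and capability names it flags, and the host and credentials are assumptions.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Constructed sample in the shape Splunk's REST API is assumed to return for
# /services/authentication/users?output_mode=json (entry[].name, entry[].content).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "admin",   "content": {"roles": ["admin"],
                                        "capabilities": ["edit_user", "rest_properties_get"]}},
        {"name": "auditor", "content": {"roles": ["user_auditor"],
                                        "capabilities": ["rest_properties_get"]}},
        {"name": "analyst", "content": {"roles": ["user", "power"], "capabilities": []}},
    ]
})

# What the audit flags (assumed policy): roles that grant full control, and the
# capabilities from the thread that let an account modify users or properties.
PRIVILEGED_ROLES = {"admin", "sc_admin"}
PRIVILEGED_CAPS = {"edit_user", "rest_properties_set"}


def parse_users(body):
    """Turn the REST JSON body into {username: {"roles": [...], "capabilities": [...]}}."""
    data = json.loads(body)
    users = {}
    for entry in data.get("entry", []):
        content = entry.get("content", {})
        users[entry["name"]] = {
            "roles": sorted(content.get("roles", [])),
            "capabilities": sorted(content.get("capabilities", [])),
        }
    return users


def audit(users):
    """Return {username: [flagged roles/capabilities]} for accounts worth reviewing."""
    findings = {}
    for name, info in users.items():
        hits = (set(info["roles"]) & PRIVILEGED_ROLES) | (set(info["capabilities"]) & PRIVILEGED_CAPS)
        if hits:
            findings[name] = sorted(hits)
    return findings


def fetch_users(base_url, username, password):
    """GET the user list over HTTP Basic auth (hypothetical host and read-only account)."""
    url = base_url.rstrip("/") + "/services/authentication/users?" + urlencode(
        {"output_mode": "json", "count": 0})  # count=0 asks for all entries
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + creds})
    with urllib.request.urlopen(req) as resp:
        return parse_users(resp.read().decode())
```

Running `audit(parse_users(SAMPLE_RESPONSE))` on the constructed sample flags only `admin`; point `fetch_users` at a real management port (8089) to audit a live instance.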
I already have a search that will do this. Unfortunately the answer he had won't work. Those capabilities are for a different REST endpoint.
Why wouldn't it work? You can specify different REST endpoints using splunk_server=....
The other endpoint just needs to be in the distributed search config.
According to http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Rolesandcapabilities, the capabilities rest_properties_set and rest_properties_get are used for the services/properties endpoint.
Unfortunately that wouldn't work. Those capabilities are for the /services/properties. I'm looking to hit the /services/authentication/ endpoint.