List permissions for Users, roles, allowed indexes and indexes searched by default

Ok that one is a big one so be prepared ;)

The following will (on a SH / SH Cluster):

  • list all users and their roles
  • list inherited roles
  • list all indexes allowed by the shown roles
  • list all indexes allowed for inherited roles (one level!)
  • inherited allowed indexes will show the originator (which inherited role allowed an index)
  • list the default searched indexes
  • rename * and _* to meaningful names

To clarify inherited results:

  • Inheritance for allowed indexes is shown only up to ONE level
    (role -> inherited roles) but *not* further (so NOT: role -> inherited roles -> inherited roles)

ok now here it comes:

| rest splunk_server=local /services/authentication/users | rename title as username | mvexpand roles | table realname, username, roles, email 
| join type=outer roles [ rest splunk_server=local /services/authorization/roles | rename title as roles | eval ir=imported_roles | search srchIndexesAllowed=* | fields roles imported_roles ir srchIndexesAllowed srchIndexesDefault | mvexpand ir]
| foreach srchIndexesAllowed
[ eval srchIndexesAllowed=replace(<<FIELD>>,"^_\*$","[all internal indexes];") 
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s","[all non-internal indexes];")
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*$","[all non-internal indexes];") 
]
| foreach srchIndexesDefault
[ eval srchIndexesDefault=replace(<<FIELD>>,"_\*","[all internal indexes];") 
| eval srchIndexesDefault=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
| eval srchIndexesDefault=replace(<<FIELD>>,"\*\s","[all non-internal indexes];") 
| eval srchIndexesDefault=replace(<<FIELD>>,"\*$","[all non-internal indexes];")
]
| join type=outer ir
[ | rest splunk_server=local /services/authorization/roles | fields - imported_roles
| rename title as ir
| mvexpand srchIndexesAllowed
| eval inheritedAllowed=if(idxtype=="Invalid","",srchIndexesAllowed." (by ".ir.");")
| stats values(inheritedAllowed) as inheritedAllowed by ir ]
| fields - ir, splunk_server
| makemv allowempty=t inheritedAllowed delim=";" 
| makemv allowempty=t srchIndexesAllowed delim=";"
| makemv allowempty=t srchIndexesDefault delim=";"
| rename srchIndexesDefault TO "Searched by default", srchIndexesAllowed TO "AllowedIndexes by Role", inheritedAllowed TO "AllowedIndexes by Inheritance", imported_roles TO "Inherited Roles"

You can modify the above (e.g. to add it to a dashboard with some inputs…):

  • username="username of interest"
  • roles="roles of interest"
  • splunk_server=local is used twice (first 2 lines) and can be changed to any peer the SH has access to (usually local is fine though)

Additionally, a slight modification of the above identifies bad-practice user accounts that are allowed to search all non-internal indexes AND search them by default (i.e. when no index= is given):

| rest splunk_server=local /services/authentication/users | rename title as username | mvexpand roles | table realname, username, roles, email 
| join type=outer roles [ rest splunk_server=local /services/authorization/roles | rename title as roles | eval ir=imported_roles | search srchIndexesAllowed=* | fields roles imported_roles ir srchIndexesAllowed srchIndexesDefault | mvexpand ir]
| foreach srchIndexesAllowed
[ eval srchIndexesAllowed=replace(<<FIELD>>,"^_\*$","[all internal indexes];") 
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s","[all non-internal indexes];")
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*$","[all non-internal indexes];") 
]
| foreach srchIndexesDefault
[ eval srchIndexesDefault=replace(<<FIELD>>,"_\*","[all internal indexes];") 
| eval srchIndexesDefault=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
| eval srchIndexesDefault=replace(<<FIELD>>,"\*\s","[all non-internal indexes];") 
| eval srchIndexesDefault=replace(<<FIELD>>,"\*$","[all non-internal indexes];")
]
| join type=outer ir
[ | rest splunk_server=local /services/authorization/roles | fields - imported_roles
| rename title as ir
| mvexpand srchIndexesAllowed
| eval inheritedAllowed=if(idxtype=="Invalid","",srchIndexesAllowed." (by ".ir.");")
| stats values(inheritedAllowed) as inheritedAllowed by ir ]
| fields - ir, splunk_server
| makemv allowempty=t inheritedAllowed delim=";" 
| makemv allowempty=t srchIndexesAllowed delim=";"
| makemv allowempty=t srchIndexesDefault delim=";"
| search (srchIndexesDefault="[all internal and non-internal indexes]*" OR srchIndexesDefault="[all non-internal indexes]*") AND (srchIndexesAllowed="[all internal and non-internal indexes]*" OR srchIndexesAllowed="[all non-internal indexes]*")
| rename srchIndexesDefault TO "Searched by default", srchIndexesAllowed TO "AllowedIndexes by Role", inheritedAllowed TO "AllowedIndexes by Inheritance", imported_roles TO "Inherited Roles"
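The two searches above resolve users -> roles -> imported roles -> allowed/default indexes and then flag accounts that can and do search everything by default. The same resolution as an added stand-alone example (not part of the original post, and not Splunk's own code), run over constructed role and user records shaped like the REST fields the searches read; it goes one step beyond the post by following imported_roles transitively and recording which role granted each index:

```python
from collections import deque

# Constructed sample data (not real REST output) shaped like the fields the post
# reads from /services/authentication/users and /services/authorization/roles.
ROLES = {
    "user":    {"imported_roles": [],          "srchIndexesAllowed": ["main"], "srchIndexesDefault": ["main"]},
    "analyst": {"imported_roles": ["user"],    "srchIndexesAllowed": ["web"],  "srchIndexesDefault": ["web"]},
    "power":   {"imported_roles": ["analyst"], "srchIndexesAllowed": ["_*"],   "srchIndexesDefault": []},
    "broad":   {"imported_roles": ["power"],   "srchIndexesAllowed": ["*"],    "srchIndexesDefault": ["*"]},
}
USERS = [
    {"username": "alice", "roles": ["analyst"]},
    {"username": "bob",   "roles": ["broad"]},
]
# Same renames the post applies with replace() to the * and _* wildcards.
LABELS = {"*": "[all non-internal indexes]", "_*": "[all internal indexes]"}

def label(pattern):
    return LABELS.get(pattern, pattern)

def inherited_roles(role):
    """All roles reachable via imported_roles, nearest first (transitive, cycle-safe)."""
    seen, queue, out = {role}, deque(ROLES[role]["imported_roles"]), []
    while queue:
        r = queue.popleft()
        if r in seen:
            continue
        seen.add(r)
        out.append(r)
        queue.extend(ROLES[r]["imported_roles"])
    return out

def allowed_indexes(role):
    """Map each allowed index (labelled) to the role that grants it; the role's own grants win."""
    grants = {label(p): role for p in ROLES[role]["srchIndexesAllowed"]}
    for r in inherited_roles(role):
        for p in ROLES[r]["srchIndexesAllowed"]:
            grants.setdefault(label(p), r)
    return grants

def effective(user):
    """Per-user view: allowed indexes with originator, default indexes, bad-practice flag."""
    allowed, default = {}, set()
    for role in user["roles"]:
        for idx, src in allowed_indexes(role).items():
            allowed.setdefault(idx, src)
        for r in [role] + inherited_roles(role):  # default indexes are inherited as well
            default.update(label(p) for p in ROLES[r]["srchIndexesDefault"])
    # The post's bad-practice criterion: may search all non-internal indexes AND does so by default.
    bad = LABELS["*"] in allowed and LABELS["*"] in default
    return {"allowed": allowed, "default": sorted(default), "bad_practice": bad}

def report(users=USERS):
    return {u["username"]: effective(u) for u in users}
```

Swap the constructed dictionaries for the parsed JSON of the two REST endpoints (e.g. with output_mode=json) to run it against a real search head.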

Comments

  1. Mike Anderson

    So I want to use this for other fields like capabilities & quotas and such. The if(idxtype="invalid"...) isn't working, how would I do this?