Splunk Objects With Permissions Granted to Non-existent Roles

Useful search for finding Splunk objects whose read or write permissions are granted to a role that no longer exists.

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
 | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title
 | eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write')
 | fields - eai:acl.perms.*
 | mvexpand perms
 | where perms!="*" AND NOT
 [
 | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
 | fields title
 | rename title as perms
 ]

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376
Credit goes to acharlieh!
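
The filtering logic of the search, reproduced in Python as an added example (not part of the gist or of Splunk). The role names and object rows are constructed sample data that reuse the field names the search keeps; it shows that an object granting both read and write to the same missing role is returned twice, because mvappend does not de-duplicate.

```python
# Added illustration, not from the gist. Rows are constructed sample data that
# use the field names the search keeps from | rest .../admin/directory.

def orphaned_grants(objects, roles):
    """Return one row per permission entry that names a role not in `roles`."""
    known = set(roles)  # the subsearch: role titles renamed to perms
    rows = []
    for obj in objects:
        # eval perms=mvappend(read, write): plain concatenation, no de-duplication
        perms = list(obj.get("eai:acl.perms.read") or [])
        perms += list(obj.get("eai:acl.perms.write") or [])
        # mvexpand perms, then where perms!="*" AND NOT [known roles]
        for perm in perms:
            if perm != "*" and perm not in known:
                rows.append({
                    "title": obj["title"],
                    "app": obj["eai:acl.app"],
                    "owner": obj["eai:acl.owner"],
                    "perms": perm,
                })
    return rows

# Constructed sample data (hypothetical roles and objects)
ROLES = ["admin", "power", "user"]
OBJECTS = [
    {"title": "Failed logins", "eai:acl.app": "search", "eai:acl.owner": "alice",
     "eai:acl.perms.read": ["*"], "eai:acl.perms.write": ["admin"]},
    {"title": "VPN report", "eai:acl.app": "search", "eai:acl.owner": "bob",
     "eai:acl.perms.read": ["admin", "soc_tier1"],
     "eai:acl.perms.write": ["soc_tier1"]},
    {"title": "asset_lookup", "eai:acl.app": "inventory", "eai:acl.owner": "nobody",
     "eai:acl.perms.read": ["user"], "eai:acl.perms.write": ["admin", "contractor"]},
    # Object with no explicit permissions: produces no rows
    {"title": "private_macro", "eai:acl.app": "search", "eai:acl.owner": "carol"},
]

if __name__ == "__main__":
    for row in orphaned_grants(OBJECTS, ROLES):
        print(row)
```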
