Quick glance into who’s who in the zoo for users, capabilities, roles, and what indexes are searchable. Also calls out users with can_delete capabilities.
Mileage may vary, please comment if there are any issues!
<dashboard version="1.1"> <label>Splunk Insights - Users and Roles</label> <row> <panel> <title>Number of Roles</title> <single> <title>Click to Expand</title> <search> <query>| rest splunk_server=local /services/authorization/roles | stats dc(title) as "Number of Roles"</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="colorBy">value</option> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x1182f3","0x1182f3"]</option> <option name="rangeValues">[0]</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> <drilldown> <set token="listRoles">listRoles</set> <unset token="listUsers">listUsers</unset> <unset token="canDel">canDel</unset> </drilldown> </single> </panel> <panel> <title>Number of Users</title> <single> <title>Click to Expand</title> <search> <query>| rest splunk_server=local /services/authentication/users | stats dc(title) as "Number of Users"</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="colorBy">value</option> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x555","0x555"]</option> <option name="rangeValues">[0]</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> <drilldown> <set token="listUsers">listUsers</set> <unset token="listRoles">listRoles</unset> <unset token="canDel">canDel</unset> </drilldown> </single> </panel> <panel> <title>Users with Can Delete "can_delete" capabilities</title> <single> <title>Click to Expand</title> <search> <query>| rest splunk_server=local /services/authentication/users | search roles="can_delete" | stats dc(title) as "Users with can_delete"</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="colorBy">value</option> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0xd94e17","0xd94e17"]</option> <option name="rangeValues">[0]</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> <drilldown> <set token="canDel">canDel</set> <unset token="listRoles">listRoles</unset> <unset token="listUsers">listUsers</unset> </drilldown> </single> </panel> </row> <row> <panel depends="$canDel$"> <table> <title>Users with can_delete</title> <search> <query>| rest splunk_server=local /services/authentication/users | search roles="can_delete" | table realname title roles</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row> <panel depends="$listUsers$"> <title>User Permissions and Capabilities Breakdown</title> <table> <search> <query>| rest splunk_server=local /services/authentication/users | rename title as username | mvexpand roles | table realname, username, roles, email | join type=outer roles [ rest splunk_server=local /services/authorization/roles | rename title as roles | eval ir=imported_roles | search srchIndexesAllowed=* | fields roles imported_roles ir srchIndexesAllowed srchIndexesDefault | mvexpand ir] | foreach srchIndexesAllowed [ eval srchIndexesAllowed=replace(<<FIELD>>,"^_\*$$","[all internal indexes];") | eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];") | eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s","[all non-internal indexes];") | eval srchIndexesAllowed=replace(<<FIELD>>,"\*$$","[all non-internal indexes];") ] | foreach srchIndexesDefault [ eval srchIndexesDefault=replace(<<FIELD>>,"_\*","[all internal indexes];") | eval srchIndexesDefault=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];") | eval srchIndexesDefault=replace(<<FIELD>>,"\*\s","[all non-internal indexes];") | eval srchIndexesDefault=replace(<<FIELD>>,"\*$$","[all non-internal indexes];") ] | join type=outer ir [| rest splunk_server=local /services/authorization/roles | fields - imported_roles | rename title as ir | mvexpand srchIndexesAllowed | eval inheritedAllowed=if(idxtype=="Invalid","",srchIndexesAllowed." (by ".ir.");") | stats values(inheritedAllowed) as inheritedAllowed by ir ] | fields - ir, splunk_server | makemv allowempty=t inheritedAllowed delim=";" | makemv allowempty=t srchIndexesAllowed delim=";" | makemv allowempty=t srchIndexesDefault delim=";" | stats values(roles) as roles values(email) as email values(imported_roles) as imported_roles values(inheritedAllowed) as inheritedAllowed values(srchIndexesAllowed) as srchIndexesAllowed values(srchIndexesDefault) as srchIndexesDefault by username | rename srchIndexesDefault TO "Searched by default", srchIndexesAllowed TO "AllowedIndexes by Role", inheritedAllowed TO "AllowedIndexes by Inheritance", imported_roles TO "Inherited Roles"</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="role"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <format type="color" field="username"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> <panel depends="$listRoles$"> <title>All Roles and Capabilities</title> <table> <search> <query>| rest splunk_server=local /services/authorization/roles | fields title capabilities imported_roles srchIndexesAllowed srchIndexesDefault | rename title as role</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="role"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> </row> </dashboard>
