Ok that one is a big one so be prepared ;)
The following will (on a SH / SH Cluster):
- list all users and their roles
- list inherited roles
- list all indexes allowed by the shown roles
- list all indexes allowed for inherited roles (one level!)
- inherited allowed indexes will show the originator (which inherited role allowed an index)
- list the default searched indexes
- rename * and _* to meaningful names
To clarify inherited results:
- Inheritance for allowed indexes is shown only up to ONE level
(role -> inherited roles) but *not* more (so NOT: role -> inherited roles -> inherited roles)
ok now here it comes:
| rest splunk_server=local /services/authentication/users
| rename title as username
| mvexpand roles
| table realname, username, roles, email
| join type=outer roles
    [ rest splunk_server=local /services/authorization/roles
    | rename title as roles
    | eval ir=imported_roles
    | search srchIndexesAllowed=*
    | fields roles imported_roles ir srchIndexesAllowed srchIndexesDefault
    | mvexpand ir ]
| foreach srchIndexesAllowed
    [ eval srchIndexesAllowed=replace(<<FIELD>>,"^_\*$","[all internal indexes];")
    | eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
    | eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s","[all non-internal indexes];")
    | eval srchIndexesAllowed=replace(<<FIELD>>,"\*$","[all non-internal indexes];") ]
| foreach srchIndexesDefault
    [ eval srchIndexesDefault=replace(<<FIELD>>,"^_\*$","[all internal indexes];")
    | eval srchIndexesDefault=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
    | eval srchIndexesDefault=replace(<<FIELD>>,"\*\s","[all non-internal indexes];")
    | eval srchIndexesDefault=replace(<<FIELD>>,"\*$","[all non-internal indexes];") ]
| join type=outer ir
    [ | rest splunk_server=local /services/authorization/roles
    | fields - imported_roles
    | rename title as ir
    | mvexpand srchIndexesAllowed
    | eval inheritedAllowed=if(idxtype=="Invalid","",srchIndexesAllowed." (by ".ir.");")
    | stats values(inheritedAllowed) as inheritedAllowed by ir ]
| fields - ir, splunk_server
| makemv allowempty=t inheritedAllowed delim=";"
| makemv allowempty=t srchIndexesAllowed delim=";"
| makemv allowempty=t srchIndexesDefault delim=";"
| rename srchIndexesDefault TO "Searched by default", srchIndexesAllowed TO "AllowedIndexes by Role", inheritedAllowed TO "AllowedIndexes by Inheritance", imported_roles TO "Inherited Roles"
You can modify the above (e.g. to add it to a dashboard with some inputs…):
- username="username of interest"
- roles="roles of interest"
- splunk_server=local is used twice (first 2 lines) and can be changed to any peer the SH has access to (usually local is fine though)
Additionally, a slight modification of the above to identify bad-practice user accounts which are allowed to search all non-internal indexes AND search those by default (so when no index= is given):
| rest splunk_server=local /services/authentication/users
| rename title as username
| mvexpand roles
| table realname, username, roles, email
| join type=outer roles
    [ rest splunk_server=local /services/authorization/roles
    | rename title as roles
    | eval ir=imported_roles
    | search srchIndexesAllowed=*
    | fields roles imported_roles ir srchIndexesAllowed srchIndexesDefault
    | mvexpand ir ]
| foreach srchIndexesAllowed
    [ eval srchIndexesAllowed=replace(<<FIELD>>,"^_\*$","[all internal indexes];")
    | eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
    | eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s","[all non-internal indexes];")
    | eval srchIndexesAllowed=replace(<<FIELD>>,"\*$","[all non-internal indexes];") ]
| foreach srchIndexesDefault
    [ eval srchIndexesDefault=replace(<<FIELD>>,"^_\*$","[all internal indexes];")
    | eval srchIndexesDefault=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
    | eval srchIndexesDefault=replace(<<FIELD>>,"\*\s","[all non-internal indexes];")
    | eval srchIndexesDefault=replace(<<FIELD>>,"\*$","[all non-internal indexes];") ]
| join type=outer ir
    [ | rest splunk_server=local /services/authorization/roles
    | fields - imported_roles
    | rename title as ir
    | mvexpand srchIndexesAllowed
    | eval inheritedAllowed=if(idxtype=="Invalid","",srchIndexesAllowed." (by ".ir.");")
    | stats values(inheritedAllowed) as inheritedAllowed by ir ]
| fields - ir, splunk_server
| makemv allowempty=t inheritedAllowed delim=";"
| makemv allowempty=t srchIndexesAllowed delim=";"
| makemv allowempty=t srchIndexesDefault delim=";"
| search (srchIndexesDefault="[all internal and non-internal indexes]*" OR srchIndexesDefault="[all non-internal indexes]*") AND (srchIndexesAllowed="[all internal and non-internal indexes]*" OR srchIndexesAllowed="[all non-internal indexes]*")
| rename srchIndexesDefault TO "Searched by default", srchIndexesAllowed TO "AllowedIndexes by Role", inheritedAllowed TO "AllowedIndexes by Inheritance", imported_roles TO "Inherited Roles"
This is awesome!
So I want to use this for other fields like capabilities & quotas and such. The if(idxtype="invalid"...) isn't working; how would I do this?