List permissions for Users, roles, allowed indexes and indexes searched by default

Ok that one is a big one so be prepared ;)

The following search, run on a search head (SH) or SH cluster, will:

  • list all users and their roles
  • list the roles each of those roles inherits (imported roles)
  • list all indexes allowed for the shown roles
  • list all indexes allowed via inherited roles (one level only!)
  • show the originator of each inherited allowed index (i.e. which inherited role allows it)
  • list the indexes searched by default (used when a search gives no index=)
  • rename * and _* to meaningful names (all non-internal indexes / all internal indexes)

To clarify the inherited results:

  • Inheritance of allowed indexes is shown only up to ONE level
    (role -> inherited roles), *not* further (so NOT: role -> inherited roles -> inherited roles).
    A role that inherits through a chain longer than one hop will therefore show fewer allowed indexes than it effectively has.

ok now here it comes:

You can modify the above (e.g. to add it to a dashboard with some inputs…):

  • username="username of interest" (default: all users)
  • roles="roles of interest" (default: all roles)
  • splunk_server=local is used in the first two rest calls and can be changed to any peer the SH has access to (usually local is fine, since users and roles live on the SH)


Additionally, a slight modification of the above identifies bad-practice user accounts that are allowed to search all non-internal indexes (*) AND search them by default (i.e. when no index= is given), which makes every unqualified search from that account hit every index:
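As an added example (not the original post's search), the following SPL implements both the full listing described above and the bad-practice check in one search. It assumes the standard REST endpoints /services/authentication/users and /services/authorization/roles with their usual fields (title, roles, imported_roles, srchIndexesAllowed, srchIndexesDefault, imported_srchIndexesDefault), and uses mvmap, which needs Splunk 8.0 or later. The field names user, role, inherited_roles, allowed_indexes, inherited_allowed_indexes, default_indexes, inherited_default_indexes and bad_practice are my own choices.

```spl
| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title AS user
| mvexpand roles
| rename roles AS role
| search user="*" role="*"
| join type=left role
    [ | rest /services/authorization/roles splunk_server=local
      | fields title imported_roles srchIndexesAllowed srchIndexesDefault imported_srchIndexesDefault
      | rename title AS role
      | mvexpand imported_roles
      | join type=left imported_roles
          [ | rest /services/authorization/roles splunk_server=local
            | fields title srchIndexesAllowed
            | rename title AS imported_roles, srchIndexesAllowed AS inherited_idx ]
      | eval inherited_idx=mvmap(inherited_idx, case(
            inherited_idx=="*",  "All non-internal indexes",
            inherited_idx=="_*", "All internal indexes",
            true(),              inherited_idx))
      | eval inherited_idx=mvmap(inherited_idx, imported_roles." -> ".inherited_idx)
      | stats values(imported_roles)              AS inherited_roles,
              values(srchIndexesAllowed)          AS allowed_indexes,
              values(srchIndexesDefault)          AS default_indexes,
              values(imported_srchIndexesDefault) AS inherited_default_indexes,
              values(inherited_idx)               AS inherited_allowed_indexes
              BY role ]
| foreach allowed_indexes default_indexes inherited_default_indexes
    [ eval <<FIELD>>=mvmap(<<FIELD>>, case(
          <<FIELD>>=="*",  "All non-internal indexes",
          <<FIELD>>=="_*", "All internal indexes",
          true(),          <<FIELD>>)) ]
| eval can_search_all=if(isnotnull(mvfind(allowed_indexes, "^All non-internal indexes$"))
        OR isnotnull(mvfind(inherited_allowed_indexes, " -> All non-internal indexes$")), 1, 0)
| eval searches_all_by_default=if(isnotnull(mvfind(default_indexes, "^All non-internal indexes$"))
        OR isnotnull(mvfind(inherited_default_indexes, "^All non-internal indexes$")), 1, 0)
| eval bad_practice=if(can_search_all=1 AND searches_all_by_default=1, "yes", "no")
| table user role inherited_roles allowed_indexes inherited_allowed_indexes default_indexes inherited_default_indexes bad_practice
| sort user role
```

The `| search user="*" role="*"` line is where dashboard tokens for the username and roles of interest go. The inner join resolves each imported role once, so inherited_allowed_indexes shows one level of inheritance with the originating role as prefix (e.g. `power -> All non-internal indexes`), exactly as described above; inherited_default_indexes comes from Splunk's own resolved imported_srchIndexesDefault and is therefore complete across all levels. For the bad-practice list, append `| where bad_practice="yes"`: it keeps only user/role pairs that can search all non-internal indexes and do so by default.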


