SPL

List permissions for Users, roles, allowed indexes and indexes searched by default

Description

Submitted by sedi

Ok that one is a big one so be prepared ;) The following will (on a SH / SH Cluster):
  • list all users and their roles
  • list inherited roles
  • list all indexes allowed by the shown roles
  • list all indexes allowed for inherited roles (one level!)
  • inherited allowed indexes will show the originator (which inherited role allowed an index)
  • list the default searched indexes
  • rename * and _* to meaningful names
To clarify inherited results:
  • Inheritance for allowed Indexes are shown only up to ONE level (role -> inherited roles) but *not* more (so NOT: role -> inherited roles -> inherited roles)
ok now here it comes:
| rest splunk_server=local /services/authentication/users | rename title as username | mvexpand roles | table realname, username, roles, email 
| join type=outer roles [ rest splunk_server=local /services/authorization/roles | rename title as roles | eval ir=imported_roles | search srchIndexesAllowed=* | fields roles imported_roles ir srchIndexesAllowed srchIndexesDefault | mvexpand ir]
| foreach srchIndexesAllowed
[ eval srchIndexesAllowed=replace(<<FIELD>>,"^_\*$","[all internal indexes];") 
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s","[all non-internal indexes];")
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*$","[all non-internal indexes];") 
]
| foreach srchIndexesDefault
[ eval srchIndexesDefault=replace(<<FIELD>>,"_\*","[all internal indexes];") 
| eval srchIndexesDefault=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
| eval srchIndexesDefault=replace(<<FIELD>>,"\*\s","[all non-internal indexes];") 
| eval srchIndexesDefault=replace(<<FIELD>>,"\*$","[all non-internal indexes];")
]
| join type=outer ir
[ | rest splunk_server=local /services/authorization/roles | fields - imported_roles
| rename title as ir
| mvexpand srchIndexesAllowed
| eval inheritedAllowed=if(idxtype=="Invalid","",srchIndexesAllowed." (by ".ir.");")
| stats values(inheritedAllowed) as inheritedAllowed by ir ]
| fields - ir, splunk_server
| makemv allowempty=t inheritedAllowed delim=";" 
| makemv allowempty=t srchIndexesAllowed delim=";"
| makemv allowempty=t srchIndexesDefault delim=";"
| rename srchIndexesDefault TO "Searched by default", srchIndexesAllowed TO "AllowedIndexes by Role", inheritedAllowed TO "AllowedIndexes by Inheritance", imported_roles TO "Inherited Roles"

You can modify the above (e.g. to add it to a dashboard with some inputs...):
  • username="username of interest"
  • roles="roles of interest"
  • splunk_server=local is used twice (first 2 lines) and can be changed to any peer the SH has access to (usually local is fine though)
Additionally, a slight modification of the above identifies bad-practice user accounts which are allowed to search all non-internal indexes AND search those by default (so when no index= is given):
| rest splunk_server=local /services/authentication/users | rename title as username | mvexpand roles | table realname, username, roles, email 
| join type=outer roles [ rest splunk_server=local /services/authorization/roles | rename title as roles | eval ir=imported_roles | search srchIndexesAllowed=* | fields roles imported_roles ir srchIndexesAllowed srchIndexesDefault | mvexpand ir]
| foreach srchIndexesAllowed
[ eval srchIndexesAllowed=replace(<<FIELD>>,"^_\*$","[all internal indexes];") 
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*\s","[all non-internal indexes];")
| eval srchIndexesAllowed=replace(<<FIELD>>,"\*$","[all non-internal indexes];") 
]
| foreach srchIndexesDefault
[ eval srchIndexesDefault=replace(<<FIELD>>,"_\*","[all internal indexes];") 
| eval srchIndexesDefault=replace(<<FIELD>>,"\*\s_\*","[all internal and non-internal indexes];")
| eval srchIndexesDefault=replace(<<FIELD>>,"\*\s","[all non-internal indexes];") 
| eval srchIndexesDefault=replace(<<FIELD>>,"\*$","[all non-internal indexes];")
]
| join type=outer ir
[ | rest splunk_server=local /services/authorization/roles | fields - imported_roles
| rename title as ir
| mvexpand srchIndexesAllowed
| eval inheritedAllowed=if(idxtype=="Invalid","",srchIndexesAllowed." (by ".ir.");")
| stats values(inheritedAllowed) as inheritedAllowed by ir ]
| fields - ir, splunk_server
| makemv allowempty=t inheritedAllowed delim=";" 
| makemv allowempty=t srchIndexesAllowed delim=";"
| makemv allowempty=t srchIndexesDefault delim=";"
| search (srchIndexesDefault="[all internal and non-internal indexes]*" OR srchIndexesDefault="[all non-internal indexes]*") AND (srchIndexesAllowed="[all internal and non-internal indexes]*" OR srchIndexesAllowed="[all non-internal indexes]*")
| rename srchIndexesDefault TO "Searched by default", srchIndexesAllowed TO "AllowedIndexes by Role", inheritedAllowed TO "AllowedIndexes by Inheritance", imported_roles TO "Inherited Roles"
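The same audit, both the full listing and the bad-practice filter, as an added Python example that is not part of sedi's submission. It works offline on constructed samples shaped like the "entry" lists that /services/authentication/users and /services/authorization/roles return with output_mode=json, and it goes one step beyond the SPL by resolving inherited roles to any depth instead of one level.

```python
"""Audit Splunk users -> roles -> searchable indexes from REST JSON entries."""

# Wildcard renames, matching the replace() calls in the SPL
LABELS = {"*": "[all non-internal indexes]", "_*": "[all internal indexes]"}

# Constructed sample data (not from a real deployment), REST JSON "entry" shape
USERS = [
    {"name": "alice", "content": {"realname": "Alice", "roles": ["analyst"]}},
    {"name": "bob", "content": {"realname": "Bob", "roles": ["power_all"]}},
]
ROLES = [
    {"name": "user", "content": {"imported_roles": [],
        "srchIndexesAllowed": ["_*"], "srchIndexesDefault": ["main"]}},
    {"name": "analyst", "content": {"imported_roles": ["user"],
        "srchIndexesAllowed": ["proxy"], "srchIndexesDefault": ["proxy"]}},
    {"name": "power_all", "content": {"imported_roles": ["analyst"],
        "srchIndexesAllowed": ["*", "_*"], "srchIndexesDefault": ["*"]}},
]

def label(indexes):
    """Rename bare wildcards to readable names, sorted for stable output."""
    return sorted({LABELS.get(i, i) for i in indexes})

def ancestors(role, roles, seen=None):
    """All roles imported by `role`, transitively, without looping on cycles."""
    seen = set() if seen is None else seen
    for parent in roles.get(role, {}).get("imported_roles", []):
        if parent not in seen:
            seen.add(parent)
            ancestors(parent, roles, seen)
    return seen

def audit(users, role_entries):
    """One row per user/role pair, mirroring the columns of the SPL output."""
    roles = {r["name"]: r["content"] for r in role_entries}
    rows = []
    for u in users:
        for role in u["content"].get("roles", []):
            r = roles.get(role, {})
            allowed = label(r.get("srchIndexesAllowed", []))
            default = label(r.get("srchIndexesDefault", []))
            inherited = sorted(ancestors(role, roles))
            by_inherit = [f"{idx} (by {a})" for a in inherited
                          for idx in label(roles.get(a, {}).get("srchIndexesAllowed", []))]
            # Bad practice flagged by the second search: a non-internal wildcard
            # is both allowed and searched by default, so "index=" is never needed.
            risky = LABELS["*"] in allowed and LABELS["*"] in default
            rows.append({"username": u["name"], "role": role,
                         "inherited_roles": inherited, "allowed": allowed,
                         "default": default, "inherited_allowed": by_inherit,
                         "risky": risky})
    return rows
```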
 

Comments

2 total

SplunkNinja
8/30/2018

This is awesome!

Mike Anderson
5/26/2023

So I want to use this for other fields like capabilities & quotas and such. The if(idxtype="invalid"...) isn't working, how would I do this?
