icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading User Role Checker
SHA256 checksum (user-role-checker_107.tgz) 7a5f631e9e103582e923d89892f5f1d964cd88e7fef5c5182f8dbe55cadfcd87 SHA256 checksum (user-role-checker_105.tgz) 01fda80e06a05e3d021aa1510483094f03d27b63206515ee70dfd511d4e64173
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

User Role Checker

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Overview
Details
User Role Checker App let you quickly find out, starting from a user or from a role, what are the attached or inherited allowed indexes, search restrictions, capabilities, or apps permissions.

User Role Checker

Due to role inheritance, it is not always easy to check on users' rights via Splunk settings page.

User Role Checker App lets you quickly find out, starting from a user or from a role, what are the attached or inherited allowed indexes, search restrictions, capabilities, or apps permissions.

Version 1.0.7

Release Notes

1.0.7: February 2019
- Fixed a typo in the 'Views' view (Search by role)

1.0.6: February 2019
- Adjusted the 'Views' view to display views by app

1.0.5: February 2019
- Added the "Views" view
- Fixed a type in the "Restrictions" view

1.0.3: September 2018
- Fixed a typo in the 'Apps/Server' view. The 'Server' multiselect should now display multiple results, depending on your environment, instead of displaying only the local instance
- Cleaned the App logo

1.0.2: September 2018
- Users can now be searched by username and real name from each view
- Added description for capabilities as a lookup used in "Capabilities / Search by Capability" view
- Changed the way roles are being searched in all views so that even roles without users are now being listed
- Removed the "Find role(s) from user" from the "Browse Role Configuration" view, as the equivalent is now available from the "Membership" view

1.0.1: August 2018
- Added the "Membership" view
- Fixed minor items

1.0.0: August 2018
- Initial release

Insight

Most of the queries behind the provided dashboards use sub-searches to retrieve every possible inherited role for a specific user or role.

It includes nested inherited roles up to a certain level.

These queries use the same structure, described below:

A - The main search provides results obtained from directly attached role(s), including the list of inherited role(s).

B - The first appended sub-search provides results from the list of inherited role(s) obtained from the previous step (A), including the list of inherited role(s).

C - The second appended sub-search provides results from the list of inherited role(s) obtained from the previous step (B), including the list of inherited role(s).

D - The third appended sub-search provides results from the list of inherited role(s) obtained from the previous step (C), including the list of inherited role(s).

It means that the way queries can retrieve inherited roles is not fully automated but rather limited to a certain level of recursion.

The reason for this limitation is that there is no while loop in Splunk Processing Language.

However, we have tested this App in several Splunk platforms and each time this level of recursion was sufficient.

Besides, this query structure could be easily adapted to provide an additional level of recursion if needed.

Prerequisites

If deployed on an earlier version of Splunk (pre 7.1) add 'color="#333333"' to the first line of the default navigation menu (Settings > User interface > Navigation menus > default).

App deployment

Deploy the App on your Search Head.

Use the App

User Role Checker App provides various dashboard all described below:

The 'Membership' dashboard provides either the list of members for a given role, or the list of associated or inherited role(s) for a given user.

The 'Indexes' dashboard provides allowed and default indexes attached to or inherited from a user's role. Results can be displayed split by role or merged. It is also possible to search by index to discover which roles are allowing access.

The 'Restrictions' dashboard provides search restrictions parameters attached to or inherited from a user's role. Results can be displayed split by role or merged. Results reflect the way various restrictions are combined between directly attached role(s) and the inherited one(s). For instance, as reflected in the panel, search filters (or restrict search terms) are all combined between applied roles.

The 'Capabilities' dashboard provides capabilities status attached to or inherited from a user's role. Results can be displayed split by role or merged. It is also possible to search by capabilities to discover which roles are enabling them.

The 'Apps' dashboard provides App permissions attached to or inherited from a user's role. Permissions information can also be obtained by App. It is also possible, via the 'Search by Server' option, to check on Apps and Add-ons deployment. It is useful when checking on what Splunk instance a particular App or Add-on is deployed.

The 'Browse Role Configuration' let you easily browse role configuration and compare selected parameters with selected roles. Custom selections of parameters - Indexes, Capabilities and Restrictions -, have been added to the 'Parameters' multiselect input.

The 'Access Role Settings' link leads you Splunk role configuration page.

Notes

As mentioned, the 'Server' part of the 'Apps' dashboard is useful when checking on what Splunk instance a particular App or Add-on is deployed. By default, it will at least provide results from your Search Head and Indexer(s). If you want to be able to retrieve results from other instances in your distributed Splunk architecture (e.g. Heavy Forwarder), you should either add this instance as search peer or use the App from an instance configured to reach all the other ones (e.g. the Monitoring Console).

Some html panels let you drilldown to the local index configuration via the link "/manager/UserRoleChecker/data/indexes". While working for a standalone Splunk instance, it will not work in a distributed environment and should be edited, if needed, to match your Indexer or Cluster Master.

For any help or suggestion on this App, contact d2si-spk [at] protonmail.com

Release Notes

Version 1.0.7
Feb. 7, 2019

- Fixed a typo in the 'Views' view (Search by role)

Version 1.0.5
Feb. 4, 2019

- Added the "Views" view
- Fixed a type in the "Restrictions" view

193
Installs
643
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.