Downloading Index Access Mapping
SHA256 checksum (index-access-mapping_111.tgz) d0e9aefffd364914eb40ad49b579b7bcb3179906812d14228d58f530ed08b93b

Index Access Mapping

Splunk AppInspect Passed
This Index Access Mapping app displays LDAP-controlled access mappings from Index to Role to LDAP Group to User as both a table and a Sankey diagram. It helps you investigate who has access to a particular index, and discover by which LDAP group a particular user gains access to that index.


Access control of indexed data in Splunk is realized by mapping roles to users, where each role contains a list of indexes in the srchIndexesAllowed and srchIndexesDefault fields. Creating a separate data access role for each index, listing a single index name in the srchIndexesAllowed and srchIndexesDefault fields, allows for fine-grained access control to the indexes. Mapping a data access role to LDAP groups allows tailoring of index access on an individual-by-individual or group-by-group basis. The required role mappings in authorize.conf are best deployed as a distributed app for access consistency across all of your search heads.

Unfortunately, the base Splunk code does not provide a view of this mapping from end to end, and the authorize.conf configuration file quickly becomes undecipherable to visual inspection in larger environments.

Splunk does provide REST API calls to return data about Indexes, Roles, Users, and LDAP Groups. The index access mappings can be obtained through a series of table joins.

(roles left join indexes) left join [ (LDAP-groups left join users) append users(type=Splunk) ]

The search effectively gets the user list from two sources, joined on roles:

  • The list of LDAP-groups, which implies the list of users of type=LDAP
  • The list of local users, of type=Splunk

For the locally defined users, we force the groups field to be of the form Splunk(username) to indicate that there is no LDAP group granting the access, but rather that the access role was granted directly in the local Splunk user definitions.

REST calls used:

   /services/authorization/roles   role, mv(srchIndexesAllowed)+mv(srchIndexesDefault)
   /services/data/indexes           \        \index
   /services/admin/LDAP-groups     mv(roles), groups, mv(users "CN=*,")   #! LDAP users
   /services/authentication/users     |                 \users realname
   /services/authentication/users  mv(roles), groups, users, realname     #! Local Splunk users
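
The join chain above, worked through in Python on constructed sample data (an added example, not the app's own search). The field names, sample values, and the wildcard expansion against the index list are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed sample data; field names are illustrative, not Splunk's exact output.
ROLES = [  # /services/authorization/roles
    {"role": "admin", "allowed": ["*", "_*"], "default": ["main"]},
    {"role": "idx_net", "allowed": ["net"], "default": ["net"]},
    {"role": "idx_fw", "allowed": ["fw*"], "default": []},
    {"role": "idx_old", "allowed": ["archive"], "default": []},  # no index, no holder
]
INDEXES = ["main", "net", "fw_edge", "fw_core", "_internal"]  # /services/data/indexes
LDAP_GROUPS = [  # /services/admin/LDAP-groups
    {"group": "NetOps", "roles": ["idx_net", "idx_fw"],
     "users": ["CN=asmith,OU=People,DC=example,DC=com"]},
]
USERS = [  # /services/authentication/users
    {"user": "asmith", "realname": "Alice Smith", "type": "LDAP", "roles": ["idx_net", "idx_fw"]},
    {"user": "admin", "realname": "Administrator", "type": "Splunk", "roles": ["admin"]},
]

def matches(index, pattern):
    # Assumption: a pattern not starting with "_" does not match internal indexes.
    return index.startswith("_") == pattern.startswith("_") and fnmatch.fnmatchcase(index, pattern)

def user_rows(ldap_groups, users):
    """(LDAP-groups left join users) append users(type=Splunk), keyed by role."""
    realname = {u["user"]: u["realname"] for u in users}
    by_role = {}
    for g in ldap_groups:
        for dn in g["users"]:
            m = re.match(r"CN=([^,]+),", dn)  # the "CN=*," extraction
            user = m.group(1) if m else dn
            for role in g["roles"]:
                by_role.setdefault(role, []).append((g["group"], user, realname.get(user)))
    for u in (u for u in users if u["type"] == "Splunk"):
        for role in u["roles"]:
            by_role.setdefault(role, []).append((f"Splunk({u['user']})", u["user"], u["realname"]))
    return by_role

def index_access(roles, indexes, ldap_groups, users):
    """Rows of (index, role, group, user, realname); None marks a left-join miss."""
    by_role, rows = user_rows(ldap_groups, users), []
    for r in roles:
        patterns = r["allowed"] + r["default"]
        idxs = [i for i in indexes if any(matches(i, p) for p in patterns)]
        for idx in idxs or [None]:
            for group, user, rn in by_role.get(r["role"], [(None, None, None)]):
                rows.append((idx, r["role"], group, user, rn))
    return rows
```

Rows containing None correspond to the null values the dashboard's checkbox hides: a role that names an index that does not exist, or a role that no group or local user holds.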

Note: splunk_server=local changes to a pulldown list of Search Heads if this app is installed on a monitoring console.

Filtering Fields:

The two major use cases for this app are to investigate who has access to a particular index, and to discover by which LDAP group a particular user gains access to a particular index. To this end, several different input fields have been provided for limiting the results based on a combination of indexes, roles, groups, and users.

Pulldown selection - Splunk Search Head (local, or a list if installed on a Monitoring Console)
Multiselect fields - indexes, roles, groups, users
Text search input - for adventurous custom searching, such as indexes=net, or realname=smith*.
Two checkboxes - to hide the admin role and any null values, as they tend to unnecessarily clutter up the results.
Sankey checkbox - turns off the Sankey panels, should the visualization not be available or desired.
Sankey height pulldown - sets the height of the Sankey diagram in pixels.

Quirks and Oddities:

The Sankey diagram demands that all nodes to be charted be unique. Unfortunately, there is no such uniqueness requirement in Splunk between indexes, roles, LDAP groups, and users. Vanilla Splunk comes with both an admin user, and an admin role, which tends to turn portions of the multilevel Sankey diagram into looping spaghetti as the Sankey code cannot distinguish between admin as a role, and admin as a user. To prevent this spaghettification, we have prefixed the indexes, roles, groups, users, and realnames in the Sankey diagram with i. r. g. u. and rn., respectively, which forces them to be unique.


The Sankey visualization should be installed on the same Search Head(s) as this app.


This app should be installed on single-instance deployments, or on the Search Heads and Monitoring Console of a distributed deployment, either directly or by deployment server. The app itself contains only dashboards.

Release Notes

Version 1.1.1
Oct. 16, 2019

