topic Re: Restrict access to read only also for admin in Splunk Cloud Platform

Restrict access to read only also for admin

wealot — Thu, 09 Jan 2025 09:47:11 GMT

Hi,

I have an app that is used for all the configurations that we have in Splunk Cloud. Quite a lot of users on our instance are admin (for good reasons that I don't want to get into 😄 ). Now because not all of those users are really "developer enthusiasts" they tend to sometimes make configuration changes through the GUI. For example disable a search in the GUI instead of nicely in the app (with pipeline etc) when they don't need it anymore. To try to make this impossible I changed the default.meta to:

[] access = read : [ * ], write : [] export = system

But this doesn't seem to work and people can still disable savedsearches (and many other things).

Is there any way to disable write entirely for any content in the app?

Re: Restrict access to read only also for admin

VatsalJagani — Thu, 23 Jan 2025 06:34:09 GMT

@wealot- There is no clear document that we can do write: [], so I would suggest to test following. Not sure if this is best solution, but maybe this will work.

Create a role called role_for_no_one and do not assign this role to anyone.
- Do not import this role from any other role.
Metadata
- access = read: [*], write: [role_for_no_one]

I hope this helps!!!

Re: Restrict access to read only also for admin

wealot — Thu, 23 Jan 2025 08:05:40 GMT

Yes seems that there is only a workaround available by using a non-used role. Although I do not know if this would in fact create issues up the road, we'll see!

Re: Restrict access to read only also for admin

wealot — Thu, 23 Jan 2025 08:40:28 GMT

Actually did some further testing, but users with admin privileges seem to be immune to permissions in terms of editing apps. So for now there is no way to disallow admins to write to apps.

Re: Restrict access to read only also for admin

VatsalJagani — Thu, 23 Jan 2025 16:15:33 GMT

if my answer, answered your question please "Accept it as Solution".

If it helped you anyway, kindly upvote!!!

Re: Restrict access to read only also for admin

isoutamo — Thu, 23 Jan 2025 20:20:59 GMT

Admin is same as root *nix world. You could try different tricks to restrict what it can do, but there is always a way to avoid those restrictions!

To be honest your company must implement policies which are mandatory and if someone doesn’t follow it then there is some consequences for those. Otherwise there will be always some surprises time by time. Of course there should be some other ways to motivate your colleagues first to understand why there is policies and why everyone must following those.