topic Re: How can I give a role read-only access to users? in Splunk Enterprise

How can I give a role read-only access to users?

dudhatjanhavi — Tue, 02 May 2023 18:08:25 GMT

I created a new role in Splunk, let's say "RoleA". I want RoleA to be able to see a list of all users and see all related information (like name, email, roles assigned etc.). However I don't want to allow RoleA to edit those users, or create or delete them.

When I remove 'edit_user' capability from RoleA, I can achieve the latter - it cannot create/edit/delete the users. However with that capability not assigned to RoleA, it can't see a list of all users.

Is there a way I can achieve both?

Re: How can I give a role read-only access to users?

richgalloway — Tue, 02 May 2023 19:07:03 GMT

Create a report that uses REST to collect and present the desired information. Set the report to Run As Owner then allow RoleA to read it.

Re: How can I give a role read-only access to users?

jeffland — Tue, 02 May 2023 19:17:09 GMT

I don't think you can do this with permissions alone, as e.g. a call to services/authentication/users with | rest is also limited to your permissions and a "readonly" capability for users exists to my knowledge.

Depending on your use case, you could collect the users in a summary index or a lookup and have your role search that instead (or better yet, as rich mentioned while I was typing, use a report running as owner!)

Re: How can I give a role read-only access to users?

dudhatjanhavi — Tue, 02 May 2023 20:57:50 GMT

unfortunately using reports is not an option. I've been trying to use restmap.conf to change the capability required for a GET method accessing authentication/users.. Although no luck. For reference here's what it looks like:

[authentication-users:authentication-users] match=/authentication/users capability.get=admin_all_objects

not sure what I might be doing wrong? This might be a better solution for my use case, if it works that is

Re: How can I give a role read-only access to users?

jeffland — Wed, 03 May 2023 05:49:16 GMT

It should not be a permission issue against the endpoint. You'll be able to run this search as any user:

| rest splunk_server=local services/authentication/users

But it'll only return what your roles permit you to see, i.e. only your own user or all users.

Re: How can I give a role read-only access to users?

dudhatjanhavi — Thu, 04 May 2023 20:57:49 GMT

Yeah, however i want this role to be able to get a list of all users when it hits that endpoint. I want it to be so that any role with the admin_all_objects capability can get a list of all users. They can't edit users,create new users, etc though

Re: How can I give a role read-only access to users?

jeffland — Tue, 30 May 2023 09:40:31 GMT

As I said earlier, I don't think this is possible. You could create an idea on ideas.splunk.com to have a "readonly-admin" role, but I am not sure if this is a very common request that will get many votes/attention.