<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Role capabilities to change Event Type permissions through REST api in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Role-capabilities-to-change-Event-Type-permissions-through-REST/m-p/158801#M32210</link>
    <description>&lt;P&gt;Hello.&lt;/P&gt;

&lt;P&gt;I'm creating an Event Type like this;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes \
    -d name="incident_1" \
    --data-urlencode search=search="src_ip=10.0.0.1 sig_id=10001"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;My RESTUser is a member of one role, the 'REST_API_User' which has the following capabilities;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Then I want to change this Event Type from a private Event Type to an App-wide Event Type. I do this also through the REST API;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes/incident_1/acl \
    -d perms.read=* \
    -d perms.write=* \
    -d sharing=app \
    -d owner=RESTUser
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;However, now I am denied this action with the following error message;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;?xml version="1.0" encoding="UTF-8"?&amp;gt;
&amp;lt;response&amp;gt;
  &amp;lt;messages&amp;gt;
    &amp;lt;msg type="ERROR"&amp;gt;User 'RESTUser' with roles { restuser, rest_api_user } cannot write: /nobody/search/eventtypes/incident_1 { read : [ * ], write : [ admin, power ] }, export: global, removable: no&amp;lt;/msg&amp;gt;
  &amp;lt;/messages&amp;gt;
&amp;lt;/response&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;OL&gt;
&lt;LI&gt;Why does it want to write to /nobody/search/...? I spesificially told it to update &lt;EM&gt;RESTUser/search/saved/eventtypes/incident_1&lt;/EM&gt; - No mention of /nobody/ ..&lt;/LI&gt;
&lt;LI&gt;Why does it say &lt;EM&gt;write : [ admin, power ]&lt;/EM&gt; - is this the default permission when creating an Event Type?&lt;/LI&gt;
&lt;LI&gt;I even tried to add inheritance to the role REST_API_User, to inherit the role "user", but still no luck. If I login to the GUI with the role User added to me I do not see the "Permissions" link behind the "Sharing Private" for the line of this Event Type. &lt;/LI&gt;
&lt;LI&gt;If I add the RESTUser with admin role - everything works nicely.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;I am confused as what to do, as I don't want to give a system admin access to my Splunk just to add and update EventType ACL's. Isn't there a way to create an Event Type and simultaneously set the permissions? It seems to default be set to &lt;EM&gt;[ admin, power ]&lt;/EM&gt;.&lt;/P&gt;

&lt;P&gt;Any advice out there?&lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 15:22:48 GMT</pubDate>
    <dc:creator>dolxor</dc:creator>
    <dc:date>2020-09-28T15:22:48Z</dc:date>
    <item>
      <title>Role capabilities to change Event Type permissions through REST api</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Role-capabilities-to-change-Event-Type-permissions-through-REST/m-p/158801#M32210</link>
      <description>&lt;P&gt;Hello.&lt;/P&gt;

&lt;P&gt;I'm creating an Event Type like this;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes \
    -d name="incident_1" \
    --data-urlencode search=search="src_ip=10.0.0.1 sig_id=10001"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;My RESTUser is a member of one role, the 'REST_API_User' which has the following capabilities;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Then I want to change this Event Type from a private Event Type to an App-wide Event Type. I do this also through the REST API;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes/incident_1/acl \
    -d perms.read=* \
    -d perms.write=* \
    -d sharing=app \
    -d owner=RESTUser
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;However, now I am denied this action with the following error message;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;?xml version="1.0" encoding="UTF-8"?&amp;gt;
&amp;lt;response&amp;gt;
  &amp;lt;messages&amp;gt;
    &amp;lt;msg type="ERROR"&amp;gt;User 'RESTUser' with roles { restuser, rest_api_user } cannot write: /nobody/search/eventtypes/incident_1 { read : [ * ], write : [ admin, power ] }, export: global, removable: no&amp;lt;/msg&amp;gt;
  &amp;lt;/messages&amp;gt;
&amp;lt;/response&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;OL&gt;
&lt;LI&gt;Why does it want to write to /nobody/search/...? I spesificially told it to update &lt;EM&gt;RESTUser/search/saved/eventtypes/incident_1&lt;/EM&gt; - No mention of /nobody/ ..&lt;/LI&gt;
&lt;LI&gt;Why does it say &lt;EM&gt;write : [ admin, power ]&lt;/EM&gt; - is this the default permission when creating an Event Type?&lt;/LI&gt;
&lt;LI&gt;I even tried to add inheritance to the role REST_API_User, to inherit the role "user", but still no luck. If I login to the GUI with the role User added to me I do not see the "Permissions" link behind the "Sharing Private" for the line of this Event Type. &lt;/LI&gt;
&lt;LI&gt;If I add the RESTUser with admin role - everything works nicely.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;I am confused as what to do, as I don't want to give a system admin access to my Splunk just to add and update EventType ACL's. Isn't there a way to create an Event Type and simultaneously set the permissions? It seems to default be set to &lt;EM&gt;[ admin, power ]&lt;/EM&gt;.&lt;/P&gt;

&lt;P&gt;Any advice out there?&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 15:22:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Role-capabilities-to-change-Event-Type-permissions-through-REST/m-p/158801#M32210</guid>
      <dc:creator>dolxor</dc:creator>
      <dc:date>2020-09-28T15:22:48Z</dc:date>
    </item>
    <item>
      <title>Re: Role capabilities to change Event Type permissions through REST api</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Role-capabilities-to-change-Event-Type-permissions-through-REST/m-p/158802#M32211</link>
      <description>&lt;P&gt;In addition to all the roles and the event type, you must have write permission to the parent app.&lt;/P&gt;</description>
      <pubDate>Tue, 17 Dec 2013 21:14:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Role-capabilities-to-change-Event-Type-permissions-through-REST/m-p/158802#M32211</guid>
      <dc:creator>gkanapathy</dc:creator>
      <dc:date>2013-12-17T21:14:08Z</dc:date>
    </item>
    <item>
      <title>Re: Role capabilities to change Event Type permissions through REST api</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Role-capabilities-to-change-Event-Type-permissions-through-REST/m-p/158803#M32212</link>
      <description>&lt;P&gt;Hello. I will try to give RESTUser write to the app.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jan 2014 11:43:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Role-capabilities-to-change-Event-Type-permissions-through-REST/m-p/158803#M32212</guid>
      <dc:creator>dolxor</dc:creator>
      <dc:date>2014-01-24T11:43:52Z</dc:date>
    </item>
  </channel>
</rss>

