topic Re: Role based access control for developers to only view the dashboards in Dashboards & Visualizations

Role based access control for developers to only view the dashboards

shreerajShetty — Tue, 03 Dec 2024 07:42:40 GMT

Im trying to create a role for a developer in our organization where the developer is only allowed to view the dashboard which is created by the admin or the person who has edit_own_objects capablity attached to his role....

when I created a role for developer which has the below capablities attached to its role:

capabilities = [

"search",

"list_all_objects",

"rest_properties_get",

"embed_report"

]

Now when I login as a developer and when I try viewing the dashboards its visible and its in read mode only but the developer can create new dashboards also which shouldnt be allowed.

How can i restrict developer from creating a new dashboard?

And also automatically the below capablities gets added to the role along with the ones which ive specified above:

run_collect

run_mcollect

schedule_rtsearch

edit_own_objects

Ive also given read access in the specific dashboard permissions setting for the developers role only..

Re: Role based access control for developers to only view the dashboards

dural_yyz — Tue, 03 Dec 2024 15:19:10 GMT

Check what roles are inherited like "user" which would carry up the ability to create a dashboard. Please check which version you have, I believe in version 9.3.x you should look for this.

[capability::edit_view_html] * Lets a user create, edit, or otherwise modify HTML-based views.

https://docs.splunk.com/Documentation/Splunk/9.3.0/Admin/authorizeconf

Re: Role based access control for developers to only view the dashboards

shreerajShetty — Wed, 04 Dec 2024 09:01:54 GMT

Thanks @dural_yyz..
But my user has a role which doesnt have the edit_view_html capablity. But still he's able to create dashboard.

Re: Role based access control for developers to only view the dashboards

dural_yyz — Wed, 04 Dec 2024 12:43:24 GMT

| rest splunk_server=local /services/authorization/roles | rename title as role | table role capabilities imported_capabilities imported_roles

Sorry to belabor this point but I'm not certain you have answered my question. Does the role import another role which has the setting? The above REST call on the Search Head the user is assigned will tell you the exact information.

If you have already checked and no stray imports are occurring then my apologies for keeping after this point. I've reviewed the documentation on capabilities and just can't find anything that would explain the user behavior.