topic Re: controlling access to dashboard and search capability in Splunk Search

controlling access to dashboard and search capability

splunkears — Wed, 18 Sep 2013 15:59:24 GMT

I think this is a typical Splunk use case wherein, we want to give access to users who can only VIEW dashboards but should not query or issue search commands.

I see some documentation on this:
http://docs.splunk.com/Documentation/Splunk/5.0.4/Security/Addmanagementaccesstocustomroles
but, following this, it is still users to fire search queries.

For example, when a user has a access to a dashboard, and then, access the dashboard page, there is a small link called "view results". Upon clicking on view results, it is bring search box screen. How do we just give access to dashboard URLs alone and, no access search UI.

I tried the other approach of creating a new role with no search capability but, it is not allowing the user to view dashboards.

thanks..

Re: controlling access to dashboard and search capability

sowings — Wed, 18 Sep 2013 17:33:51 GMT

I've done this by hiding (using CSS) the "View results" link. Admittedly, it's a bit of a kludge, but at least stops the specific pain point.

You might also consider disallowing general users to the main "searchbar views". These are typically dashboard_live and flashtimeline; they live in the "search" app.

The CSS I used to hide those results is below. It would go into a file called 'application.css' in the appserver/static subdir of whatever app contains your dashboards.

/* Don't show the "View results" footer */ .ViewRedirectorLink { display: none !important; }

Re: controlling access to dashboard and search capability

somesoni2 — Wed, 18 Sep 2013 18:39:09 GMT

I have tried following and its working fine for me.

Create a Role, say dashboardUser. Set the default app and capabilities similar to "user" role. Assign this role to all the users which should just access dashboards and should not perform explicit search/query
go to "User Interface>>Views"
Uncheck "Show only objects created in this app context". this should show you all the views with Global permission. Specifically flashtimeline and dashboard_live view.
change the permission for Read from "Everyone" to all the necessary roles excluding dashboard user.

THis should restrict the access to flashtimeline (screen to which generally people search). Repeat the same for all the views which provide direct search.

Re: controlling access to dashboard and search capability

splunkears — Mon, 28 Sep 2020 14:48:19 GMT

Hi,
Thank you so much. Could you please clarify on - "..capabilities similar to "user" role.."

Does this mean, create a new role and use Inheritance (from Manager/ACL/Roles) from role "User" (under selected column, in the UI).
Or should I create a new role with all the all the capabilities similar to user - meaning the following cap.s

change_own_password
get_metadata
get_typeahead
input_file
list_inputs
output_file
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
search

Note that there is a capability - search include this..in the new role.?

Re: controlling access to dashboard and search capability

somesoni2 — Wed, 18 Sep 2013 19:07:36 GMT

YOu should create a new role with all capabilities similar to user.
The capability search is required otherwise the dashboards searches also will not work.

Re: controlling access to dashboard and search capability

splunkears — Mon, 28 Sep 2020 14:48:28 GMT

I tried exactly the same steps as you mentioned. My test userID gets 404 - with a message - " Splunk Cannot find the ...name_of_my_dash.. view - message - while accessing dashboard URL.

It seems like Search and Dashboard capabilities are tightly coupled. Either both are on or both are off 😞

Re: controlling access to dashboard and search capability

somesoni2 — Mon, 28 Sep 2020 14:48:54 GMT

As part of step , did you change the permission for "name_of_my_dashboard" as well to exclude dashboarduser?? we should exclude only for flashtimeline and dashboard_live. ALso for any view that you have created which provides search bar. Your normal dashboards (which contains links 'View Result') should be made accessible.

Re: controlling access to dashboard and search capability

splunkears — Thu, 19 Sep 2013 19:32:09 GMT

Thanks for the hint. My dashboard was with default permission for role user. I've added the new role too, in the permission list, for this dash. And hence, it works now 🙂
The test user is able to access dashboard. And he is not able to access search / flashtimeline as expected.

Re: controlling access to dashboard and search capability

rogerhu — Tue, 24 Dec 2013 16:37:11 GMT

The problem is that Splunk creates a default navigation menu for your new app. This default navigation menu is stored as the dashboards view inside the search app. The problem is that if you deny access to this app, then trying to view this dashboard will 404.

<nav search_view="search" color="#65A637"> <view name="dashboards" /> </nav> You need to do two things:

Delete the search_view= parameter.
Create the views that reference dashboards inside your dashboard_role only. Since you are restricting access to this view, you can no longer render what views are available dynamically.

For more info about customizing the navigation menu, see http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/BuildNavigation

Re: controlling access to dashboard and search capability

rogerhu — Tue, 24 Dec 2013 16:56:05 GMT

One other thing I noticed is that Splunk v6.0 does not appear to honor global permissions for your custom commands and macros if you restricting access to the search app. For instance, the gauge command is considered an advanced command and restricting access to the search app prevents the gauge command from being used.

The same problem happen for macros created in the search app. Without access to the search app, the global permissions seem to get ignored.

Re: controlling access to dashboard and search capability

splunk47 — Mon, 28 Sep 2020 18:46:07 GMT

You need to do two things:

1.Delete the search_view= parameter.
2.Create the views that reference dashboards inside your dashboard_role only. Since you are restricting access to this view, you can no longer render what views are available dynamically ??? kindly explain this two stpes