Access error [HTTP 403] Client is not authorized to perform requested action

a1bg503461
Explorer

Hello,

We use Splunk Enterprise 9.3.2 and LDAP integration.

We granted an AD group 90 capabilities in ITSI to cover the above analyst role so they can create correlation searches, episodes and policies but not delete them.

These particular users are getting this error:

(screenshot attached)

Does anyone know why access gets blocked?


PickleRick
SplunkTrust

OK. A stupid question, since I don't know ITSI. But ES has this nasty role configurator in the WebUI, and you cannot just add capabilities to a role using the standard Splunk role settings screen; you have to do it in ES and let the ES "modular input" managing capabilities do its magic. Doesn't ITSI have its equivalent of that? We had similar errors when trying to manage ES capabilities directly, instead of via ES internal mechanisms.


a1bg503461
Explorer

He has them, but there is still an error. Is there anything in the conf files?

accelerate_search
bulk_import_service_or_entity
change_own_password
configure_mltk_container
configure_perms
control_mltk_container
delete_drift_detection_results
delete_itsi_correlation_search
delete_itsi_custom_threshold_windows
delete_itsi_data_integration
delete_itsi_deep_dive
delete_itsi_deep_dive_context
delete_itsi_drift_detection_template
delete_itsi_event_management_export
delete_itsi_event_management_state
delete_itsi_glass_table
delete_itsi_homeview
delete_itsi_kpi_at_info
delete_itsi_kpi_base_search
delete_itsi_kpi_entity_threshold
delete_itsi_kpi_state_cache
delete_itsi_kpi_threshold_template
delete_itsi_notable_aggregation_policy
delete_itsi_notable_event_email_template
delete_itsi_refresh_queue_job
delete_itsi_sandbox_service
delete_itsi_service
delete_itsi_temporary_kpi
delete_maintenance_calendar
delete_module_interface
delete_notable_event
edit_log_alert_event
edit_own_objects
edit_search_schedule_window
edit_sourcetypes
edit_statsd_transforms
edit_token_http
embed_report
entities_at_configurations_get
execute-notable_event_action
execute_notable_event_action
export_results_is_visible
get_drift_detection_kpis
get_drift_detection_results
get_metadata
get_typeahead
input_file
interact_with_itsi_correlation_search
interact_with_itsi_deep_dive
interact_with_itsi_deep_dive_context
interact_with_itsi_event_management_state
interact_with_itsi_glass_table
interact_with_itsi_homeview
interact_with_itsi_notable_aggregation_policy
kpis_at_configurations_get
list_accelerate_search
list_all_objects
list_health
list_inputs
list_metrics_catalog
list_mltk_container
list_search_head_clustering
list_settings
list_storage_passwords
list_tokens_own
metric_alerts
output_file
pattern_detect
read-notable_event
read-notable_event_action
read_itsi_backup_restore
read_itsi_base_service_template
read_itsi_correlation_search
read_itsi_custom_threshold_windows
read_itsi_data_integration
read_itsi_deep_dive
read_itsi_deep_dive_context
read_itsi_drift_detection_template
read_itsi_entity_discovery_searches
read_itsi_entity_management_policies
read_itsi_event_management_export
read_itsi_event_management_state
read_itsi_glass_table
read_itsi_homeview
read_itsi_kpi_at_info
read_itsi_kpi_base_search
read_itsi_kpi_entity_threshold
read_itsi_kpi_state_cache
read_itsi_kpi_threshold_template
read_itsi_notable_aggregation_policy
read_itsi_notable_event_email_template
read_itsi_refresh_queue_job
read_itsi_sandbox
read_itsi_sandbox_service
read_itsi_sandbox_sync_log
read_itsi_service
read_itsi_team
read_itsi_temporary_kpi
read_maintenance_calendar
read_metric_ad
read_module_interface
read_notable_event
read_notable_event_action
request_remote_tok
rest_access_server_endpoints
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
run_collect
run_custom_command
run_dump
run_mcollect
run_msearch
run_sendalert
schedule_rtsearch
schedule_search
search
search_process_config_refresh
upload_lookup_files
upload_onnx_model_file
write-notable_event
write_itsi_correlation_search
write_itsi_custom_threshold_windows
write_itsi_data_integration
write_itsi_deep_dive
write_itsi_deep_dive_context
write_itsi_drift_detection_template
write_itsi_event_management_export
write_itsi_event_management_state
write_itsi_glass_table
write_itsi_homeview
write_itsi_kpi_at_info
write_itsi_kpi_base_search
write_itsi_kpi_entity_threshold
write_itsi_kpi_state_cache
write_itsi_kpi_threshold_template
write_itsi_notable_aggregation_policy
write_itsi_notable_event_email_template
write_itsi_refresh_queue_job
write_itsi_sandbox
write_itsi_sandbox_service
write_itsi_sandbox_sync_log
write_itsi_service
write_itsi_temporary_kpi
write_maintenance_calendar
write_metric_ad
write_module_interface
write_notable_event


livehybrid
SplunkTrust

Hi @a1bg503461

Please can you share the capabilities listed when the user runs: 

|rest /services/authentication/current-context

If they are unable to run this then they are missing the rest_properties_get capability.

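As an added check (example code written for this thread, not Splunk's or ITSI's own tooling), the script below does what the two replies above suggest in combination: it resolves a role's effective capabilities from an authorize.conf stanza, following importRoles inheritance, and compares them with what `| rest /services/authentication/current-context` reports for the live session, measured against the intent stated in the question (create correlation searches, episodes and aggregation policies, but not delete them). A capability that is in the role on paper but missing from the session usually means the LDAP group is mapped to a different role than the one that was edited. The authorize.conf text and the current-context JSON are constructed samples; the mapping of the stated intent to specific capability names, and the entry/content/capabilities shape of the JSON, are this example's assumptions. Note that the capability list posted above does include delete_itsi_correlation_search and other delete_itsi_* capabilities, which an audit of this kind would flag.

```python
"""Audit a Splunk role's effective capabilities against an intended policy.

Added example for this thread (not Splunk's or ITSI's own tooling). It
resolves importRoles chains the way authorize.conf stacks them, then checks
a "create but not delete" intent like the one described in the question.
"""
import configparser
import json

# Constructed sample: an LDAP-mapped analyst role that imports a base role.
SAMPLE_AUTHORIZE_CONF = """\
[role_itsi_readonly]
search = enabled
rest_properties_get = enabled
read_itsi_correlation_search = enabled
read_itsi_notable_aggregation_policy = enabled
read_notable_event = enabled

[role_itsi_analyst]
importRoles = itsi_readonly
write_itsi_correlation_search = enabled
interact_with_itsi_correlation_search = enabled
write_itsi_notable_aggregation_policy = enabled
write_notable_event = enabled
delete_itsi_correlation_search = enabled
"""

# Constructed sample of `| rest /services/authentication/current-context`
# as JSON (output_mode=json). The entry/content/capabilities shape is this
# example's assumption about the endpoint's response. Here the LDAP group
# landed on the read-only role, not the analyst role that was edited.
SAMPLE_CURRENT_CONTEXT = json.dumps({
    "entry": [{"name": "context", "content": {
        "username": "analyst1",
        "roles": ["itsi_readonly"],
        "capabilities": ["search", "rest_properties_get",
                         "read_itsi_correlation_search",
                         "read_itsi_notable_aggregation_policy",
                         "read_notable_event"]}}]})

# Intent stated in the question, mapped to capability names (assumption).
REQUIRED = {"write_itsi_correlation_search",
            "write_itsi_notable_aggregation_policy",
            "write_notable_event", "rest_properties_get"}
FORBIDDEN = {"delete_itsi_correlation_search",
             "delete_itsi_notable_aggregation_policy",
             "delete_notable_event"}


def parse_authorize(text):
    """Return {role_name: {key: value}} from authorize.conf-style text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep importRoles and hyphenated names as written
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}


def effective_capabilities(roles, role, _seen=None):
    """Capabilities granted to `role` plus everything inherited via importRoles."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()  # unknown role or import cycle grants nothing
    _seen.add(role)
    stanza = roles[role]
    caps = {k for k, v in stanza.items() if v.strip().lower() == "enabled"}
    for parent in stanza.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= effective_capabilities(roles, parent.strip(), _seen)
    return caps


def capabilities_from_context(json_text):
    """Capabilities the server actually reports for the logged-in session."""
    doc = json.loads(json_text)
    return set(doc["entry"][0]["content"]["capabilities"])


def audit(caps):
    """Return (missing_required, forbidden_present) for a capability set."""
    return sorted(REQUIRED - caps), sorted(FORBIDDEN & caps)


if __name__ == "__main__":
    roles = parse_authorize(SAMPLE_AUTHORIZE_CONF)
    intended = effective_capabilities(roles, "itsi_analyst")
    actual = capabilities_from_context(SAMPLE_CURRENT_CONTEXT)
    print("role as configured (missing, forbidden):", audit(intended))
    print("session as reported (missing, forbidden):", audit(actual))
    print("granted on paper but absent in session:", sorted(intended - actual))
```

Run it against a real deployment by replacing the two constructed samples with the contents of the role stanza from authorize.conf (btool output is fine) and the JSON returned by the current-context search for an affected user; the third line of output is the one to read first when a 403 appears despite a seemingly complete role.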