Solved: How can I remove all Power role 'write' privileges...

paimonsoror · ‎07-12-2017

Not sure if this is normal, but I noticed that all Power role users have write access to all lookup files. Is there a capability that i have included that is doing that?

Power Group:
Imports user
capabilities: edit_sourcetypes, embed_report, schedule_search, search_process_config_refresh.

I am looking to make the lookup editor available to users so that they can modify their own lookup tables, but i noticed that power users can edit all lookups including the bundled splunk ones 😮

sbbadri · ‎07-12-2017

Try this,

$SPLUNK_HOME/etc/apps/your_app/metadata/default.meta add below lines

LOOKUPS

[lookups]
export = system
access = read : [ * ], write : [ admin, required_role ]

View solution in original post

sbbadri · ‎07-12-2017

Try this,

$SPLUNK_HOME/etc/apps/your_app/metadata/default.meta add below lines

LOOKUPS

[lookups]
export = system
access = read : [ * ], write : [ admin, required_role ]

paimonsoror · ‎07-12-2017

Ah ok, makes sense, thought maybe I accidentally included a capability. Thanks!

How can I remove all Power role 'write' privileges from all lookup files

LOOKUPS

LOOKUPS

BSides Splunk 2022 - The Call for Papers is now Open!

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

What's New in Splunk Cloud Platform 9.0.2208?!