I am using the latest Splunk ODBC driver (downloaded from https://apps.splunk.com/app/1606/) and the Tableau Desktop versions are 8.2.2 & 8.3. If I logged in as an admin user account (which has the "user" & "power" roles), I could successfully connect to the Splunk instance and list all the "Saved Searches" available. If I logged in as a normal user account (which has only the "user" role), an "Invalid Username or Password" error was produced. This normal user account has access to all non-internal Splunk indexes.
Below are the capabilities of these 2 accounts:
Admin account capabilities:
Normal user account capabilities:
The ONLY difference related to the REST API between the above 2 lists is "restappsmanagement", but I don't see why missing this capability would prevent the normal user account from successfully connecting to the REST API interface and listing all Saved Searches via the Splunk Connector.
Does anyone have any insights about this? Thanks a lot!
I have found the following articles related to my question, but they still don't resolve the issues I had:
The normal user account tried to log in via browser on the following saved search endpoint and could successfully list all saved searches available on the search head:
Same issue here. It all works if I am signed in as Splunk Admin, but I don't want to give Tableau the keys to the kingdom and all the capabilities associated with connecting to Splunk as "Admin". What are the least capabilities I need to associate with a role to make this work?
I ran into this same problem with one of my infosec users wanting access to the RestAPI. I created a new role "restapi" and added his account. The only capability I added to the new role was restappsmanagement and this allowed him to log in to the API successfully.
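The role setup described in the last answer can be checked offline. The script below is an added example, not part of the thread: it resolves each role's effective capabilities through `importRoles` in an `authorize.conf` and lists the roles that end up with the capability the answer names. It assumes the capability is spelled `rest_apps_management` in `authorize.conf` (the thread writes it as "restappsmanagement"); the sample config, the `tableau` and `analyst` roles, and the function names are constructed for illustration.

```python
import configparser

# Constructed sample authorize.conf; role names and capability sets are
# illustrative, not the (missing) capability lists from the thread.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
list_inputs = enabled

[role_power]
importRoles = user
schedule_search = enabled
rest_apps_management = enabled

[role_restapi]
rest_apps_management = enabled

[role_tableau]
importRoles = user;restapi

[role_analyst]
importRoles = user
rest_apps_management = disabled
"""

REQUIRED = "rest_apps_management"  # assumed spelling of "restappsmanagement"

def effective_capabilities(conf_text):
    """Map each role to the capabilities it holds directly or via importRoles."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. importRoles
    parser.read_string(conf_text)
    roles = {s[len("role_"):]: dict(parser[s])
             for s in parser.sections() if s.startswith("role_")}

    def resolve(role, seen):
        if role in seen or role not in roles:  # import cycle or unknown role
            return set()
        caps = {k for k, v in roles[role].items()
                if k != "importRoles" and v.strip().lower() == "enabled"}
        for parent in roles[role].get("importRoles", "").split(";"):
            if parent.strip():
                caps |= resolve(parent.strip(), seen | {role})
        return caps

    return {r: resolve(r, frozenset()) for r in roles}

def roles_with_capability(conf_text, capability=REQUIRED):
    """Roles whose members would hold `capability`, sorted by name."""
    caps = effective_capabilities(conf_text)
    return sorted(r for r, held in caps.items() if capability in held)
```

Comparing a role's effective set against the single required capability shows how much extra access a broader role such as `power` would grant to the connecting account.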