I have users with the user and alert_manager roles.
They have these capabilities:
accelerate_search
change_own_password
edit_tcp
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
schedule_search
search
but if they make alerts with the actions Send email, Add to Triggered Alerts and Alert Manager, only Send email and Add to Triggered Alerts work. Alert Manager doesn't display the alert. But if I add the capability admin_all_objects, the alert displays in Incident Posture.
I don't want to grant that capability; is there some other way?
Hi Panssa
Unfortunately, as of today, it only works by granting admin_all_objects to a user to make the Alert Manager work. We are working on a solution to this issue.
Update:
As a workaround, create a user just for scheduling the alerts and assign the saved searches (alerts) to this user, which has admin_all_objects. Users who only view the Alert Manager don't need "admin_all_objects".
Sorry for not having better news,
Simon
Hi Panssa
I've got an update for you. I've figured out how to schedule an alert as a non-admin and have incidents created.
The minimum required capabilities (besides everything from the 'user' role) are:
edit_tcp
list_settings
schedule_search
Within the next release (no ETA yet) of the Alert Manager, the 'alert_manager' role will contain those capabilities.
Also, it requires a slight modification to a Python library in the Alert Manager (NotificationHandler.py); see the latest commit on GitHub:
https://github.com/simcen/alert_manager/commit/e975ee4fdf38eea4584a7110c9735af297c0c253
You can download the latest version of the file (https://raw.githubusercontent.com/simcen/alert_manager/e975ee4fdf38eea4584a7110c9735af297c0c253/bin/...) and replace it in $SPLUNK_HOME/etc/apps/alert_manager/bin/lib/NotificationHandler.py
Let me know if you have any questions.
Thanks,
Simon
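To check that a role really ends up with the three capabilities above without inheriting admin_all_objects, here is an added example (not part of this thread or of the Alert Manager app) that parses authorize.conf role stanzas, resolves importRoles inheritance, and reports what is missing and whether admin_all_objects is effective. The sample configuration inside it is constructed for illustration; the role names are assumptions.

```python
import configparser

# Constructed sample authorize.conf (not from the page or the app): Splunk role
# stanzas are [role_<name>], importRoles lists parent roles separated by ';',
# and a capability is granted with '<capability> = enabled'.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
change_own_password = enabled
search = enabled

[role_alert_manager]
importRoles = user
edit_tcp = enabled
list_settings = enabled
schedule_search = enabled

[role_am_overprivileged]
importRoles = alert_manager
admin_all_objects = enabled
"""

# Minimum capabilities named in the answer for scheduling alerts that
# create incidents (on top of everything in the 'user' role).
MINIMUM_SCHEDULER_CAPS = {"edit_tcp", "list_settings", "schedule_search"}


def parse_roles(conf_text):
    """Return {role_name: {key: value}} for every [role_*] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep capability names case-sensitive
    parser.read_string(conf_text)
    return {s[5:]: dict(parser[s]) for s in parser.sections() if s.startswith("role_")}


def effective_capabilities(roles, role, _seen=None):
    """Capabilities of `role` including those inherited through importRoles."""
    _seen = set() if _seen is None else _seen
    if role in _seen or role not in roles:
        return set()  # unknown role, or an import cycle: contribute nothing
    _seen.add(role)
    stanza = roles[role]
    caps = {k for k, v in stanza.items() if k != "importRoles" and v == "enabled"}
    for parent in stanza.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= effective_capabilities(roles, parent.strip(), _seen)
    return caps


def check_role(roles, role):
    """Return (missing minimum caps, True if admin_all_objects is effective)."""
    caps = effective_capabilities(roles, role)
    return MINIMUM_SCHEDULER_CAPS - caps, "admin_all_objects" in caps
```

Run it against the output of `splunk btool authorize list` on a real instance to see which roles still pick up admin_all_objects through inheritance.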