Hello there,
I am having issues with a deployment in which, when using a non-admin role for a user and searching with, let's say, the Search app, I get the following output:
• The limit has been reached for log messages in info.csv. 69 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
• [idx-i-1] The lookup table 'app_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'app_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:hipmatch'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'endpoint_actions_lookup' does not exist. It is referenced by configuration 'pan:endpoint'.
• [idx-i-1] The lookup table 'endpoint_severity_lookup' does not exist. It is referenced by configuration 'pan:endpoint'.
• [idx-i-1] The lookup table 'pan_vendor_action_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'pan_vendor_action_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:aperture'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:config'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:hipmatch'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:system'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'sanctioned_saas_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'sanctioned_saas_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
Does anyone know what this is related to?
Assuming you're using the same search head for both the admin and non-admin searches, I would recommend checking the permissions on the lookup tables referenced in the above errors. My guess is that the read permissions on those lookup tables are restricted to admin only, which makes the non-admin user run into errors. It's also worth checking the permissions on the underlying lookup files those tables are using as well, but I believe that those errors are related to the tables themselves.
Hey qi3ber,
I just checked and adjusted the "Lookup table files" and "Lookup definitions", and they had permissions assigned to only the app, not everyone as required.
That did the job, although it seems that the permissions were not cascaded down to the objects when I assigned the read permission to the app itself (this is the Splunk_TA_paloalto, through "Manage Apps"). Is this the normal behaviour?
Thanks!
M.
Palo Alto App version: 6.0.1 / Splunk_TA_paloalto: 6.0.2
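An added example, not part of the thread or of the add-on's own code: a small audit of an app's `metadata/local.meta` for the two conditions discussed above, namely whether a role can read each lookup file or lookup definition, and whether the object is shared beyond its app. The sample content and the file name `app_list.csv` are constructed, and inheritance is simplified to "the most specific stanza wins".

```python
import re

# Constructed local.meta content (app_list.csv is a made-up file name).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system
[transforms/app_lookup]
access = read : [ admin ], write : [ admin ]
export = none
[lookups/app_list.csv]
export = none
[transforms/classification_lookup]
export = system
"""

def parse_meta(text):
    """Parse .meta text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(access):
    """Extract the role names from the read list of an access value."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access or "")
    return {r.strip() for r in m.group(1).split(",")} - {""} if m else set()

def audit_lookups(text, role):
    """List lookup files/definitions the role cannot read or that stay app-private."""
    stanzas, findings = parse_meta(text), []
    for name, own in stanzas.items():
        kind, _, obj = name.partition("/")
        if kind not in ("lookups", "transforms") or not obj:
            continue
        # Assumption: most specific stanza wins ([] < [kind] < [kind/object]).
        eff = {**stanzas.get("", {}), **stanzas.get(kind, {}), **own}
        problems = []
        if eff.get("export") != "system":
            problems.append("not shared globally")
        if not read_roles(eff.get("access")) & {"*", role}:
            problems.append("no read access for " + role)
        if problems:
            findings.append((name, problems))
    return findings
```

Calling `audit_lookups(SAMPLE_META, "user")` flags both the definition and the file that are still private to the app, which is the state described in the last post before the permissions were changed.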