Archive

Review roles for unnecessary read or write access?

mtupper
New Member

I am receiving a Health Check warning regarding the roles and responsibilities for our "investigative_canvas" in Enterprise Security. I have referred to the URL below initially. I do not see any problems with the below stanza. Am I missing something?

[collections/investigative_canvas]
access = read : [ ess_analyst ], write : [ admin ]
export = system
owner = nobody
version = 6.6.2
modtime = 1508440201.516152100

https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Troubleshoothealthcheck

Tags (1)
0 Karma

integratorz
Path Finder

@mtupper after looking at the link you are talking about, I realized the problem lies in the fact that the ess_analyst has access to this collection. It is recommended that only admins have access to these collections.

0 Karma

integratorz
Path Finder

whats the actual error your seeing?

0 Karma

mtupper
New Member

My mistake should have added that.

"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible."

We only recently began receiving these errors after moving our environment from an on-prem solution to the cloud. We did a fresh install of ES, a clone did not work on at the time.

0 Karma

mtupper
New Member

EDIT: The error is not for "investigative_event" but for "investigative_canvas"

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!