Dashboards & Visualizations

After removing permission dashboard_role from "Search & Reporting", why do users get Error Message 404 trying to view a custom app (template sample app)?

nikkkc
Path Finder

I have almost the same problem as the user on the following post:
https://answers.splunk.com/answers/111356/restrict-user-to-view-only-specified-dashboards-in-one-app...

I did nearly the same steps to build a custom app (I used the template sample app). I built specific Dashboards for a "normal" User.
Everything is working perfectly as long as I leave the role for "search & reporting" in the user group, but if I remove the permission dashboard_role from "search & Reporting", user gets error message http 404.

I want to mention that I have a few apps with role permissions and they work fine. I copied all the capabilities from the standard user role. Additionally, I checked the View permissions, Settings>>User Interface. The view for search is read Everyone.

Can someone help me please,
thanks in advance

In the webservice.log, there is the following entry:

WARNING [56829eda99aa94851240] appnav:379 - An unknown view name "dashboards" is referenced in the navigation definition for "Custom_Dashboard_App".
INFO    [56829eda99aa94851240] error:129 - Masking the original 404 message: 'Splunk cannot find the  "dashboards" view.' with 'Page not found!' for security reasons
0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

There are too many features, commands, etc that depend on the search and reporting app for you to just arbitrarily disable it for specific users. Somewhere in the documentation it mentions that ALL USERS MUST have access to the searching & reporting app, but I cant find a link to point you to.

Of course you'll find many people who have "made" this work, but I'm certain they ran into issues they havent mentioned in their threads where the "made" it work.

Here's just one issue that arises without access to search and reporting app:
https://answers.splunk.com/answers/316335/how-users-without-read-permission-on-search-app-ca.html

In short... DO NOT DISABLE THE SEARCH AND REPORTING APPLICATION FOR ANYONE.

Making it invisible also has unintended consequences because you cant just make it invisible to specific users and many of the administrative menus are in the search and reporting app. You could reverse engineer the entire app... looking over all the code to ensure you update file system paths, etc. You'll first end up with duplicate entries in your administrative menus. To fix that you'll have to remove the navigational settings from the app the users can see, but leave the commands in /bin... and then remove the commands from the admin app but leave the navigational & html / view settings etc. It can be done, but it will not be supported by splunk. You'll in effect ruin any possibility of a "seamless" upgrade path and probably not get any support from Splunk.

View solution in original post

jkat54
SplunkTrust
SplunkTrust

There are too many features, commands, etc that depend on the search and reporting app for you to just arbitrarily disable it for specific users. Somewhere in the documentation it mentions that ALL USERS MUST have access to the searching & reporting app, but I cant find a link to point you to.

Of course you'll find many people who have "made" this work, but I'm certain they ran into issues they havent mentioned in their threads where the "made" it work.

Here's just one issue that arises without access to search and reporting app:
https://answers.splunk.com/answers/316335/how-users-without-read-permission-on-search-app-ca.html

In short... DO NOT DISABLE THE SEARCH AND REPORTING APPLICATION FOR ANYONE.

Making it invisible also has unintended consequences because you cant just make it invisible to specific users and many of the administrative menus are in the search and reporting app. You could reverse engineer the entire app... looking over all the code to ensure you update file system paths, etc. You'll first end up with duplicate entries in your administrative menus. To fix that you'll have to remove the navigational settings from the app the users can see, but leave the commands in /bin... and then remove the commands from the admin app but leave the navigational & html / view settings etc. It can be done, but it will not be supported by splunk. You'll in effect ruin any possibility of a "seamless" upgrade path and probably not get any support from Splunk.

nikkkc
Path Finder

Ok is it possible to make it unvisible for a specific usergroup?

0 Karma

jkat54
SplunkTrust
SplunkTrust

It's certainly possible, but it will cause unintended consequences. If you just remove read & write access to a specific role, then users in that specific role will not see it any more. They might also have unintended difficulties such as some commands not working, menus not available etc.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...