Help Please. Splunk 6.6.3 - SHC - search app -> dashboards.
In this environment the production Splunk needs to be read-only.
One of the items that we came across is that users can still create dashboards and embed searches in them to get around the no modification rule.
Now following this in answers
I was able to allow only the admins to see and create dashboards, but the users couldn't see any dashboards, not even those assigned to them.
Keep in mind I'm not a JS coder, but there were no errors, so it was good, right? :-) Modifying the code in Splunk\share\splunk\search_mrsparkle\exposed\js\build\dashboardspage.js also caused errors with the manifest being out of sync.
When I inspect the dashboard page, I can see the code:
<div class="add-dashboard-controls pull-right"> <button class="btn btn-primary add-dashboard">Create New Dashboard</button> </div>
I cannot seem to find which XML file contains this. So, the real question: is there a way to remove the Create New Dashboard button, and if so, which XML file contains it? I have searched through them all, I think, and I cannot find this code in any of the dashboard(x).xml files.
As we will be upgrading to 7.x in the near future (within 6 months), modifying mrsparkle also creates issues, as that code then needs to be maintained across upgrades. There has to be somewhere that we can modify the dashboard to exclude the button and place it in a local directory.
Thanks in advance for any assistance / guidance.
Even if you hide all buttons users that have the permission to search an index can run arbitrary searches on that index. Educate your users instead of attempting to lock them out.
Make sure scheduled searches aren't owned by low-privilege users.
Yes, working on getting all scheduled searches owned by a svc account, not individual users, but there are thousands to go through. It's a process for sure.
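Going through thousands of scheduled searches by hand is the slow part of the cleanup described above. The following is an added example, not code posted in this thread: it parses the JSON shape returned by Splunk's saved/searches REST endpoint and flags scheduled searches that are not owned by a service account or that fire every minute. The service-account allowlist name is assumed, and the sample response is constructed, not captured from a real system.

```python
import json
import urllib.request

SERVICE_ACCOUNTS = {"svc_splunk"}  # assumed allowlist of approved scheduled-search owners


def fetch_saved_searches(base_url, session_key):
    """GET all saved searches as JSON from a live instance (not exercised offline)."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def is_every_minute(cron):
    """True when the minute field is '*' or '*/1', i.e. the search fires every minute."""
    fields = cron.split()
    return bool(fields) and fields[0] in ("*", "*/1")


def audit(response, allowed_owners=SERVICE_ACCOUNTS):
    """Return scheduled searches that are user-owned or run every minute."""
    findings = []
    for entry in response.get("entry", []):
        content = entry.get("content", {})
        # is_scheduled is a JSON bool on newer builds and "1"/"0" on older ones
        if content.get("is_scheduled") not in (True, 1, "1", "true"):
            continue
        acl = entry.get("acl", {})
        owner, cron = acl.get("owner", ""), content.get("cron_schedule", "")
        reasons = []
        if owner not in allowed_owners:
            reasons.append("owner not a service account")
        if is_every_minute(cron):
            reasons.append("runs every minute")
        if reasons:
            findings.append({"name": entry["name"], "app": acl.get("app", ""),
                             "owner": owner, "cron": cron, "reasons": reasons})
    return findings


# Constructed sample response in the endpoint's JSON shape (not from a real system).
SAMPLE_RESPONSE = {"entry": [
    {"name": "Errors per minute", "acl": {"owner": "jdoe", "app": "search"},
     "content": {"is_scheduled": True, "cron_schedule": "* * * * *"}},
    {"name": "Daily summary", "acl": {"owner": "svc_splunk", "app": "search"},
     "content": {"is_scheduled": True, "cron_schedule": "0 6 * * *"}},
    {"name": "Ad hoc panel", "acl": {"owner": "asmith", "app": "search"},
     "content": {"is_scheduled": False, "cron_schedule": ""}},
    {"name": "Queue depth", "acl": {"owner": "svc_splunk", "app": "ops"},
     "content": {"is_scheduled": True, "cron_schedule": "*/1 * * * *"}},
]}
```

Run `audit(SAMPLE_RESPONSE)` to see the two findings; against a live search head, pass the result of `fetch_saved_searches` instead.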
The same applies to creating private dashboards - if you give me a user and connectivity to the Splunk UI or REST ports I'll create a dashboard 🙂
You mentioned scheduling - THAT is easily restrictable because there is a capability for that in authorize.conf:
[capability::schedule_rtsearch]
* Lets a user schedule real time saved searches.
  The schedule_search and rtsearch capabilities must be enabled for the role.

[capability::schedule_search]
* Lets a user schedule saved searches, create and update alerts, and review triggered alert information.
Take that away from your users and they won't be able to schedule things. They shouldn't have it in a look-but-don't-touch scenario anyway.
Yes, agreed, for those that know their way around. We do assign the users to groups and assign those groups their own apps / dashboards; they don't see standard components.
You mention restricting capabilities in authorize.conf; that is a whole different can of worms. We did set schedule_search = disable, but that also prevented them from running scheduled searches, so I have to revisit that one and figure it out as well. Documentation says it applies only to new searches, not to existing scheduled searches. Different topic for a different thread if I can prove that is the problem.
It's not a matter of restricting the search functionality; that is fine, they can search within their index structure. It is more a matter of creating a dashboard that they have locally and scheduling it to run every minute. Initially this system had over 2k searches running every minute, and we are trying to prevent them from getting back to that.
The education part, totally agree: every user is required to complete power user training before getting access to Splunk. They do have the knowledge; there are monthly training sessions and a weekly blog. All of the best practices have been outlined, but there are those that have the mindset that theirs is the most important application of all time, even when you tell them it isn't 🙂
In lieu of the user ignoring what has been said and what they have learned, we try to control what damage they can do in prod, they do have a development and a QA environment in which to test. Prod data is replicated to QA so they have "live" data.
I'm just looking for a method to remove the "Create New Dashboard" button without having to maintain a whole library of changes to also test / install every time an upgrade takes place.