I am trying to create a user account that can access one and only one app and only view some dashboards within that app. Nothing else.
What I have done so far:
1. Created a custom app called myapps
2. Published some dashboards within that app
3. Created a custom role called "dashboard_role"
4. Allowed the capabilities that are allowed in the user role defined in the system. I am not comfortable with the same privileges as the user role.
5. Created a user called dashboard_user, put this user in dashboard_role, and set the default app to myapps
6. Allowed dashboard_user read permission to myapps and "Search & Reporting" from manage permissions in apps.
7. Specified dashboards within this app have everyone read permission
I have two questions:
The minimum capabilities required for a dashboard user are rest_properties_get (without which they can't even launch the home screen) and search (every dashboard in turn runs a search, so it is needed).
If a user has these two capabilities and access to a default app, you can remove access to the "Search and Reporting" app. [Just tested the same]
Regarding the 404 error mentioned, either the default app is not set or it was trying to launch the "Search and Reporting" app, maybe because it was on that app and logged out (this is where the permission was changed) and when logged back in, it will try to take you to the same screen. You should see the error message for more details.
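As an added example (not part of the original thread and not Splunk's own code), this Python check resolves a role's effective capabilities from authorize.conf, including those inherited through importRoles, and compares them with the two minimum capabilities named above. The sample configuration and the role name dashboard_min are constructed for illustration.

```python
import configparser

# Minimum capabilities named in the answer above.
MINIMUM = {"rest_properties_get", "search"}
# Constructed sample authorize.conf (not from the thread).
SAMPLE_CONF = """
[role_user]
search = enabled
rest_properties_get = enabled
schedule_search = enabled
change_own_password = enabled
srchIndexesAllowed = *

[role_dashboard_role]
importRoles = user
search = enabled
rest_properties_get = enabled

[role_dashboard_min]
search = enabled
rest_properties_get = enabled
"""

def load_roles(text):
    """Return {role_name: settings} for every [role_*] stanza."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case, e.g. importRoles
    parser.read_string(text)
    return {s[len("role_"):]: dict(parser[s]) for s in parser.sections() if s.startswith("role_")}

def effective_capabilities(roles, name, seen=None):
    """Capabilities enabled on a role plus those inherited via importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # guard against import loops
        return set()
    seen.add(name)
    settings = roles[name]
    caps = {k for k, v in settings.items() if v.strip().lower() == "enabled"}
    for parent in settings.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= effective_capabilities(roles, parent.strip(), seen)
    return caps

def audit(roles, name):
    """List minimum capabilities the role lacks and any it has beyond them."""
    caps = effective_capabilities(roles, name)
    return {"missing": sorted(MINIMUM - caps), "excess": sorted(caps - MINIMUM)}

if __name__ == "__main__":
    print(audit(load_roles(SAMPLE_CONF), "dashboard_role"))
```

A role that lists only the two capabilities but still imports the user role shows the inherited ones under "excess".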
Thank you for your response.
OK, I have removed all the capabilities except the two you mentioned. I can log in as dashboard_user as long as the dashboard_role has access to "Search & Reporting". The moment I take the permission out for the above role from "Search & Reporting", the user cannot log in anymore. Error message "404 not found" and "Splunk cannot find the 'dashboards' view"
I noticed that even with only two capabilities dashboard_user (when allowed access in search & reporting, without which user cannot login) was able to create a new dashboard, which I certainly do not want for this user.
search, and probably the rest_properties_get capabilities. The remainder may or may not be needed by your dashboard, I don't know. You can read about capabilities here: http://docs.splunk.com/Documentation/Splunk/latest/admin/authorizeconf
Thank you for responding to my post.
My intention is to restrict the dashboard_user from anything other than the exclusively permitted dashboards, not even any additional searches.
For example, simple search strings for two of my panels in the dashboard:
sourcetype=cisco_wsa_squid | eval download=sc_bytes/1024/1024 | stats sum(download) by host
eventtype=ironport_proxy | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by "Display Name" | sort limit=10 max(MegaByte) desc
How can I achieve this?
The default app for the role is already "myapps" and myapps has everyone read permission.