Dashboards & Visualizations

UserA (power role) can delete a knowledge object which he hasn't created, without having write permission to the knowledge object itself.

kinaba_splunk
Splunk Employee

UserA (power role) can delete a knowledge object which he hasn't created, without having write permission to the knowledge object itself.
The scenario is that UserB (for example, Admin role) creates the knowledge object. Then, UserB doesn't want UserA (power role) to delete it.
That is why I check off Write permission for the power role on the knowledge object.

The steps are below.

1. Create a dashboard named [test] as UserB [admin].
   *Create it in the [Search & Reporting] app, and choose permission [App] or [All apps].
2. In the list screen of dashboards, push the [Edit] button of [test].
3. Open [Edit Permissions], add [read] permission to everyone, and add [write] permission to only UserB [admin].
4. Log in as UserA [power role], who has only the [power] role, and push the [Edit] button of [test] in the list screen of dashboards.
5. Then you will find that you can choose [Delete].

Based on the manual below, NOT ONLY write permission for the app to which the knowledge object belongs BUT ALSO write permission to the knowledge object itself is needed to delete it. In this scenario, UserB should not delete it.

The manual says the following.
Disable or delete knowledge objects
To delete any other knowledge object, your role must have write permissions for the app to which the knowledge object belongs and the knowledge object itself.

http://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Disableordeleteknowledgeobjects

Could you tell me why?

0 Karma
1 Solution

kinaba_splunk
Splunk Employee

Write permission to a knowledge object gives only the capability to modify the knowledge object (it doesn't mean delete capability).
In other words, in order to delete an object from a container (app), the current user must have write permissions on the container (app). This is as designed.

Workaround:
There is no reasonable workaround to stop a user from deleting a knowledge object, even though he hasn't created it, as long as he has write permission on the app the object belongs to.
(In the scenario, if you remove the [power] role's write permission from [Search & Report], UserB can't delete it any more.
But at the same time, UserB can't edit the object which he creates. So, it may be inconvenient.)
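
Since the answer above ties deletion to write permission on the app, one way to audit for it is to compare the app-level ACL with each object's ACL. This Python sketch is an added example, not part of the original thread or Splunk's own code; it assumes the ACLs are read from the app's `metadata/local.meta` in its `access = read : [ ... ], write : [ ... ]` form, and the sample stanzas, the saved search name and the function names are constructed for illustration.

```python
import re

# Constructed sample of an app's metadata/local.meta (not taken from the thread).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin, power ]

[views/test]
access = read : [ * ], write : [ admin ]
owner = UserB

[savedsearches/Nightly%20report]
access = read : [ * ], write : [ admin, power ]
owner = UserB
"""

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Return {stanza: {"read": set, "write": set}}; "" is the app-level stanza."""
    acl, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza is not None and line.split("=")[0].strip() == "access":
            # Only stanzas with an explicit access line are recorded.
            perms = acl.setdefault(stanza, {"read": set(), "write": set()})
            for perm, roles in ACCESS_RE.findall(line.split("=", 1)[1]):
                perms[perm] = {r.strip() for r in roles.split(",") if r.strip()}
    return acl

def delete_without_object_write(text):
    """Map each object to the roles holding app write but not object write."""
    acl = parse_meta(text)
    app_write = acl.get("", {}).get("write", set())
    findings = {}
    for stanza, perms in acl.items():
        # Skip the app-level and type-level stanzas and world-writable objects.
        if "/" not in stanza or "*" in perms["write"]:
            continue
        extra = app_write - perms["write"]
        if extra:
            findings[stanza] = sorted(extra)
    return findings

if __name__ == "__main__":
    for obj, roles in delete_without_object_write(SAMPLE_META).items():
        print(f"{obj}: deletable via app write by {roles}")
```

Each object it reports is one that the listed roles cannot edit but, per the answer above, can still delete because they hold write permission on the app.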
