Re: Splunk Distributed Management Console read onl...

cafissimo · ‎06-07-2018

Hello,
please I would like to know if and how is possible to define/create a user that has only the capability to navigate through the Splunk Distributed Management Console, without the possibility to make any changes.
The user should not be able to do anything else, other than viewing DMC dashboards: he should be like a "read only" admin.

Thanks in advance and kind regards.

joebisesi · ‎06-07-2018

You can create a new role and via default.meta give that role read access. But for any of the dashboards to populate that role will also need multiple capabilities, including search. That role will also need access to specific indexes. Which, by your request, will not accomplish what you want. I'm sure there would be a way of recreating the DMC dashboards in a custom made app, that would remove any navigation capabilities outside of the dashboards you want the user to see. I have a feeling that may be way more effort than its worth to do that.

The short version is, I don't know a quick solution or even a moderately easy solution. Keep in mind the DMC accesses a lot of data from many sources. Keep in mind for any search to work the user has to have access to search in addition to the indexes that hold the data.

laurencmcminn · ‎06-07-2018

Have you tried using roles to define exactly what the users can do and then grouping them into those roles?
There is more information here about user role capabilities. You should be able to limit what they can do to only allow them to view the DMC dashboards and do nothing else. You can even set the search jobs limit so that they cannot search otherwise.

I hope this helps!

Splunk Distributed Management Console read only user

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup