Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is capability required to avoid authorization error when trying to to access Extractions (Settings>Fields>...) that you just created and saved?

ksoucy
Path Finder
‎05-03-2017 07:30 AM

User receives the following authorization error when trying to access extractions that they just created and saved:
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS//search/properties/app?fillcontents=1

Admin user verifies the extractions exist, and they do work/apply when the user is searching data in Splunk Web. However the user who created and "owns" the extraction can not access the Settings>Fields> section to see them.

Users role capabilities are (paste is from authorize.conf, but roles were created in splunk web):
admin_all_objects = enabled
change_own_password = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
get_metadata = enabled
pattern_detect = enabled
schedule_search = enabled
search = enabled
search_process_config_refresh = enabled
srchIndexesAllowed = lvmv
srchIndexesDefault = lvmv
srchMaxTime = 0

Descriptions of capabilities in Splunk docs are too high level to be of real help.

Reply
1 Solution
Solved! Jump to solution
Solution

ksoucy
Path Finder
‎05-03-2017 10:51 AM

Resolved, by adding one capability at a time and testing (eliminating those capabilities that are obviously not involved - like system-level stuff). Turns out its the "rest_properties_get" capability. I never would have guessed this from the description of the capabilty in the docs: rest_properties_get Can get information from the services/properties endpoint.

View solution in original post

Reply
Solved! Jump to solution
Solution

ksoucy
Path Finder
‎05-03-2017 10:51 AM

Resolved, by adding one capability at a time and testing (eliminating those capabilities that are obviously not involved - like system-level stuff). Turns out its the "rest_properties_get" capability. I never would have guessed this from the description of the capabilty in the docs: rest_properties_get Can get information from the services/properties endpoint.

Reply
Solved! Jump to solution

hhGA
Communicator
‎05-03-2017 08:10 AM

Hi,

Have you tried the edit_sourcetypes capability?

0 Karma
Reply
Solved! Jump to solution

ksoucy
Path Finder
‎05-03-2017 07:31 AM

FYI - users id was removed from the URL posted above, but it appears between the "//"

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...