Deployment Architecture

What is capability required to avoid authorization error when trying to to access Extractions (Settings>Fields>...) that you just created and saved?

ksoucy
Path Finder

User receives the following authorization error when trying to access extractions that they just created and saved:
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS//search/properties/app?fillcontents=1

Admin user verifies the extractions exist, and they do work/apply when the user is searching data in Splunk Web. However the user who created and "owns" the extraction can not access the Settings>Fields> section to see them.

Users role capabilities are (paste is from authorize.conf, but roles were created in splunk web):
admin_all_objects = enabled
change_own_password = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
get_metadata = enabled
pattern_detect = enabled
schedule_search = enabled
search = enabled
search_process_config_refresh = enabled
srchIndexesAllowed = lvmv
srchIndexesDefault = lvmv
srchMaxTime = 0

Descriptions of capabilities in Splunk docs are too high level to be of real help.

1 Solution

ksoucy
Path Finder

Resolved, by adding one capability at a time and testing (eliminating those capabilities that are obviously not involved - like system-level stuff). Turns out its the "rest_properties_get" capability. I never would have guessed this from the description of the capabilty in the docs: rest_properties_get Can get information from the services/properties endpoint.

View solution in original post

ksoucy
Path Finder

Resolved, by adding one capability at a time and testing (eliminating those capabilities that are obviously not involved - like system-level stuff). Turns out its the "rest_properties_get" capability. I never would have guessed this from the description of the capabilty in the docs: rest_properties_get Can get information from the services/properties endpoint.

hhGA
Communicator

Hi,

Have you tried the edit_sourcetypes capability?

0 Karma

ksoucy
Path Finder

FYI - users id was removed from the URL posted above, but it appears between the "//"

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...