Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I create an admin role that doesn't have access to delete_by_keyword?

tchimento
New Member
‎11-30-2018 03:36 PM

There are regulatory guidelines for some institutions, such as banks, that put strict limits on the option to delete data. I need to have that limit.

0 Karma
Reply

tchimento
New Member
‎11-30-2018 03:37 PM

In the Web UI under Settings > Access controls > Roles > New Role, create a role called subadmin [or name of your choice]. In the Capabilities section select ‘add all’ in the Available capabilities.

Next, under the Selected capabilities panel remove:

• delete_by_keyword
• edit_roles

If there are any other capabilities you want to remove from the subadmin role, return them to the Available capabilities panel.

Edit the $SPLUNK_HOME/etc/system/local/authorize.conf file [DO NOT change the $SPLUNK_HOME/etc/system/default/authorize.conf] by adding this entry under the [role_subadmin]:

[role_subadmin]
grantableRoles = subadmin

Save the changes, go back to Access controls > Authentication method and select the ‘Reload authentication configuration’. This will read the Authorize.conf file and apply the changes above.

Assign all the admins to this new role (subadmin) who should not have the ability delete data or to let anyone else delete data. These users will not have that option [delete_by_keyword] in their list of capabilities, nor will they have the role ‘can_delete’.

0 Karma
Reply

tchimento
New Member
‎11-30-2018 03:40 PM

Also note that you MUST keep edit_grantable_roles in the new admin account. That replaces the edit_roles that was disabled/unselected.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...