Getting Data In

How to change permissions for a job through the REST API/Python SDK?

chrishartsock
Path Finder

I am doing some automation in which I am running some searches through the API, and if any results are found, it emails the link to the job to some users. Everything works as desired except for the fact that, by default, jobs are private so the users do not have access. Is there anyway to programatically change the read permissions to everyone for a job?

Thanks

0 Karma
1 Solution

adauria_splunk
Splunk Employee
Splunk Employee

Here are a couple ideas from my colleagues:

Go into the UI and change a search job permissions (either “share” or “extend job lifetime”) and then check splunkd_rest_access.log around the same time (index=_internal source= splunkd_rest_access.log) and see how the UI uses REST to make the change. Splunk Web is simply a front end for the REST API, so if it can be done there it can be done in the API – the trick is seeing how the UI does it (which that search should help you with).

You can also just try to modify the eai:acl.perms.read, eai:acl.perms.write, or eai:acl.sharing properties via a /services/search/jobs/{search_id} POST

Please let us know if either of these lead you to the answer.

View solution in original post

sloshburch
Splunk Employee
Splunk Employee

I think the answer is at EAI response data cause there's a sharing parameter. Other than that, I thought it was possible to change permissions but done in the same way as any other Knowledge Object and not specific to searches...if that helps.

adauria_splunk
Splunk Employee
Splunk Employee

Here are a couple ideas from my colleagues:

Go into the UI and change a search job permissions (either “share” or “extend job lifetime”) and then check splunkd_rest_access.log around the same time (index=_internal source= splunkd_rest_access.log) and see how the UI uses REST to make the change. Splunk Web is simply a front end for the REST API, so if it can be done there it can be done in the API – the trick is seeing how the UI does it (which that search should help you with).

You can also just try to modify the eai:acl.perms.read, eai:acl.perms.write, or eai:acl.sharing properties via a /services/search/jobs/{search_id} POST

Please let us know if either of these lead you to the answer.

chrishartsock
Path Finder

You and @SloshBurch both hit it. I was able to hit https://myserver:8089/services/search/jobs/search_id/acl with a payload of:
perms.read: *
sharing: global

That seemed to do the trick.

Thanks!

0 Karma

adauria_splunk
Splunk Employee
Splunk Employee

Sorry, splunkd_access will show you the REST calls

0 Karma

chrishartsock
Path Finder

Does anything special have to be done to enable logging into the splunkd_rest_access.log? I cannot find it. I have searched the _internal index as well as looked in /opt/splunk/var/log/splunk/ on our search head.
Thanks

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...