Getting Data In

How to change permissions for a job through the REST API/Python SDK?

Path Finder

I am doing some automation in which I am running some searches through the API, and if any results are found, it emails the link to the job to some users. Everything works as desired except for the fact that, by default, jobs are private so the users do not have access. Is there anyway to programatically change the read permissions to everyone for a job?

Thanks

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Here are a couple ideas from my colleagues:

Go into the UI and change a search job permissions (either “share” or “extend job lifetime”) and then check splunkdrestaccess.log around the same time (index=internal source= splunkdrest_access.log) and see how the UI uses REST to make the change. Splunk Web is simply a front end for the REST API, so if it can be done there it can be done in the API – the trick is seeing how the UI does it (which that search should help you with).

You can also just try to modify the eai:acl.perms.read, eai:acl.perms.write, or eai:acl.sharing properties via a /services/search/jobs/{search_id} POST

Please let us know if either of these lead you to the answer.

View solution in original post

Ultra Champion

I think the answer is at EAI response data cause there's a sharing parameter. Other than that, I thought it was possible to change permissions but done in the same way as any other Knowledge Object and not specific to searches...if that helps.

Splunk Employee
Splunk Employee

Here are a couple ideas from my colleagues:

Go into the UI and change a search job permissions (either “share” or “extend job lifetime”) and then check splunkdrestaccess.log around the same time (index=internal source= splunkdrest_access.log) and see how the UI uses REST to make the change. Splunk Web is simply a front end for the REST API, so if it can be done there it can be done in the API – the trick is seeing how the UI does it (which that search should help you with).

You can also just try to modify the eai:acl.perms.read, eai:acl.perms.write, or eai:acl.sharing properties via a /services/search/jobs/{search_id} POST

Please let us know if either of these lead you to the answer.

View solution in original post

Path Finder

You and @SloshBurch both hit it. I was able to hit https://myserver:8089/services/search/jobs/search_id/acl with a payload of:
perms.read: *
sharing: global

That seemed to do the trick.

Thanks!

0 Karma

Splunk Employee
Splunk Employee

Sorry, splunkd_access will show you the REST calls

0 Karma

Path Finder

Does anything special have to be done to enable logging into the splunkdrestaccess.log? I cannot find it. I have searched the _internal index as well as looked in /opt/splunk/var/log/splunk/ on our search head.
Thanks

0 Karma