Getting Data In

Is it possible to run an inputlookup command to a kvstore/CSV that has permissions only for that app?

joao_amorim
Communicator

Is it possible to run an inputlookup command to a kvstore that has permissions only for that app, outside that same app?

What I want to know is, if there are some admin privileges that can be used to make a kvstore available outside its app when it has permissions only for that app.

I was trying to find a way to do that, but until now I haven't succeeded.

If that's not possible, do you know if there are some rest endpoints that I can use to recursively iterate through every app and call an inputlookup inside that app to retrieve it's csv's or kvstores?

Thanks in advance

0 Karma
1 Solution

s2_splunk
Splunk Employee
Splunk Employee

Splunk permissions exist to prevent exactly that. Any knowledge object scoped to an app context can only be accessed from within that app context, by users who are authorized to use that app context. Or by an administrator, obviously.
The REST endpoints are subject to the same authorization checks, the UI sits on top of the REST endpoints.

You can certainly create a script that iterates over all installed apps, identifies defined lookups and tries to read them using an administrator ID.

What is your use case, do you want to produce some sort of an inventory of lookup definitions backed by KVStore?

View solution in original post

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Splunk permissions exist to prevent exactly that. Any knowledge object scoped to an app context can only be accessed from within that app context, by users who are authorized to use that app context. Or by an administrator, obviously.
The REST endpoints are subject to the same authorization checks, the UI sits on top of the REST endpoints.

You can certainly create a script that iterates over all installed apps, identifies defined lookups and tries to read them using an administrator ID.

What is your use case, do you want to produce some sort of an inventory of lookup definitions backed by KVStore?

0 Karma

joao_amorim
Communicator

Yes i want to create a saved search to from times to times save all CSV's and KVstoresin an index.

So every time it will search for all CSV's and KVstores and if something is different from what it was in the index it updates the index.

It's like a version system to CSV's and KVstores.

When you say: "... by users who are authorized to use that app context. Or by an administrator, obviously."
You are saying that if I'm an admin you can do inputlookup in the Search & Report app, for example, and access the KVstores with permissions only for that app?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...