Getting Data In

Role capabilities to change Event Type permissions through REST api

dolxor
Path Finder

Hello.

I'm creating an Event Type like this;

curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes \
    -d name="incident_1" \
    --data-urlencode search=search="src_ip=10.0.0.1 sig_id=10001"

My RESTUser is a member of one role, the 'REST_API_User' which has the following capabilities;

rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set

Then I want to change this Event Type from a private Event Type to an App-wide Event Type. I do this also through the REST API;

curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes/incident_1/acl \
    -d perms.read=* \
    -d perms.write=* \
    -d sharing=app \
    -d owner=RESTUser

However, now I am denied this action with the following error message;

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">User 'RESTUser' with roles { restuser, rest_api_user } cannot write: /nobody/search/eventtypes/incident_1 { read : [ * ], write : [ admin, power ] }, export: global, removable: no</msg>
  </messages>
</response>
  1. Why does it want to write to /nobody/search/...? I spesificially told it to update RESTUser/search/saved/eventtypes/incident_1 - No mention of /nobody/ ..
  2. Why does it say write : [ admin, power ] - is this the default permission when creating an Event Type?
  3. I even tried to add inheritance to the role REST_API_User, to inherit the role "user", but still no luck. If I login to the GUI with the role User added to me I do not see the "Permissions" link behind the "Sharing Private" for the line of this Event Type.
  4. If I add the RESTUser with admin role - everything works nicely.

I am confused as what to do, as I don't want to give a system admin access to my Splunk just to add and update EventType ACL's. Isn't there a way to create an Event Type and simultaneously set the permissions? It seems to default be set to [ admin, power ].

Any advice out there?

gkanapathy
Splunk Employee
Splunk Employee

In addition to all the roles and the event type, you must have write permission to the parent app.

dolxor
Path Finder

Hello. I will try to give RESTUser write to the app.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...