What is the role capability required to view all the indexes in Splunk Cloud settings?

mala_splunk_91
Explorer

What is the role capability required to view all the indexes in Splunk Cloud settings?

We have the below capabilities in place:

accelerate_datamodel
accelerate_search
acs_conf
admin_all_objects
apps_backup
apps_restore
change_authentication
change_own_password
cloud_internal
customer_cases
delete_by_keyword
delete_messages
dispatch_rest_to_indexers
dmc_deploy_apps
dmc_deploy_token_http
dmc_manage_topology
edit_authentication_extensions
edit_auto_ui_updates
edit_bookmarks_mc
edit_cmd
edit_deployment_client
edit_deployment_server
edit_dist_peer
edit_encryption_key_provider
edit_field_filter
edit_forwarders
edit_global_banner
edit_health
edit_health_subset
edit_httpauths
edit_indexer_cluster
edit_indexerdiscovery
edit_ingest_rulesets
edit_input_defaults
edit_ip_allow_list
edit_kvstore
edit_local_apps
edit_log_alert_event
edit_manager_xml
edit_metric_schema
edit_metrics_rollup
edit_modinput_journald
edit_monitor
edit_own_objects
edit_restmap
edit_roles
edit_roles_grantable
edit_scripted
edit_search_concurrency_all
edit_search_concurrency_scheduled
edit_search_head_clustering
edit_search_schedule_priority
edit_search_schedule_window
edit_search_scheduler
edit_search_server
edit_server
edit_server_crl
edit_sourcetypes
edit_splunktcp
edit_splunktcp_ssl
edit_splunktcp_token
edit_statsd_transforms
edit_tcp
edit_tcp_stream
edit_telemetry_settings
edit_token_http
edit_tokens_all
edit_tokens_own
edit_tokens_settings
edit_udp
edit_upload_and_index
edit_user
edit_view_html
edit_watchdog
edit_web_features
edit_web_settings
edit_webhook_allow_list
edit_workload_policy
edit_workload_pools
edit_workload_rules
embed_report
export_results_is_visible
fsh_manage
fsh_search
get_diag
get_metadata
get_typeahead
indexes_edit
indexes_list_all
input_file
install_apps
license_edit
license_read
license_tab
license_view_warnings
list_accelerate_search
list_all_objects
list_cascading_plans
list_deployment_client
list_deployment_server
list_dist_peer
list_forwarders
list_health
list_health_subset
list_httpauths
list_indexer_cluster
list_indexerdiscovery
list_ingest_rulesets
list_inputs
list_introspection
list_metrics_catalog
list_pipeline_sets
list_remote_input_queue
list_remote_output_queue
list_search_head_clustering
list_search_scheduler
list_settings
list_storage_passwords
list_token_http
list_tokens_all
list_tokens_own
list_tokens_scs
list_workload_policy
list_workload_pools
list_workload_rules
merge_buckets
metric_alerts
never_expire
never_lockout
output_file
pattern_detect
phantom_read
phantom_write
read_internal_libraries_settings
refresh_application_licenses
request_pstacks
request_remote_tok
rest_access_server_endpoints
rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set
restart_reason
restart_splunkd
rtsearch
run_collect
run_commands_ignoring_field_filter
run_custom_command
run_debug_commands
run_dump
run_mcollect
run_msearch
run_noah_command
run_sendalert
run_walklex
schedule_rtsearch
schedule_search
search
search_process_config_refresh
select_workload_pools
upload_lookup_files
upload_mmdb_files
use_file_operator
use_remote_proxy
web_debug

gcusello
SplunkTrust

Hi @mala_splunk_91,

if you are asking to see data in indexes, this capability is associated with a role but it isn't a feature,

the access to indexes is configured in a different tab (the third) of the role definition.

Ciao.

Giuseppe


mala_splunk_91
Explorer

Yes, the person associated with that role (with capabilities) is not able to see "indexes" listed in the settings.

On the third tab, for 3. Indexes, the role has all the indexes included and saved.

mala_splunk_91_0-1659966125406.png

So, my question here is: what capability is required for a role to view "indexes" listed in the settings?
Or is there any other permission that needs to be given?


gcusello
SplunkTrust

Hi @mala_splunk_91,

if you're speaking of a distributed architecture, Search Heads' users cannot see indexes because they are on different servers (Indexers). Sometimes, some administrators create indexes on Search Heads, not to use them, but only to give a list of possible indexes for the users, but anyway they aren't usable.

In addition, if you have a Search Head Cluster, many features (such as the indexes list) are disabled for all the users because it isn't possible to manage them.

If you're speaking of a stand-alone server, if a user has the grants to access an index, he can see it in the listed indexes.

In conclusion, as I already said, there isn't a special feature to see indexes.

Ciao.

Giuseppe


mala_splunk_91
Explorer

Thank you Giuseppe. 

But is this case true for Splunk Cloud?

Regards,

Mala S


gcusello
SplunkTrust

Hi @mala_splunk_91,

on Splunk Cloud, you should see all the indexes enabled for your role.

Ciao.

Giuseppe


mala_splunk_91
Explorer

@gcusello If yes, I can see only this view in the Splunk Cloud settings.
There is no "indexes" option under DATA.
So, my question is: is there any capability I am missing to view this option?

What capability is required to see "indexes" under DATA?

mala_splunk_91_0-1660065998478.png

Thanks,

Mala S


gcusello
SplunkTrust

Hi @mala_splunk_91,

you could try to enable the "Indexes List All" feature, but anyway, you also have to give grants on indexes to your role.

Ciao.

Giuseppe

mala_splunk_91
Explorer

@gcusello 
Index_list_all is enabled on the role. Also, all the indexes are enabled (screenshots below).

What am I missing?

mala_splunk_91_0-1660133142813.png

mala_splunk_91_1-1660133266113.png

Thanks,

Mala S


gcusello
SplunkTrust

Hi @mala_splunk_91,

to my knowledge, this should be sufficient; open a ticket with Splunk Support.

Ciao.

Giuseppe


jonaclough
Path Finder

My use-case is that I want to create a role which has access to all indexes. However, I don't want to have to be updating this role every time a new index is onboarded. And I don't want to overprovision users with admin access.

Is this possible?

We're on-prem 8.2.2

 


gcusello
SplunkTrust

Hi @jonaclough,

you have an option in the role definition for accessing all non-internal indexes, but I don't know if this is compatible with your security requirements,

otherwise, you have to manually add every new index.

Even so, I don't know about your situation, but usually the creation of a new index shouldn't be such a frequent action!

Ciao.

Giuseppe
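
As an added example (not part of the thread and not Splunk's own sample), this is how the "all non-internal indexes" option discussed above can be expressed in `authorize.conf` on an on-prem deployment, next to the over-provisioned alternative. The role names are hypothetical and the default index `main` is an assumption.

```ini
# authorize.conf (constructed example; role names are hypothetical)

# Over-provisioned: inheriting admin brings in every admin capability
# just to obtain broad index access.
[role_all_data_overprivileged]
importRoles = admin

# Narrower: inherit only the built-in user role and allow every
# non-internal index by wildcard. "*" does not match internal indexes
# (names starting with "_"), so _internal, _audit and similar stay out
# of reach unless "_*" is added explicitly.
[role_all_data_reader]
importRoles = user
srchIndexesAllowed = *
# Indexes searched when a query names no index (assumed here to be main).
srchIndexesDefault = main
```

Because the wildcard is evaluated at search time, a newly created non-internal index is covered without editing the role; anything that must stay restricted needs its own role design rather than this wildcard.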

jonaclough
Path Finder

I can't believe I never noticed that option!

We create indexes weekly so this will be very useful 🙂


gcusello
SplunkTrust

Hi @jonaclough,

if one answer solves your need, please accept one answer for the other people of the Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)
