Getting Data In

Why does the "User is not allowed to modify the job" error occur?

kakawun
Explorer

Hi all. One of our users cannot upload files to Splunk; they get the error "User is not allowed to modify the job".

The user is a power user but not an admin user.

May I know if we need to amend any settings for it to work? Thanks.

 


JohnMurphyAus
Path Finder

We have also started getting this issue after updating Splunk from 8.2 to 9.1.
When I change the user's role to Admin, they can upload data; when I change back to the previous role with the mentioned permissions, they get the same error "User is not allowed to modify the job".

This must be a change in one of the roles in the update, but I'm just trying to figure out which permission is needed for this. My user has the following permissions, which I read are required to add data:

  • edit_monitor
  • indexes_edit
  • edit_tcp
  • search

But still no luck. Will update if I find the specific permission required.

0 Karma

kakawun
Explorer

I have opened a case and Splunk Engineering confirmed that there is a bug due to a code change since version 9.0.5.

The workaround for now is to assign the user "admin_all_objects", but it is very similar to administrative privileges.

 

JohnMurphyAus
Path Finder

Thanks @kakawun this worked. Happy to give users this temporarily. Hopefully Splunk will rectify this bug soon. If you can mark your own comment as an answer I would recommend that! Thanks again.

0 Karma

PickleRick
SplunkTrust

Well, normally that's not something you grant to a normal user, especially since data onboarding is usually either done directly on forwarders or via apps distributed from the DS - it's relatively uncommon for production search heads to do ingestion on their own.

Anyway, the most probable candidate for the capability you need would be edit_monitor, but it allows for much more than just uploading a data file for ingestion.

patrickvanreck
Explorer

I agree, but in some cases it makes sense to give a single user the ability to upload logs to a dedicated index (e.g. SIEM detection use cases).

I had to give Admin rights to the server, and that was not the way I wanted to set the permissions.

Kind Regards

Patrick

0 Karma

kakawun
Explorer

Thanks for your advice. We have already granted the user the edit_monitor capability but unfortunately it is not working.

0 Karma

isoutamo
SplunkTrust

Hi

I confirm that @PickleRick is 100% right. You should never have data added directly to your production environment by some regular user. Actually, not even by any admin users!

Your onboarding process should contain instructions on how users set up their developer Splunk instances to do that data onboarding, and then how admins will deploy ready TAs/apps to production via git or another repository.

r. Ismo

0 Karma

kamlesh_vaghela
SplunkTrust

@kakawun 

Can you please check whether the logged-in user's role and capabilities are sufficient to write data?

KV

0 Karma

kakawun
Explorer

The user has been assigned the Power role (https://docs.splunk.com/Documentation/Splunk/9.0.5/Security/Rolesandcapabilities) with the below additional capabilities:

edit_monitor
indexes_edit
edit_tcp

 

Thanks.

0 Karma

patrickvanreck
Explorer

Hi,
I tried to add the capabilities listed above, but the user still gets the same answer back as before:
User is not allowed to modify the job

0 Karma

jvarner92
Splunk Employee

The missing role is admin_all_objects.

0 Karma