Hi all. One of our users cannot upload files to Splunk with the error "User is not allowed to modify the job".
The user is a power user but not an admin user.
May I know if we need to amend any settings for it to work? Thanks.
We have also started getting this issue after updating Splunk from 8.2 to 9.1.
When I change user role to Admin, they can upload data, when I change back to previous role with the mentioned permissions, they get the same error "User is not allowed to modify the job".
This must be a change in one of the roles in the update, but I'm just trying to figure out which permission is needed for this. My user has the following permissions which is what I read is required to add data:
But still no luck. Will update if I find the specific permission required.
I have opened a case and Splunk Engineering confirmed that there is a bug due to a code change since version 9.0.5.
The workaround for now is to assign the user with "admin_all_objects" but it is very similar to administrative privileges.
Thanks @kakawun this worked. Happy to give users this temporarily. Hopefully Splunk will rectify this bug soon. If you can mark your own comment as an answer I would recommend that! Thanks again.
Well, normally that's not something you grant a normal user with. Especially that usually data onboarding is either done directly on forwarders or via apps distributed from DS - it's relatively uncommon for production search-heads to do ingestion on their own.
Anyway, the most probable candidate for the capability you need would be edit_monitor, but it allows for much more than just uploading a data file for ingestion.
I agree, but in some cases it makes sense to give a single user the ability to upload logs to a dedicated index (e.g. SIEM detection use cases).
I had to give Admin rights to the server, and that was not the way I wanted to set the permissions.
Kind Regards
Patrick
Thanks for your advice. We have already granted the user the edit_monitor capability but unfortunately it is not working.
Hi
I confirm that @PickleRick is 100% right. You should never add data directly on your production environment by some regular user. Actually not even any admin users!
Your onboarding process should contain instructions on how users set up their developer Splunk instances to do that data onboarding and then how admins will deploy ready TA/Apps to production via git or another repository.
r. Ismo
Can you please check whether the logged-in user's role and capabilities are sufficient to write data?
KV
The user has been assigned the Power role (https://docs.splunk.com/Documentation/Splunk/9.0.5/Security/Rolesandcapabilities) with the below additional capabilities:
edit_monitor
indexes_edit
edit_tcp
Thanks.
Hi,
I tried to add the capabilities listed above, but the user still gets the same answer back as before:
User is not allowed to modify the job
The missing role is admin_all_objects.
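Added example, not part of any post in this thread and not Splunk's own code: since the workaround grants admin_all_objects, which the thread notes is close to administrative privileges, this sketch audits an authorize.conf for every role that holds the capability directly or through importRoles, so temporary grants can be tracked and withdrawn later. The sample configuration and all role names in it are constructed for illustration.

```python
import configparser
# Constructed authorize.conf; every role name here is hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
[role_power]
importRoles = user
edit_monitor = enabled
[role_uploader_tmp]
importRoles = power
admin_all_objects = enabled
[role_soc_lead]
importRoles = uploader_tmp
[role_analyst]
importRoles = power;user
admin_all_objects = disabled
"""

def load_roles(text):
    """Map role name -> (imported roles, capabilities set to 'enabled')."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            opts = dict(cp[section])
            imports = [r.strip() for r in opts.pop("importRoles", "").split(";") if r.strip()]
            caps = {k for k, v in opts.items() if v.strip().lower() == "enabled"}
            roles[section[len("role_"):]] = (imports, caps)
    return roles

def roles_with_capability(roles, capability="admin_all_objects"):
    """Return {role: inheritance path} for roles that hold the capability."""
    def resolve(role, seen):
        if role in seen or role not in roles:  # import cycle or unknown role
            return None
        imports, caps = roles[role]
        if capability in caps:
            return [role]
        for parent in imports:
            path = resolve(parent, seen | {role})
            if path:
                return [role] + path
        return None
    return {r: p for r in roles if (p := resolve(r, frozenset()))}

if __name__ == "__main__":
    print(roles_with_capability(load_roles(SAMPLE_AUTHORIZE_CONF)))
```

The inheritance path in each result shows which imported role carries the grant, which is where the capability has to be removed once the fix ships.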