Is it possible to change a report or dashboard's permissions from the rest api?
It is! You will need to POST to the particular configuration's ACL Endpoint.
The above documentation details some example curl commands. You will be interested in POSTing to:
https://localhost:8089/servicesNS/-/-/saved/searches/myreport/acl
and
https://localhost:8089/servicesNS/-/-/data/ui/views/mydashboard/acl
If you need a hand structuring the request body then let me know!
It is! You will need to POST to the particular configuration's ACL Endpoint.
The above documentation details some example curl commands. You will be interested in POSTing to:
https://localhost:8089/servicesNS/-/-/saved/searches/myreport/acl
and
https://localhost:8089/servicesNS/-/-/data/ui/views/mydashboard/acl
If you need a hand structuring the request body then let me know!
Is this able to be done on the search line using the rest command? I can use the rest command to return all the saved searches but not sure how I can add the request body?
Hi @klim,
Unfortunately, not.
| rest can only be used to perform GET requests. You cannot use any other HTTP method.
If you want to do this with a Splunk search (and not a different program like curl) then I would consider a custom command / alert action. There is some old stuff kicking around on Splunkbase that might be able to help but I haven't seen anything that is supported on Splunk 9.x.
I was trying to just see the permissions with the curl of a private saved search but I always return a
"Could not find object id=abc"
Is it not possible to see private objects permissions with an admin user?
curl -k -u username:password https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/abc/acl
Edit: Figured it out. I needed to change the username in the url from admin to the owner of the saved search.
curl -k -u username:password https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/abc/acl
The servicesNS API (services namespace) explicitly uses user/app contexts (namespaces) to fetch results.
servicesNS/<<user>>/<<app>>
In order for the abc search to be shown, it must be visible to that <<user>> in that <<app>>.
You can use the servicesNS/-/-/ endpoint to return all namespace contexts e.g:
curl -k -u username:password https://127.0.0.1:8089/servicesNS/-/-/saved/searches/abc/acl
Darn. Thanks for your help. Probably will go down the custom command route.
https://splunkbase.splunk.com/app/4146
Webtools TA has a custom curl command and can do POST - it's a bit tricky sometimes to get the right data into the headers and body as I believe there was once a bug in the extracting of JSON data used for headers, but if you know python, it's easy enough to tweak it.