Monitoring Splunk

Is it possible to devolve access to DMC to users other than admin role users?

340213
Engager

Hi - I've been trying to test to see if it is possible to provide access to the DMC to a role outside of a Splunk Administrator user.

I'm trying to create a role which would be used solely to monitor the state of the instance yet not give full admin rights.

I've granted the role read and write access to the DMC application and a member of the role can see the app; however, when logging on as said user and looking at the instances, all hosts are showing as 'Unreachable'. Logging on as an admin shows the instances as being 'Up'.

I've increased the rights of the lesser role to have admin_all_rights and the role can see all internal and non-internal indexes; however, this one issue still persists.

Any ideas on what else I need to change to correct this?

MuS
Legend

Hi 340213,

you can create a new role with these settings:

# authorize.conf
[role_mc-users]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
dispatch_rest_to_indexers = enabled
importRoles = power;user
license_tab = enabled
list_deployment_client = enabled
list_deployment_server = enabled
list_forwarders = enabled
list_health = enabled
list_httpauths = enabled
list_indexer_cluster = enabled
list_indexerdiscovery = enabled
list_search_head_clustering = enabled
list_search_scheduler = enabled
list_settings = enabled
rest_properties_get = enabled
list_health = enabled
rest_apps_view = enabled
list_indexer_cluster = enabled
list_search_head_clustering = enabled
edit_dist_peer = enabled
srchIndexesAllowed = _*
srchIndexesDefault = _*
srchMaxTime = 0

and allow this role read access to the Monitoring Console app. This will do the task.

Hope this helps ...

cheers, MuS

0 Karma
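An added example (not part of the answer above and not Splunk's own tooling): a small Python check a reviewer could run over an `authorize.conf` role stanza like the one posted above, listing repeated keys, write-capable capabilities, inherited roles and wildcard index access before the role is handed out. The `BROAD` set, the function names and the shortened sample are assumptions made for this example; capabilities inherited through `importRoles` are not resolved.

```python
import re
from collections import Counter

# Constructed sample: a subset of the [role_mc-users] stanza posted above,
# keeping one key that appears twice there.
SAMPLE = """\
[role_mc-users]
importRoles = power;user
list_health = enabled
list_settings = enabled
list_health = enabled
edit_dist_peer = enabled
srchIndexesAllowed = _*
"""

# Assumption for this example: edit_* capabilities and the two names below
# (both mentioned in the thread) are the ones a reviewer should look at first.
BROAD = {"admin_all_objects", "license_edit"}

def parse_roles(text):
    """Return {role_name: [(key, value), ...]}, keeping repeated keys."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[role_(.+)\]", line)
        if header:
            current = roles.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return roles

def audit_role(settings):
    """Summarise what a role stanza grants directly (imports not resolved)."""
    counts = Counter(key for key, _ in settings)
    enabled = {key for key, value in settings if value == "enabled"}
    last = dict(settings)
    split = lambda key: [v for v in last.get(key, "").split(";") if v]
    return {
        "duplicates": sorted(k for k, n in counts.items() if n > 1),
        "write_capable": sorted(c for c in enabled
                                if c.startswith("edit_") or c in BROAD),
        "inherits_from": split("importRoles"),
        "index_wildcards": [i for i in split("srchIndexesAllowed") if "*" in i],
    }

if __name__ == "__main__":
    print({role: audit_role(s) for role, s in parse_roles(SAMPLE).items()})
```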

340213
Engager

Managed to work this out with a bit of testing...

I created a role based on the Splunk power user role, provided read/write permissions to the application and added the following capabilities:

  • edit_dist_peer
  • license_edit

This has allowed all graphs to display correctly and all instances are now showing as Up.

awurster
Contributor

I couldn't get this to work. Could you be a bit more precise with your steps please and/or post code?

I've tried everything - also added "admin_all_objects" capabilities as suggested in the DMC app guide - but that neither works for me nor makes any real sense:

http://docs.splunk.com/Documentation/Splunk/6.2.8/Admin/ConfiguretheMonitoringConsole

0 Karma

kmanson
Path Finder

The only section which does not populate with these changes is the Alert section. It appears the search below does not return results to the limited user. Any ideas what permissions this search needs? If it matters, this is DMC on Splunk 6.3.1.
| rest splunk_server=local /services/search/distributed/peers/
| where status!="Up"
| fields peerName, status
| rename peerName as Instance, status as Status

0 Karma