Reporting

403 error following saved-search link

grahampoulter
Path Finder

An unprivileged user following the "Link to results" for the scheduled search email globally-shared saved search on Splunk 4.2 (Windows x64) that was created by admin results in a 403 error, but replacing the @go in the URL with "flashtimeline" shows the results.

Steps to reproduce:

  • Create a saved search from admin role, schedule it, and share with app or globally. That is, give read permission for Everyone.
  • Follow the "Link to Results" in the scheduled email, logging in as unprivileged User: Link to results: http://example.com:8000/app/search/@go? sid=scheduler__admin__search_TGl2ZSBXTUkgU1FMIEV4Y2VwdGlvbnM_at_1309182600_34add1b3a8f9c6a6
  • Receive 403 error >AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None`

If you replace the @go in the link with "flashtimeline", there is no 403 error and the search results display.

Alternatively, if you log in as an admin role instead of a user role, there is no 403 error and search results display.

I think there is a bug in the handling of the the @go part of the URL, causing a 403 response to users who are not admin or owner of the saved search, despite global sharing with "Everyone".

Related to Q10946

The user role already has the rest_properties_get capability.

1 Solution

piebob
Splunk Employee
Splunk Employee

this is a known issue in at least 4.2.2, filed as SPL-40451. as you note, the workaround (until a fix is included in a maintenance release) is to change .../@go?sid=.... to .../flashtimeline?sid=... in the URL within the email.

View solution in original post

piebob
Splunk Employee
Splunk Employee

this is a known issue in at least 4.2.2, filed as SPL-40451. as you note, the workaround (until a fix is included in a maintenance release) is to change .../@go?sid=.... to .../flashtimeline?sid=... in the URL within the email.

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...