How can we enforce auto for Schedule Window?

Ultra Champion

Speaking with @woodcock about this case at "What time frame does the auto for Schedule Window cover?"

We would like to enforce auto for the Schedule Window option.

My understanding there was -

If we don't give the edit_search_schedule_window capability to anyone, all will be set to auto without the ability to change it - sounds good to me ;-)

However, we tested it and it was said -

I was doing some testing around the edit_search_schedule_window capability and in my testing, which may be inaccurate, removing that capability removed more than just the ability to leverage/modify the schedule window…it also removed the user’s ability to schedule searches. This is in light of the role still having the schedule_search capability.

Looks like this is affecting report scheduling… alert scheduling appears to be fine. More testing needed.

SplunkTrust

I can confirm that with the schedule_search capability only, we can't schedule a Report. It looks like the edit_search_schedule_window capability is also required for Report Scheduling. And Splunk by default ships the edit_search_schedule_window capability with the user role, which means that to schedule any report we require both capabilities (edit_search_schedule_window and search), OR it might be a bug?

0 Karma

Esteemed Legend

I would open a support case.

0 Karma

Ultra Champion

Much appreciated @harsmarvania57 and @woodcock !!! I'll open a support case.

0 Karma

Ultra Champion

Support is saying -

-- As far as I know, I have come across this issue before and this is not a bug; effectively you need both of these capabilities to be able to schedule reports.

Does it make sense?

0 Karma

Esteemed Legend

Push back and ask them, "Then why bother having 2 settings instead of just 1?"

0 Karma

Ultra Champion

oh oh @woodcock - will do ;-)

0 Karma

Esteemed Legend

Don't get your hopes up. Also ask them to document this on the docs page somewhere.

0 Karma

Ultra Champion

I know. I dealt with them quite a bit - more during the Hunk period of mine ;-)

0 Karma

Ultra Champion

Ok, Support got back to us pointing to https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Rolesandcapabilities

It says there -

-- Schedule search -> Lets the user schedule saved searches, create and update alerts, and review triggered alert information.
edit_search_schedule_window -> Lets the user assign schedule windows to scheduled reports. Requires the schedule_search capability. For more about the search scheduler, see the Knowledge Manager Manual.

The supporter added -

-- So, maybe the fact that you need both is due to the fact that schedule reports are like a saved searches that can have schedule windows.

Let me know what you think.

0 Karma
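An added example, not part of the original thread and not Splunk's own code: a small audit that resolves `importRoles` inheritance in an authorize.conf and reports, per role, which of the two capabilities discussed above it effectively holds. The role names and the sample file are constructed, and the "alerts only" verdict encodes what posters in this thread observed, not documented behaviour.

```python
import configparser

# Constructed sample authorize.conf; role names are hypothetical.
SAMPLE = """
[role_base_sched]
schedule_search = enabled

[role_report_author]
importRoles = base_sched
edit_search_schedule_window = enabled

[role_window_only]
edit_search_schedule_window = enabled
"""

NEEDED = {"schedule_search", "edit_search_schedule_window"}

def load_roles(text):
    """Return {role_name: {setting: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of keys such as importRoles
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}

def effective_caps(name, roles, seen=None):
    """Capabilities enabled on a role plus everything it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # guard against import cycles
        return set()
    seen.add(name)
    caps = {k for k, v in roles[name].items() if v.strip().lower() == "enabled"}
    for parent in roles[name].get("importRoles", "").split(";"):
        if parent.strip():
            caps |= effective_caps(parent.strip(), roles, seen)
    return caps

def audit(text):
    roles, report = load_roles(text), {}
    for name in roles:
        have = effective_caps(name, roles) & NEEDED
        if have == NEEDED:
            report[name] = "can schedule reports"
        elif have == {"schedule_search"}:
            report[name] = "alerts only; report scheduling fails"  # per this thread
        elif have == {"edit_search_schedule_window"}:
            report[name] = "misconfigured: schedule_search missing"  # per the docs quote
        else:
            report[name] = "no scheduling"
    return report
```

The input is assumed to be the already merged configuration; a single app's authorize.conf will miss roles and imports defined in other layers.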

Esteemed Legend

Splunk documentation is unbelievably excellent in almost every area EXCEPT FOR capabilities. There is no clear mapping of exactly what each one does and which ones need to be grouped together for certain functions. We always resort to experimentation in this area. One person who has done much of this is @pmalcakdoj, who may be able to share on this topic.

Path Finder

I haven't done any work in that particular area, so I'm not sure either.
I do echo the same sentiment as above: Splunk's capabilities logic is a magic black box.

One potential solution to the original question could be to use CSS/JS to hide/remove the Schedule Window option from UI.
It's a bandaid fix at best, I know.

Ultra Champion

Much appreciated @pmalcakdoj !!!

0 Karma

Ultra Champion

Thank you @woodcock !!! any ideas, by any chance, @pmalcakdoj?

0 Karma