Reporting

Why can a user with "User" role not access a lookup definition with "global" sharing and correct read permissions set?

andrewtrobec
Motivator

Hello,

I am trying to expose data within a lookup from a "logic" app to a "presentation" app for users that have the "user" role. To simplify the situation, I have a lookup "lookup_file.csv" with corresponding lookup deinition "lookup_file" in the "logic" app. Both knowledge objects have "global" sharing and permissions set to "read" for the "user" role. Since I am admin I gave "read/write" permissions to the "admin" role.

When I run the search "| inputlookup lookup_file" from the "presentation" app with my admin user I have no issues reading the data. When I run the same command with my user that has the "user" role assigned I get two errors:

1. The lookup table ‘lookup_file' is invalid.
2. The lookup table ‘lookup_file' requires a .csv or KV store lookup definition.

Here is a diagram that explains the situation:

Untitled.pngI have tried many configurations but cannot get the data to load in the "presentation" app with a user that has the "user" role.  What am I missing?

Any help would be greatly appreciated!

Best regards,

Andrew

Labels (1)

rodrigorsilva
Communicator

Hello,

I had the same issue. You and I forgot one of the most important thing. 😀

The main problem is related to app permission, after set permission on file and the definition, go through:

Apps > Manage Apps > "The App that contains the specific target lookup"

Set read permission for the role that contains the user trying to read the lookup file.

0 Karma

SinghK
Builder

You will need a kvstore lookup for this l, then it should work properly.

0 Karma

andrewtrobec
Motivator

@lukas_rudi Have you seen this?  I used lookups, so this may solve.

0 Karma

lukas_rudi
Observer

Thanks, I realised my issue was caused by something much more trivial: I had multiple instances of the splunk web app open, the one with "inputlookup" was searching for the table in the correct context, the one with "lookup" in another app. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This is a well-written question that should be a model for others!

Have you tried giving the User role read access to the Logic App?  I think without that, the access limits for the lookups aren't considered.

---
If this reply helps you, Karma would be appreciated.

andrewtrobec
Motivator

@richgalloway thanks for responding!  I gave the "user" role read access to the "logic" app, but this still changes nothing.  I'm not sure if this helps, but the "user" role is with default configuration.  I was checking the different role capabilities, but I don't see anything that would make a difference.  I added the "admin_all_objects" capability and it started working (obviously), even when the "user" role does not have read access to the "logic" app.  Might it be some sort of capability issue?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

admin_all_objects has too much power for regular user as you know.

Have you give permissions to both lookup file and lookup definitions or are you using only lookup file? What you see when you are looking those via Settings - lookups - ... ?

r. Ismo

andrewtrobec
Motivator

@isoutamo both lookup and lookup definition are shared globally and provide read access to the "user" role as well as read/write to the "admin" role.  I thought that this would be enough to expose the data.

0 Karma

lukas_rudi
Observer

Hi @andrewtrobec , did you ever find a solution to your problem. I am encountering a similar one, in which inputlookup functions as expected, but lookup claims the table does not exist. I am wondering whether this might similarly be a permission problem.

0 Karma

andrewtrobec
Motivator

@lukas_rudi Unfortunately I was unable to resolve this issue.  I'm not sure whether an upgrade would help, I work on 8.0.5 currently.  If you find a solution, though, feel free to update this thread 🙂

Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust
If you would like that user-role cannot see it, then just update visible =0 in app.conf
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...