Reporting

Where can I see if my saved search/report is running as "owner" for another user who does not have access to the index?

sgundeti
Path Finder

hi,

I am trying to restrict a user with a role that has no access to any indexes, and trying to share a report at app level (with read access to the app) so that the user can see results by running it as owner. But it doesn't show any results for the user when the user clicks Run from the Searches, reports, and alerts settings.

I believe it's fairly simple and straightforward; can someone point out if I missed anything here?

I can share my settings if someone wants to look more deeply. I am on 6.5.2.

Thanks in advance.

Update 1: more info

I managed to see the job properties using | rest /services/search/jobs and correlate them with the search index=_audit action=search info=granted search=*. It seems the job is running as the user instead of as the owner.
I could see that both the owner and user fields have the user's values for the job.


sgundeti
Path Finder

I managed to find the answer to my question via the Slack channel!
The flaw in my approach is that the user is running the saved search from the search bar, which means Splunk will treat it as a normal search job by the user; hence in my above query it is showing the job executed by the user instead of the owner.

And the right way to see it when you allow a user to run a report as owner is to go to Reports > click on the report name. Splunk will launch the results without the search bar.

Thanks to @martin_mueller !




skoelpin
SplunkTrust

Try this

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| table title eai:acl.app search eai:acl.owner 
| rename eai:acl.owner as owner 
| where match(search,"SOURCETYPE")

sgundeti
Path Finder

I mean, I can see that I am the owner of the object. But how do I see whether the user running my report is running with owner permissions instead of user permissions? Because the user is unable to see the report results when running as owner.


skoelpin
SplunkTrust

Use this to correlate the user with the REST call:

| rest splunk_server=local /servicesNS/-/-/saved/searches
| table title eai:acl.app search eai:acl.owner
| rename eai:acl.owner as owner
| where match(search,"SOURCETYPE")
| appendcols [search index=_audit action=search info=granted search=*
    | table user]

sgundeti
Path Finder

Besides your query, I ran this query to see if the user-executed job is running as owner or user, and it was found to be running as user instead of owner.
Here A945sg is the owner of the report and T945sg is the user who is running the report.

index=_audit action=search info=granted search=* "T945sg" OR "A945sg"
    NOT "search_id='scheduler"
    NOT "search='|history"
    NOT "user=splunk-system-user"
    NOT "search='typeahead"
    NOT "search='| metadata type=* | search totalCount>0"
| fields user, search, _time, search_id
| eval search_id = trim(replace(search_id, "\'", ""))
| join search_id [
    | rest /services/search/jobs splunk_server=local
    | search NOT author="splunk-system-user"
    | search author="T945sg" OR author="A945sg"
    | rename custom.search as customSearch, sid AS search_id
    | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)
    | search SearchString!=""
    | eval search_id = trim(replace(search_id, "\'", ""))
]
| table _time,author,eai:acl.owner, user,search,eai:acl.app,isSavedSearch,resultCount,search_id

My primary concern is why the user is not seeing results when the job is set to run with owner privileges.

NOTE: the user is restricted from directly accessing the index that is used in the report.

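As an added example (not from this thread and not Splunk's own code), the correlation the thread does in SPL redone in Python over constructed _audit events and job records: join on search_id with the quotes trimmed, then label each run "owner" or "user" from the job's author and eai:acl.owner, which is what the accepted answer says separates a report launched from Reports from the same text typed into the search bar. Field names follow the thread; the sample values, and the assumption that a user without index access gets no results unless the job ran as the owner, are constructed for the example.

```python
import re

# Constructed sample data (not real Splunk output). Field names follow the
# thread: _audit has user/search_id/search; /services/search/jobs has
# sid/author/eai:acl.owner/isSavedSearch.
REPORT_OWNER = "A945sg"       # owner of the app-shared report
RESTRICTED_USER = "T945sg"    # role has no access to the report's index

AUDIT_EVENTS = [
    # Typed into the search bar: Splunk treats it as an ad-hoc search by the user.
    "Audit:[timestamp=..., user=T945sg, action=search, info=granted, "
    "search_id='1701770400.10', search='search index=secure sourcetype=vpn']",
    # Launched from Reports > report name: the job is dispatched as the owner.
    # (What _audit puts in 'user' for this case is not settled in the thread,
    # so the decision below keys on the job record, not on this field.)
    "Audit:[timestamp=..., user=T945sg, action=search, info=granted, "
    "search_id='1701770460.11', search='search index=secure sourcetype=vpn']",
]
JOBS = [  # sid keeps the quotes the REST output carries, as in the thread
    {"sid": "'1701770400.10'", "author": "T945sg", "eai:acl.owner": "T945sg",
     "isSavedSearch": "0"},
    {"sid": "'1701770460.11'", "author": "A945sg", "eai:acl.owner": "A945sg",
     "isSavedSearch": "1"},
]

# key=value pairs; quoted values may contain commas and '=' themselves
KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]+)")

def parse_audit(line):
    """Return the key=value fields of one _audit event with quotes stripped."""
    return {k: v.strip("'\"") for k, v in KV.findall(line)}

def classify_runs(audit_events, jobs, report_owner, restricted_users):
    """Join audit events to job records on search_id (quotes trimmed, like the
    thread's eval) and label each run by the identity the job actually ran as."""
    by_sid = {job["sid"].strip("'"): job for job in jobs}
    runs = []
    for ev in map(parse_audit, audit_events):
        job = by_sid.get(ev["search_id"])
        if job is None:            # granted search with no matching job: skip
            continue
        owner_run = job["author"] == report_owner and job["eai:acl.owner"] == report_owner
        runs.append({
            "search_id": ev["search_id"],
            "user": ev["user"],
            "ran_as": "owner" if owner_run else "user",
            # a restricted user running under their own permissions sees no results
            "expect_results": owner_run or ev["user"] not in restricted_users,
        })
    return runs
```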