Reporting

where can I see if my saved search/report is running as "owner" for another user who do not have access to index.

sgundeti
Path Finder

hi,

I am trying to restrict a user with role no access to any indexes and trying to share a report at app level( with read access to app) to make user see results by running it as owner. but it doest show any results for user when the user clicks on run from searchs,reports and alerts settings.

I believe its barely simple and straight forward , can someone point out if I miss anything here?

I can share my setting if someone wants to look at more deeply. I am on 6.5.2.

Thanks in advance.

Update 1: more info

I managed to see the job properties using | rest /services/search/jobs and co-relate with search index=_audit action=search info=granted search=*. It seems job is running as user instead as owner.
I could see both owner and user fields have user values for the job.

0 Karma
1 Solution

sgundeti
Path Finder

I managed to find answer to my question via slack channel!
flaw to my approach is user is running saved search from search bar which means splunk will treat it as normal search job by user hence in my above query it is showing job executed by user instead of owner.

And right way to see when you allow user to run report as owner is go to Reports>click on report name. splunk will launch results without search bar.

Thanks to @martin_mueller !

View solution in original post

0 Karma

sgundeti
Path Finder

I managed to find answer to my question via slack channel!
flaw to my approach is user is running saved search from search bar which means splunk will treat it as normal search job by user hence in my above query it is showing job executed by user instead of owner.

And right way to see when you allow user to run report as owner is go to Reports>click on report name. splunk will launch results without search bar.

Thanks to @martin_mueller !

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Try this

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| table title eai:acl.app search eai:acl.owner 
| rename eai:acl.owner as owner 
| where match(search,"SOURCETYPE")
0 Karma

sgundeti
Path Finder

I mean I can see that I am the owner of the object. But how to see when the user running my report is running as owner permissions instead user permissions. Because user is unable to see the report results when running as owner.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Use this to correlate the user with the rest call

| rest splunk_server=local /servicesNS/-/-/saved/searches 
 | table title eai:acl.app search eai:acl.owner 
 | rename eai:acl.owner as owner 
 | where match(search,"SOURCETYPE")
 | appendcols [search index=_audit action=search info=granted search=*
| table user]
0 Karma

sgundeti
Path Finder

besides your query I ran this query to see if user executed job is running as owner or user and It found to be running as user instead of owner.
here A945sg is owner of report and T945sg is user who is running the report.

index=_audit action=search info=granted search=* "T945sg" OR "A945sg"
     NOT "search_id='scheduler" 
     NOT "search='|history" 
     NOT "user=splunk-system-user" 
     NOT "search='typeahead" 
     NOT "search='| metadata type=* | search totalCount>0"
 | fields user, search, _time, search_id
 | eval search_id = trim(replace(search_id, "\'", ""))
 | join search_id [
     | rest /services/search/jobs splunk_server=local
     | search NOT author="splunk-system-user"
     | search author="T945sg" OR author="A945sg"
     | rename custom.search as customSearch, sid AS search_id  
     | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)  
     | search SearchString!=""
     | eval search_id = trim(replace(search_id, "\'", ""))
 ]
 | table _time,author,eai:acl.owner, user,search,eai:acl.app,isSavedSearch,resultCount,search_id

my primary concern is why user is not seeing results when job is set to run as owner privileges.

NOTE: user is restricted to access to index directly that is used in report.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...