hi,
I am trying to restrict a user with a role that has no access to any indexes, and trying to share a report at app level (with read access to the app) to make the user see results by running it as owner. But it doesn't show any results for the user when the user clicks on Run from the Searches, Reports, and Alerts settings.
I believe it's fairly simple and straightforward; can someone point out if I missed anything here?
I can share my settings if someone wants to look more deeply. I am on 6.5.2.
Thanks in advance.
Update 1: more info
I managed to see the job properties using | rest /services/search/jobs
and correlate them with the search index=_audit action=search info=granted search=*
It seems the job is running as the user instead of as the owner.
I could see that both the owner and user fields have the user's value for the job.
I managed to find the answer to my question via the Slack channel!
The flaw in my approach is that the user is running the saved search from the search bar, which means Splunk will treat it as a normal search job by the user; hence in my above query it shows the job executed by the user instead of the owner.
The right way to see it when you allow a user to run a report as owner is to go to Reports > click on the report name. Splunk will launch the results without a search bar.
Thanks to @martin_mueller !
Try this
| rest splunk_server=local /servicesNS/-/-/saved/searches
| table title eai:acl.app search eai:acl.owner
| rename eai:acl.owner as owner
| where match(search,"SOURCETYPE")
I mean, I can see that I am the owner of the object. But how do I see whether the user running my report is running with owner permissions instead of user permissions? Because the user is unable to see the report results when running as owner.
Use this to correlate the user with the REST call
| rest splunk_server=local /servicesNS/-/-/saved/searches
| table title eai:acl.app search eai:acl.owner
| rename eai:acl.owner as owner
| where match(search,"SOURCETYPE")
| appendcols [search index=_audit action=search info=granted search=*
| table user]
Besides your query, I ran this query to see if the user-executed job is running as owner or user, and it was found to be running as user instead of owner.
Here A945sg is the owner of the report and T945sg is the user who is running the report.
index=_audit action=search info=granted search=* "T945sg" OR "A945sg"
NOT "search_id='scheduler"
NOT "search='|history"
NOT "user=splunk-system-user"
NOT "search='typeahead"
NOT "search='| metadata type=* | search totalCount>0"
| fields user, search, _time, search_id
| eval search_id = trim(replace(search_id, "\'", ""))
| join search_id [
| rest /services/search/jobs splunk_server=local
| search NOT author="splunk-system-user"
| search author="T945sg" OR author="A945sg"
| rename custom.search as customSearch, sid AS search_id
| eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)
| search SearchString!=""
| eval search_id = trim(replace(search_id, "\'", ""))
]
| table _time,author,eai:acl.owner, user,search,eai:acl.app,isSavedSearch,resultCount,search_id
My primary concern is why the user is not seeing results when the job is set to run with owner privileges.
NOTE: the user is restricted from directly accessing the index that is used in the report.
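Added example, not code from the thread: a small Python audit that lists every shared report set to dispatch as owner, since those are exactly the objects that let a reader with no index access see results under the owner's privileges. It assumes the JSON form of the saved/searches REST endpoint the thread already uses (entry[].content.dispatchAs, entry[].acl.*) and a session key passed as "Authorization: Splunk <key>"; the SAMPLE payload is constructed for offline use.

```python
"""List shared Splunk reports that run with the owner's privileges."""
import json
import urllib.request
from typing import Dict, List


def fetch_saved_searches(base_url: str, session_key: str) -> dict:
    """Pull all saved searches visible to the caller as JSON.
    Assumption: base_url is the management port, e.g. https://host:8089."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_as_owner_reports(payload: dict) -> List[Dict[str, object]]:
    """Return app/global-shared reports with dispatchAs=owner.

    Readers of such a report get results computed with the owner's index
    access, so each row is an effective grant of data access to every role
    in the read permission list, regardless of those roles' own indexes."""
    findings = []
    for entry in payload.get("entry", []):
        content = entry.get("content") or {}
        acl = entry.get("acl") or {}
        if content.get("dispatchAs") != "owner":
            continue  # runs as the reader: no privilege difference
        if acl.get("sharing") not in ("app", "global"):
            continue  # private objects are not visible to other users
        findings.append({
            "title": entry.get("name"),
            "app": acl.get("app"),
            "owner": acl.get("owner"),
            "sharing": acl.get("sharing"),
            "readers": (acl.get("perms") or {}).get("read", []),
            "search": content.get("search"),
        })
    return findings


# Constructed sample payload shaped like the REST JSON output (not real data).
SAMPLE = {"entry": [
    {"name": "restricted_index_report",
     "acl": {"app": "search", "owner": "A945sg", "sharing": "app",
             "perms": {"read": ["restricted_role"], "write": ["admin"]}},
     "content": {"dispatchAs": "owner", "search": "index=restricted | stats count"}},
    {"name": "my_private_search",
     "acl": {"app": "search", "owner": "A945sg", "sharing": "user", "perms": None},
     "content": {"dispatchAs": "owner", "search": "index=_internal | head 1"}},
    {"name": "normal_report",
     "acl": {"app": "search", "owner": "A945sg", "sharing": "app",
             "perms": {"read": ["*"], "write": ["admin"]}},
     "content": {"dispatchAs": "user", "search": "index=main | head 1"}},
]}

if __name__ == "__main__":
    for row in run_as_owner_reports(SAMPLE):
        print(json.dumps(row))
```

Point the fetch at a live instance and feed its result to run_as_owner_reports to review which roles gain owner-level data access through reports.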