Security

Admins can't see private searches/reports/alerts

alekksi
Communicator

Hi all,

As an admin user, I am unable to see private dashboards and searches saved by some users. I know that a number of these exist, including some from users who have now left the company. What is the easiest way of cleaning up these objects?

I can confirm that the admin role has the 'admin_all_objects' capability.

Thanks in advance,
Alex

0 Karma
1 Solution

chimell
Motivator

Hi alekksi

Verify that, in your Splunk instance, the Admin role has all of the following selected capabilities:

accelerate_datamodel
admin_all_objects
change_authentication
edit_deployment_client
edit_deployment_server
edit_dist_peer
edit_forwarders
edit_httpauths
edit_input_defaults
edit_monitor
edit_roles
edit_scripted
edit_search_head_clustering
edit_search_scheduler
edit_search_server
edit_server
edit_splunktcp
edit_splunktcp_ssl
edit_tcp
edit_token_http
edit_udp
edit_user
edit_view_html
edit_web_settings
edit_win_admon
edit_win_eventlogs
edit_win_perfmon
edit_win_regmon
edit_win_wmiconf
get_diag
indexes_edit
license_edit
license_tab
list_deployment_client
list_deployment_server
list_forwarders
list_httpauths
list_pdfserver
list_search_head_clustering
list_search_scheduler
list_win_localavailablelogs
rest_apps_management
restart_splunkd
run_debug_commands
web_debug

Also verify the imported capabilities:

accelerate_search
change_own_password
edit_sourcetypes
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
schedule_rtsearch
schedule_search
search


hredd
New Member

I don't follow. Going to Settings -> All Configurations just brings you to 20+ pages of indecipherable object names. The answer for this question does not address what someone using Splunk Web would do in order to change the permissions required to see alerts that a user has made and never shared globally.

0 Karma

renjith_nair
Legend

Check under Settings -> All Configurations. You should be able to see all dashboards under config type view, and similarly other objects as well. You might need to edit permissions there to share from private to Global to list them under dashboards.

---
What goes around comes around. If it helps, hit it with Karma 🙂

norbertkiammacl
Explorer

Worked like a charm!

0 Karma

jplumsdaine22
Influencer

I don't think you can actually view the dashboard - you can only see the object in the manager list, and edit its permissions. You will have to manually set permissions to allow the admins role to "read" the view/search etc.

alekksi
Communicator

Yep -- you're right for this one. Thanks

0 Karma
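The replies above come down to finding objects whose sharing is still private and changing their permissions. As an added example (not code from any poster or from Splunk), this sketch lists private saved searches from a REST listing and picks out those whose owner is no longer an active account; the sample response, user names and `ACTIVE_USERS` set are constructed, and it assumes the listing was fetched by an account allowed to see other users' objects.

```python
import json
from urllib.parse import quote

# Constructed sample shaped like the JSON from
# GET /servicesNS/-/-/saved/searches?output_mode=json (not real data).
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Failed logins by host",
     "acl": {"app": "search", "owner": "jdoe", "sharing": "user"}},
    {"name": "License usage",
     "acl": {"app": "search", "owner": "nobody", "sharing": "global"}},
    {"name": "VPN alert/test",
     "acl": {"app": "netops", "owner": "asmith", "sharing": "user"}},
    {"name": "Weekly report",
     "acl": {"app": "search", "owner": "jdoe", "sharing": "app"}},
]})

ACTIVE_USERS = {"admin", "asmith"}  # constructed list of current accounts


def private_objects(response_text):
    """Return sorted (owner, app, name) for entries with sharing == 'user'."""
    rows = []
    for entry in json.loads(response_text).get("entry", []):
        acl = entry.get("acl", {})
        if acl.get("sharing") == "user":
            rows.append((acl.get("owner"), acl.get("app"), entry.get("name")))
    return sorted(rows)


def orphaned(rows, active_users):
    """Private objects whose owner is not a current account."""
    return [row for row in rows if row[0] not in active_users]


def acl_path(owner, app, name):
    """REST path of the object's ACL, where sharing and owner are changed."""
    return "/servicesNS/{}/{}/saved/searches/{}/acl".format(
        quote(owner, safe=""), quote(app, safe=""), quote(name, safe=""))


if __name__ == "__main__":
    rows = private_objects(SAMPLE_RESPONSE)
    for owner, app, name in orphaned(rows, ACTIVE_USERS):
        print(owner, app, name, acl_path(owner, app, name))
```
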

alekksi
Communicator

I can verify that, of the top list, the following are missing:
edit_search_scheduler (doesn't exist in 6.2.3, the current version we're on -- should be moving to 6.3.x in a month or so)
edit_token_http
edit_win_admon
edit_win_eventlogs
edit_win_perfmon
edit_win_regmon
edit_win_wmiconf
list_pdfserver
list_search_scheduler
list_win_localavailablelogs
web_debug (doesn't exist in 6.2.3)

Of the bottom list, I'm not sure exactly how to get most of these turned on -- only schedule_rtsearch is appearing -- but I'm sure that a number of these are turned on for admin users.

0 Karma
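The comparison made in this thread (a role's selected plus imported capabilities against an expected list) can be scripted. This is an added example, not code from any poster or from Splunk: it resolves a role's effective capabilities through `importRoles` in authorize.conf and reports what is missing. The configuration fragment is constructed, and the expected list in the usage is a subset of the capability names quoted in the thread.

```python
# Constructed authorize.conf fragment (not from a real deployment).
AUTHORIZE_CONF = """\
[role_user]
search = enabled
change_own_password = enabled

[role_power]
importRoles = user
schedule_rtsearch = enabled

[role_admin]
importRoles = power;user
srchIndexesAllowed = *
admin_all_objects = enabled
edit_roles = enabled
"""

def parse_roles(text):
    """Map stanza name -> {'caps': enabled capabilities, 'imports': roles}."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = roles.setdefault(line[1:-1], {"caps": set(), "imports": []})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "importRoles":
                current["imports"] = [r.strip() for r in value.split(";") if r.strip()]
            elif value == "enabled":  # other settings (e.g. index lists) are skipped
                current["caps"].add(key)
    return roles

def effective_caps(roles, role, seen=None):
    """Own capabilities plus those inherited through importRoles."""
    seen = set() if seen is None else seen
    stanza = roles.get("role_" + role)
    if stanza is None or role in seen:  # unknown role or import cycle
        return set()
    seen.add(role)
    caps = set(stanza["caps"])
    for parent in stanza["imports"]:
        caps |= effective_caps(roles, parent, seen)
    return caps

def missing_caps(roles, role, expected):
    """Expected capabilities the role neither has nor inherits, sorted."""
    return sorted(set(expected) - effective_caps(roles, role))
```

On a real instance the role stanzas can be spread across several authorize.conf files, so run this over the merged configuration rather than a single file.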

chimell
Motivator

My Splunk instance is version 6.3.2, so it is possible that we have differences. Just add the capabilities which are absent to complete the list and retest.

0 Karma

alekksi
Communicator

Seems to work fine. Thanks a lot mate 🙂

0 Karma

chimell
Motivator

You are welcome.

0 Karma