Security
Highlighted

Allowing one role per app

SplunkTrust
SplunkTrust

Hello,

How can I configure a role to only view a single app without having to review all other app configurations ? I have many apps in a shared environment and im having some issues scaling with my role management.

Anyone has some best practice to be used in this case ?

Regards,
David

Tags (2)
0 Karma
Highlighted

Re: Allowing one role per app

Motivator

hi DavidHourani,

create a special role for this application with the name you want (for example, user1) and user rights.

After you have created this role, you go change the permissions on your application and you only selected the role you had just created (user1).

as soon as you create the user who has the right to view this page, then you give him this role there and everything will be fine.

for more infomations, follow this link:

https://answers.splunk.com/answers/51443/app-permissions-and-roles.html

forgive my english.

0 Karma
Highlighted

Re: Allowing one role per app

SplunkTrust
SplunkTrust

Thank you for your reply. I currently do as you mentioned above but I have about 100 roles and so if i want to manage the roles I have to click on each app and select the roles that have the right to access it. It becomes a waste of time when u have 100 roles x 10 apps.... I Know its a one shot thing, but I would like to know if anyone has a solution for managing roles like that, maybe someone made an interface that allows you to see all app permissions without having to click on each app and then tick the corresponding roles ^^

0 Karma
Highlighted

Re: Allowing one role per app

Motivator

now, i don't know an interface that allows you to see all app permissions without having to click on each app

0 Karma
Highlighted

Re: Allowing one role per app

SplunkTrust
SplunkTrust

If you've access to the Search head's file system, an easy option will be make this change in the file system. The app level access permission is stored in $SPLUNKHOME/etc/apps/APPNAME/metadata/ folder in the default.meta OR local.meta. The default entry would say this

# Application-level permissions    
[]
access = read : [ * ], write : [ admin, power] 

Change this to

# Application-level permissions
[]
access = read : [ YourRoleForApp ], write : [ YourRoleForApp ] 

Remember to restart Splunk instance for changes to take place. Since it's just 10 file update, should be easier/faster.