What is the capability to assign to a user role so that it is able to access and configure data inputs via "Manager > Data Inputs"?
"list_inputs" is already in and I've also tried to include "edit_tcp", "edit_udp", "edit_monitor" but the user account is still unable to access data inputs.
These pages are controlled by access control lists on manager objects rather than capabilities on the underlying splunk functionality. We're slowly moving splunkd from a capabilities-based model to an ACL model to better support granular control of various system and user objects.
To make these visible, edit $SPLUNK_HOME/etc/apps/search/metadata/local.meta and add additional roles to the read attributes of the following stanzas:

    [manager/datainputstats]
    access = read : [ admin ], write : [ admin ]

    [manager/data_inputs_monitor]
    access = read : [ admin ], write : [ admin ]

    [manager/data_inputs_script]
    access = read : [ admin ], write : [ admin ]

    [manager/data_inputs_tcp_cooked]
    access = read : [ admin ], write : [ admin ]

    [manager/data_inputs_tcp_raw]
    access = read : [ admin ], write : [ admin ]

    [manager/data_inputs_udp]
    access = read : [ admin ], write : [ admin ]
Is this still valid? I have no [manager/data...... in that file at all. I do see the individual inputs that I would like my restricted user to have access to. In my case they are website availability check (web_ping) inputs. I want certain users to be able to add or remove these checks. Can't find a particular capability to add to give view of the checks and ability to edit and do not see corresponding entries to what this article suggests 5 years ago...
With some help from Splunk support this is now working. I had to do two things. One was to make the changes to local.meta as explained by Stephen. It did need to go in the 'search' app. The second was to add the line "edit_monitor = enabled" under the appropriate role stanza in my local/authorize.conf file. After a restart of Splunk the users in the edited role were able to use the add data app/button.
This did not work for me. I did it a little differently: I am using search head pooling and have a 'searchhead' app that is managed by my deployment server, so I edited my searchhead/metadata/local.meta file and distributed it. Once it showed up on my search head I restarted it and had the user try again: no luck. The user in question has a power user role, so in each of the stanzas above I changed the access line to be: access = read : [ admin, power ], write : [ admin, power]
I don't know.
Have you restarted and/or reloaded auth? Those sound sufficient, but not sure. Do you get a specific error? This might be better as a support inquiry, if you don't get a quick answer here.
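An added example, not part of the thread and not Splunk's own tooling: a small audit of the local.meta stanzas from the answer above, reporting which of the manager/data* pages a given role can read or write. The sample file contents and the function names are constructed for illustration, and the script reads one file only, so it does not account for other .meta files that Splunk may merge with it.

```python
import re

# Constructed sample: stanzas from the answer, with the "power" role added to two of them.
SAMPLE_META = """\
[manager/datainputstats]
access = read : [ admin, power ], write : [ admin ]

[manager/data_inputs_monitor]
access = read : [ admin, power ], write : [ admin, power]

[manager/data_inputs_udp]
access = read : [ admin ], write : [ admin ]
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")
PERM_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta_acls(text):
    """Return {stanza: {"read": set, "write": set}} for each stanza with an access line."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep or key.strip() != "access":
            continue
        perms = {"read": set(), "write": set()}
        for perm, roles in PERM_RE.findall(value):
            perms[perm] = {r.strip() for r in roles.split(",") if r.strip()}
        acls[current] = perms
    return acls


def role_access(text, role, prefix="manager/data"):
    """Map each stanza under `prefix` to the permissions `role` holds ("*" matches any role)."""
    report = {}
    for stanza, perms in parse_meta_acls(text).items():
        if stanza.startswith(prefix):
            report[stanza] = sorted(p for p, roles in perms.items() if role in roles or "*" in roles)
    return report


if __name__ == "__main__":
    for stanza, perms in role_access(SAMPLE_META, "power").items():
        print(f"{stanza}: {', '.join(perms) or 'no access'}")
```

Running it against the file that actually landed on the search head shows whether the distributed edit is present, and listing roles with write access makes over-broad grants easy to spot.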