Capability to assign to user role to view and add ...

apro · ‎06-21-2010

Hi,

What is the capability to assign to a user role so that it is able to access and configure data inputs via "Manager > Data Inputs" ?

"list_inputs" is already in and I've also tried to include "edit_tcp", "edit_udp", "edit_monitor" but the user account is still unable to access data inputs..

Stephen_Sorkin · ‎08-17-2010

These pages are controlled by access control lists on manager objects rather than capabilities on the underlying splunk functionality. We're slowly moving splunkd from a capabilities-based model to an ACL model to better support granular control of various system and user objects.

To make these visible, edit $SPLUNK_HOME/etc/apps/search/metadata/local.meta and add additional roles to the read attributes of the following stanzas:

[manager/datainputstats]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_monitor]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_script]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_tcp_cooked]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_tcp_raw]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_udp]
access = read : [ admin ], write : [ admin ]

cmahan · ‎09-10-2015

Is this still valid? I have no [manager/data...... in that file at all. I do see the individual inputs that I would like my restricted user to have access to.. In my case they are website availability check (web_ping) inputs. I want certain users to be able to add or remove these checks. Can't find a particular capability to add to give view of the checks and ability to edit and do not see corresponding entries to what this article suggests 5 years ago...

tpsplunk · ‎08-09-2012

with some help form splunk support this is now working. I had to do two things- one was make the changes to local.meta as explained by Stephen. It did need to go in the 'search' app. The second was to add the line "edit_monitor = enabled" under the appropriate role stanza in my local/authorize.conf file. after a restart of splunk the users in the edited role were able to use the add data app/button.

tpsplunk · ‎08-01-2012

this did not work for me. I did it a little different- i am using searchead pooling and have a 'searchhead' app that is managed by my deployment server so i edited my searchhead/metadata/local.meta file and distrubuted it. once it showed up on my searchhead i restarted it and had the user try again- no luck. the user in question has a power user role so in each of the stanza's above I changed the access line to be: access = read : [ admin, power ], write : [ admin, power]

tpsplunk · ‎08-01-2012

Hi stephen,
is this still a valid answer for splunk 4.3? or have further improvements been made?

I will test them in my local.meta file and report back

apro · ‎06-22-2010

Have tried restarting splunk services but still the same..

nope..no specific error as well...

jrodman · ‎06-21-2010

I don't know.

Have you restarted and/or reloaded auth? Those sound sufficient, but not sure. Do you get a specific error? This might be better as a support inquiry, if you don't get a quick answer here.

Capability to assign to user role to view and add data inputs

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies