Security

Change App and Object Ownership

rgcurry
Contributor

One of my Splunk users has left the company. She owned an App and many saved searches, alerts, etc that all have her name on them. How can I change these to have the name of the new owner of this App? I considered just copying the contents of her $SPLUNK_HOME/etc/users/UserID/AppID/* to the new user's directory but he has already started to create 'stuff' and I did not want to overwrite his work. How might I get this done?

Tags (4)
1 Solution

sowings
Splunk Employee
Splunk Employee

If you utilize the Splunk Manager, changing the scope (permissions) of an object like a savedsearch, macro, UI view, etc, will move it around the filesystem for you. Consider changing it to have "application" scope, which will place it in the context of the owning application ($SPLUNK_HOME/etc/apps/<appname>), vs. the user tree, which only contains user-specific objects. Otherwise, copying the contents elsewhere (perhaps creating a new homegrown app?) will work, too.

View solution in original post

rgcurry
Contributor

I think maybe I was not clear on this -- the App ownership was not in itself the issue but the objects in the app (saved searches, alerts, etc). I figured out what I needed to by snooping based on what sowings mentioned in his previous post and confirmed my suspicion in his last post above. I had to edit the $SPLUNK_HOME/etc/apps/{AppsDir}/metadata/local.meta config file that has old owner’s ID and change each occurrence of that to the new ower’s ID. The Search Head needs to be restarted for these changes to take effect.

Thank you sowings for guidance on this.

sowings
Splunk Employee
Splunk Employee

If you utilize the Splunk Manager, changing the scope (permissions) of an object like a savedsearch, macro, UI view, etc, will move it around the filesystem for you. Consider changing it to have "application" scope, which will place it in the context of the owning application ($SPLUNK_HOME/etc/apps/<appname>), vs. the user tree, which only contains user-specific objects. Otherwise, copying the contents elsewhere (perhaps creating a new homegrown app?) will work, too.

sowings
Splunk Employee
Splunk Employee

Ah, sorry, I misunderstood you. The ownership of an object is set in a file called either default.meta (default permissions) or local.meta (overrides). Both of these files live within the metadata/ subdirectory of a given application. The owner is just a field in that file, though I don't know a direct way in the Manager to make these changes. I'd find the local.meta file which contains the objects you want to chown, edit the owner = part, and restart splunk. I just did a simple test, and the new owner is reflected in the Manager.

dvg06
Path Finder

This solution did not work for me, but moving tags.conf and props.conf files from user-apps local directory to newuser-apps local directory worked for me.

0 Karma

jim_george
New Member

Hi sowings.. this solution worked perfectly for me as well. Employee left the company and alerts stopped working after AD synced with splunk. Changed the owner by editing the local.meta file mentioned above and alerts are back in action. Thanks a ton for the tip.

0 Karma

rgcurry
Contributor

It's not the scope I need to change -- the App's objects are already set to App level permission for sharing. In Manager / Apps, this App shows up with this former user's ID as the owner. I have been asked to change that to the current "owner". The alternative to copying to a new area of the file system does not seem to be the answer either as I will have the same files and their content, just now in a different place.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...