Security

Cluster Licensing and Monitoring Dashboard Permissions Required to View

shocko
Contributor

 I have Splunk 8.0.5:

  • One cluster master
  • One Search head
  • Two indexers to host clustered indexes

I am logged into the UI of the search head and have the admin role but I cannot do any of the following:

  1. View any of the clustered custom indexes
  2. View the licensing usage in the monitoring console

So on the cluster master we are not using LDAP for auth but just Splunk accounts, and the account I have has the power role. I still cannot see the licensing dashboards.

What level of role/capability do I need (as a minimum) to see this info dashboard, or is there a read-only type role I could create or use to delegate this capability?

0 Karma

ivanreis
Builder

Hi @shocko, the power user role has a lot of privileges. My suggestion is to create a custom user role with only the _internal index enabled and assign it to the group of users you need to. Or you can add only the _internal index to the default user role, but then all users will be granted the ability to search the _internal index. Be careful if you decide to use this option, since we avoid granting access to the _internal index to regular users.

To customise your role, please check this document: https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Rolesandcapabilities

0 Karma

ivanreis
Builder

Hi @shocko,

It is not required to set up LDAP in your cluster environment; you can continue using the current authentication method.

Answering your questions:

  1. View any of the clustered custom indexes
    • To have index visibility, you have to log in to the cluster master as an admin user to see all the default/custom indexes. This is the default configuration for the admin user.
  2. View the licensing usage in the monitoring console
    • The same happens with licensing information; this is a default configuration for the admin user.

For both cases, I would recommend keeping those capabilities assigned to the admin user, because the admin users should have the required knowledge to handle the configuration/administration tasks.

If you really want to take the risk and have both capabilities assigned to your role, I recommend creating a new role in a sandbox/dev environment with those capabilities enabled and assigning this role to your user only, for you to run your tests. If it works as expected, then replicate it to the production environment.

For further information about the roles and capabilities assigned by default to each user, check the link below:

https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Rolesandcapabilities

I hope my answer can help you, if so, please accept this answer.

0 Karma

shocko
Contributor

Thanks @ivanreis for taking time to reply. I do agree that it's important to keep the cluster admin role assigned to true admins, but that said, a common request from teams is to allow them to see how much license their apps are consuming, as this is dynamic based on event logging etc.

0 Karma

ivanreis
Builder

Hi @shocko,

Now it is clearer what you want to achieve. My suggestion is:

- Create a new power user role and add the _internal index to be searchable on this role. The Splunk _internal index provides license information.

- Create a dashboard to get the license data from _internal, or check this app to see if it fits your needs: https://splunkbase.splunk.com/app/3178/

I hope this helps you solve your need.
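
A narrower variant of the role suggested in the reply above, as an added example that is not part of the original thread or of Splunk's shipped configuration. The role name `license_viewer` is hypothetical, and the example assumes the license master's `_internal` events are searchable from this search head.

```ini
# authorize.conf on the search head, e.g. in $SPLUNK_HOME/etc/system/local/
# Added example; the role name "license_viewer" is hypothetical.

# Broad variant, as suggested in the thread (left commented out):
# every capability of the power role, plus read access to everything
# in _internal (splunkd, scheduler and web access logs included).
#
# [role_license_power]
# importRoles = power
# srchIndexesAllowed = _internal

# Narrow variant: inherits no other role, may only search _internal,
# and a role-level search filter limits results to license usage events.
[role_license_viewer]
search = enabled
srchIndexesAllowed = _internal
srchIndexesDefault = _internal
srchFilter = source=*license_usage.log*

# Search for a dashboard panel this role can run. In license_usage.log
# events, "b" is bytes indexed and "idx" is the destination index:
#
#   index=_internal source=*license_usage.log* type=Usage
#   | timechart span=1d sum(b) AS bytes BY idx
```

Assign the role to a test account in a sandbox first, as recommended earlier in the thread, and confirm that a plain `index=_internal` search from that account returns only license usage events.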

shocko
Contributor

Thanks for the reply @ivanreis. Power user seems to have more privileges than needed, though. Is there no read role for this?

0 Karma