Security

How to create a user with only ad-hoc searches permission?

syadavsplunk
Observer

Hi Splunk Experts

I have a set of set of users whom I just want them to allow only run ad-hoc searches. I don't want them to creating dashboard, reports and alerts. 

How it can be achievable ?

Any pointers to document will be helpful. 

Thanks in advance

Santosh 

Labels (1)
Tags (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

To restrict a user from scheduling searches, create a role without schedule_search capabilty.

I can't think of a way to really forbid a user from running an ad-hoc report or dashboard since they are based on as-hoc searches. You could try to remove user's edit_own_objects capability to forbid user from creating own dashboards and reports (for the ones created by others or coming from the apps you could simply revoke permissions for user's role) but I'm not sure what you'll end up with in terms of such role's usefullness.

0 Karma

syadavsplunk
Observer

Thank you @PickleRick 

as per document  https://docs.splunk.com/Documentation/Splunk/9.0.4/Security/Rolesandcapabilities  

edit_own_objects capability is already disabled for user role but still user will be able to create private dashboards in $SPLUNK_HOME/etc/users/<userhome> directory.  We clean this directory manually right now. 

We are looking for this role as a "read-only user who can run dashboard created by other power user and run searches". A typical requirement for support team. 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

I don't think that's possible. You can try to make it more difficult for the user to create dashbboards. You could just fiddle with permissions and set some custom app as his default one. He could have just a search window and some pre-defined reports. It is most probably bypassable one way or another but still better than nothing. If you want to have a "strictly read-only" user (for example for compliance reasons), I'm not sure it's possible.

0 Karma

tscroggins
Influencer

@syadavsplunk 

Hi,

I don't recommend this as a production solution, but for exploration's sake, this may be possible on a self-hosted instance by preventing Splunk from writing private configuration settings to the user's Splunk home directory. For example, to prevent Splunk from writing to savedsearches.conf in the search app:

sudo chown root:root $SPLUNK_HOME/etc/users/<username>/search/local/savedsearches.conf
sudo chmod 0000 $SPLUNK_HOME/etc/users/<username>/search/local/savedsearches.conf

This assumes that Splunk is running as a non-root user and can't otherwise restore permissions without a system administrator's intervention.

When the user attempts to save a report, they'll receive an error message:

In handler 'savedsearch': Data could not be written: /<username>/search/savedsearches/<name>/search: ...

 I do recommend contacting Splunk support or your Splunk account manager for further guidance.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...