Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a user with only ad-hoc searches permission?

syadavsplunk
Observer
‎03-17-2023 02:41 AM

Hi Splunk Experts

I have a set of set of users whom I just want them to allow only run ad-hoc searches. I don't want them to creating dashboard, reports and alerts. 

How it can be achievable ?

Any pointers to document will be helpful. 

Thanks in advance

Santosh 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-18-2023 10:57 AM

To restrict a user from scheduling searches, create a role without schedule_search capabilty.

I can't think of a way to really forbid a user from running an ad-hoc report or dashboard since they are based on as-hoc searches. You could try to remove user's edit_own_objects capability to forbid user from creating own dashboards and reports (for the ones created by others or coming from the apps you could simply revoke permissions for user's role) but I'm not sure what you'll end up with in terms of such role's usefullness.

0 Karma
Reply

syadavsplunk
Observer
‎03-22-2023 09:13 AM

Thank you @PickleRick 

as per document  https://docs.splunk.com/Documentation/Splunk/9.0.4/Security/Rolesandcapabilities  

edit_own_objects capability is already disabled for user role but still user will be able to create private dashboards in $SPLUNK_HOME/etc/users/<userhome> directory.  We clean this directory manually right now. 

We are looking for this role as a "read-only user who can run dashboard created by other power user and run searches". A typical requirement for support team. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-22-2023 10:42 AM

I don't think that's possible. You can try to make it more difficult for the user to create dashbboards. You could just fiddle with permissions and set some custom app as his default one. He could have just a search window and some pre-defined reports. It is most probably bypassable one way or another but still better than nothing. If you want to have a "strictly read-only" user (for example for compliance reasons), I'm not sure it's possible.

0 Karma
Reply

tscroggins
Influencer
‎03-18-2023 09:57 AM

@syadavsplunk 

Hi,

I don't recommend this as a production solution, but for exploration's sake, this may be possible on a self-hosted instance by preventing Splunk from writing private configuration settings to the user's Splunk home directory. For example, to prevent Splunk from writing to savedsearches.conf in the search app:

sudo chown root:root $SPLUNK_HOME/etc/users/<username>/search/local/savedsearches.conf
sudo chmod 0000 $SPLUNK_HOME/etc/users/<username>/search/local/savedsearches.conf

This assumes that Splunk is running as a non-root user and can't otherwise restore permissions without a system administrator's intervention.

When the user attempts to save a report, they'll receive an error message:

In handler 'savedsearch': Data could not be written: /<username>/search/savedsearches/<name>/search: ...

 I do recommend contacting Splunk support or your Splunk account manager for further guidance.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...