How to stop a read-only user from deleting knowledge objects (ie. reports)?


I was surprised to find that a user with read-only permissions can delete a report. Surely my Splunk set up is incorrect?

I have an App representing a collection of related reports, alerts, dashboards, etc.

  1. Authorized users with no special permissions can create and edit their reports in this App (happy days).
  2. A separate user that we call "summariser" has permissions for all apps and is used to create and run summary index populating activities. We do this separately so that we can give the summariser special resource allowances. Up until now, these reports were private, which is an issue as the ordinary users would like to see what is in the SI populating searches so they can suggest changes, etc.

So, I changed the permissions to make the SI populating reports as shared in App and read-only by the App User's role. This does seem to work as it becomes readable, runnable, and yet not saveable. This is exactly what I want but what surprised me is that the read-only user can DELETE the report.

Surely delete should be considered a WRITE operation and not visible, or perhaps some other interaction is allowing this.

Please help me fix this.

Note: This is on Splunk Enterprise 8.0.3 having just upgraded from 7.2.4 3 days ago... perhaps it is a bug?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...