Security

How to stop a read-only user from deleting knowledge objects (ie. reports)?

mikeydee
Explorer

I was surprised to find that a user with read-only permissions can delete a report. Surely my Splunk set up is incorrect?

I have an App representing a collection of related reports, alerts, dashboards, etc.

  1. Authorized users with no special permissions can create and edit their reports in this App (happy days).
  2. A separate user that we call "summariser" has permissions for all apps and is used to create and run summary index populating activities. We do this separately so that we can give the summariser special resource allowances. Up until now, these reports were private, which is an issue as the ordinary users would like to see what is in the SI populating searches so they can suggest changes, etc.

So, I changed the permissions to make the SI populating reports as shared in App and read-only by the App User's role. This does seem to work as it becomes readable, runnable, and yet not saveable. This is exactly what I want but what surprised me is that the read-only user can DELETE the report.

Surely delete should be considered a WRITE operation and not visible, or perhaps some other interaction is allowing this.

Please help me fix this.

Note: This is on Splunk Enterprise 8.0.3 having just upgraded from 7.2.4 3 days ago... perhaps it is a bug?

Labels (1)

tobiasgoevert
Engager

Hello Mikeydee, 

 

i have exactly the same issue/problem in our splunk environment.

Do you have a solution for this yet? 

 

Regards, 

Tobias

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...