How to stop a read-only user from deleting knowledge objects (ie. reports)?


I was surprised to find that a user with read-only permissions can delete a report. Surely my Splunk set up is incorrect?

I have an App representing a collection of related reports, alerts, dashboards, etc.

  1. Authorized users with no special permissions can create and edit their reports in this App (happy days).
  2. A separate user that we call "summariser" has permissions for all apps and is used to create and run summary index populating activities. We do this separately so that we can give the summariser special resource allowances. Up until now, these reports were private, which is an issue as the ordinary users would like to see what is in the SI populating searches so they can suggest changes, etc.

So, I changed the permissions to make the SI populating reports as shared in App and read-only by the App User's role. This does seem to work as it becomes readable, runnable, and yet not saveable. This is exactly what I want but what surprised me is that the read-only user can DELETE the report.

Surely delete should be considered a WRITE operation and not visible, or perhaps some other interaction is allowing this.

Please help me fix this.

Note: This is on Splunk Enterprise 8.0.3 having just upgraded from 7.2.4 3 days ago... perhaps it is a bug?

Labels (1)
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.