Security

How to stop a read-only user from deleting knowledge objects (ie. reports)?

mikeydee
Explorer

I was surprised to find that a user with read-only permissions can delete a report. Surely my Splunk set up is incorrect?

I have an App representing a collection of related reports, alerts, dashboards, etc.

  1. Authorized users with no special permissions can create and edit their reports in this App (happy days).
  2. A separate user that we call "summariser" has permissions for all apps and is used to create and run summary index populating activities. We do this separately so that we can give the summariser special resource allowances. Up until now, these reports were private, which is an issue as the ordinary users would like to see what is in the SI populating searches so they can suggest changes, etc.

So, I changed the permissions to make the SI populating reports as shared in App and read-only by the App User's role. This does seem to work as it becomes readable, runnable, and yet not saveable. This is exactly what I want but what surprised me is that the read-only user can DELETE the report.

Surely delete should be considered a WRITE operation and not visible, or perhaps some other interaction is allowing this.

Please help me fix this.

Note: This is on Splunk Enterprise 8.0.3 having just upgraded from 7.2.4 3 days ago... perhaps it is a bug?

Labels (1)
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...