Security

How can users without read permission on the Search app change their password?

Path Finder

For a particular role, I disabled the read permission on the search app. The problem is that users with that role can't change their password; in Edit Account you can see nothing.

How can I disable the search app and continue to allow users with that role to change their settings?

0 Karma
1 Solution

Contributor

Hi,
The UIs for user password changes are stored by default within the "search" app, so when you remove read access to this app there is no way to render the UI for that user. Try copying the XML from the default search app, usually:
$SPLUNK_HOME/search/default/data/ui/manager/authentication_change_user_password.xml
to the default app set for the specific user role. Use the same path; create the "manager" dir if necessary.

This also assumes that your user role has the change_own_password capability set, as it seems like it was working before. Hopefully this should fix the issue for you.

Path Finder

It doesn't work. It seems Splunk uses only the page located under the search app; it doesn't search for "alternatives".

0 Karma

Contributor

I just did a quick test and it did work on my side. Notice that when you set a default app for the role, the URL automatically changes for that app. E.g.:
http://ursplunk/en-US/manager/**search**/authentication/changepassword/admin?action=edit
vs
http://ursplunk/en-US/manager/**launcher**/authentication/changepassword/test?action=edit

This is what I did if it can help:

  1. Created a new role "testr".
  2. Gave this role no read access to any apps except "launcher".
  3. Gave this role the exact same capabilities as the "user" role (did not inherit the role but explicitly selected the capabilities).
  4. Copied the XML file:
    cd $SPLUNK_HOME/etc/apps/launcher/default/data/ui/
    mkdir manager
    cd manager
    cp -v $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/authentication_change_user_password.xml .

  5. Added a user "test" and assigned the role "testr".
  6. Made sure "launcher" was set as his default app.
  7. Restarted Splunk: $SPLUNK_HOME/bin/splunk restart
  8. Logged in as the test user, tried "Edit Account", and was successfully presented the option to change.

Path Finder

You're right, I missed changing the default app. And since I'm on Linux I could create a soft link to authentication_change_user_password.xml.
Alternatively I could also add the link to all the apps the role can use and see, as well as the launcher one.
I think that if I have time I'll create a custom "Edit Account" page using the Python SDK, since the app is a Django app and we added custom user preferences.

0 Karma
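
The copy step from the walkthrough above, extended to every app a restricted role can see (as the last reply proposes), as an added example that is not part of the thread. It assumes the `$SPLUNK_HOME/etc/apps/<app>` layout used in the step-by-step post; `deploy_pw_ui` and `make_sample_home` are hypothetical names and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. REL is the path used in the answer above.
REL=default/data/ui/manager/authentication_change_user_password.xml

# deploy_pw_ui SPLUNK_HOME APP...
# Copy the search app's change-password page into each APP. Safe to re-run.
# Returns 0 only if every APP ends up with a copy identical to the search app's.
deploy_pw_ui() {
    home=$1; shift
    src="$home/etc/apps/search/$REL"
    [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
    rc=0
    for app in "$@"; do
        dst="$home/etc/apps/$app/$REL"
        if [ ! -d "$home/etc/apps/$app" ]; then
            echo "skip $app: app directory not found" >&2; rc=1
        elif [ -e "$dst" ] && ! cmp -s "$src" "$dst"; then
            # Never overwrite a page that someone has customised.
            echo "skip $app: existing file differs from the search app's" >&2; rc=1
        elif [ -e "$dst" ]; then
            echo "ok   $app: already in place"
        elif mkdir -p "${dst%/*}" && cp -p "$src" "$dst"; then
            echo "ok   $app: copied"
        else
            echo "fail $app: could not write $dst" >&2; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree (a stand-in for a real $SPLUNK_HOME) for a dry run.
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/apps/search/${REL%/*}" "$d/etc/apps/launcher/default" \
             "$d/etc/apps/myapp/${REL%/*}"
    echo '<endpoint name="constructed-sample"/>' > "$d/etc/apps/search/$REL"
    echo '<endpoint name="customised"/>' > "$d/etc/apps/myapp/$REL"
    echo "$d"
}

# Usage: sh deploy_pw_ui.sh "$SPLUNK_HOME" launcher myapp   (then restart Splunk)
if [ "$#" -ge 2 ]; then deploy_pw_ui "$@"; fi
```

A non-zero exit means at least one app was skipped, so the role may still land on an empty Edit Account page in that app.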

New Member

Thank you! Ran into this problem today while trying to restrict permissions for users to only have access to my app, but also have the ability to change their password. This worked great!

0 Karma