- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Is there a capability that will allow me to only l...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a capability that will allow me to only list user accounts via the REST Endpoint and not modify or delete them?
Looking to audit user accounts on a number of Splunk systems, but I don't want to have to have admin level permissions to do this. Looking for a capability that is built in that I can use to create a role that will then allow me to list user accounts without having the ability to modify or delete them. Has anyone done this before? I know there is a capability called "edit_user" but I was hoping for one called "list_user".
http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Rolesandcapabilities
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Look at capability capability::rest_properties_get and capability::rest_properties_set. I guess if you create a capability same as "user" role minus the capability::rest_properties_set, it should allow only read access to REST API Endpoints. (haven't tried).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As somesoni said already,
I would also point you at capabilities like
rest_....
or
list_....
Additionally I can provide you with a search that will help you list the current users and their capabilities:
| rest /services/authentication/users splunk_server=* | dedup title | fields title roles | rename title AS User roles AS Role
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already have a search that will do this. Unfortunately the answer he had won't work. Those capabilities are for a different REST endpoint.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why wouldn't it work? You can specify different rest endpoints using the splunk_server=....
The other endpoint just needs to be in the distributed search config.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to: http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Rolesandcapabilities
The capabilities rest_properties_set and rest_properties_get are used for the services/properties endpoint.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately that wouldn't work. Those capabilities are for the /services/properties. I'm looking to hit the /services/authentication/ endpoint.
Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts
Video | Tom’s Smartness Journey Continues
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
