Security

Is there a way to hide or disable "Manage Apps" and "Open in Search" on a dashboard from users with a restricted role?

flee
Path Finder

Hi. We have users with a restricted role. When that user logs in, we'd like to hide/disable "Manage Apps" and "Search & Reporting" apps from the App dropdown list. Also, we'd like to hide/disable "Open in Search" option from each panel on a dashboard. Is there a way to hide/disable those? Thanks for your help!

1 Solution

David
Splunk Employee
Splunk Employee

In addition to the controls that somesoni2 mentioned, you can also hide the Manage Apps menu altogether on a dashboard. I tested this out by creating a new css file at $SPLUNK_HOME/etc/apps/mytestapp/appserver/static/hidemanageapps.css (I had to create the appserver/static directory since it didn't exist by default). Then I added the following text into hidemanageapps.css:

.menu-apps {display: none !important;}

In my dashboard, I added a stylesheet="hidemanageapps.css" into the form element and then restarted Splunk. After that, I was able to go to the page and the manage apps dropdown didn't appear. It's important to make sure that users don't have access to this, in addition to hiding the menu, as we don't want security by obscurity. The approach detailed by somesoni2 will meet that need; in my environment, I was also able to prevent users from getting access to anything undesirable by just inheriting the user role, but you can take whatever approach works the best for you (I have no doubt that there are benefits to the more detailed method).

Update: if you just want to hide the last part of the list (i.e., allow users to choose apps, but not see the manage apps part), you can use the following CSS:

.menu-apps ul {display: none;}
.menu-list {display: block !important;}

View solution in original post

jeffland
SplunkTrust
SplunkTrust

For anyone on recent Splunk versions (6.5 at least), David's solution for hiding the app drawer will no longer work as the CSS classes have changed. You can use the following selector to hide the entire app drawer:

div[data-role="left-nav"]

These will select the lower portion (Manage Apps and Find More Apps):

a[data-role="manage-apps"], a[data-role="more-apps"]

You might be interested in the hideAppBar attribute for dashboard and tag elements in Simple XML as well (docs).

0 Karma

jackreeves
Explorer

Hi,

Where do I add the hideAppBar? Can this be added to the xml in an Apps navigation menu?

Thanks

0 Karma

jeffland
SplunkTrust
SplunkTrust

It's not in the navigation menu, it's an attribute of dashboard and form elements in Simple XML dashboards, they look like this:

<dashboard hideAppBar="true">
  <label>...

You can also pass it in the url. Docs here.

0 Karma

jackreeves
Explorer

Thanks the prompt reply.

So I can't app this on an App by App basis only on Dashboard by Dashboard?

Thanks

0 Karma

jeffland
SplunkTrust
SplunkTrust

Not with this method. You can use dashboard.css (a file that is loaded on every dashboard in an app) and use that to hide the items from view however.

0 Karma

hbacbs
Explorer

I tried this with no success. (6.3.3)

and the file hidemanageapps.css
a[data-role="manage-apps"]{display: none;}, a[data-role="more-apps"]{display: block !important;}

"Manage Apps" is still visible and results to 404.

0 Karma

jeffland
SplunkTrust
SplunkTrust

If the file gives you a 404, then either you have not restarted splunk web or the file is in the wrong place. It obviously can't hide the elements that way.
You can check if the selector works in your splunk version (I don't have 6.3 at my hands at the moment) by using the debugging tools of your browser (typically, F12): alt text

0 Karma

David
Splunk Employee
Splunk Employee

In addition to the controls that somesoni2 mentioned, you can also hide the Manage Apps menu altogether on a dashboard. I tested this out by creating a new css file at $SPLUNK_HOME/etc/apps/mytestapp/appserver/static/hidemanageapps.css (I had to create the appserver/static directory since it didn't exist by default). Then I added the following text into hidemanageapps.css:

.menu-apps {display: none !important;}

In my dashboard, I added a stylesheet="hidemanageapps.css" into the form element and then restarted Splunk. After that, I was able to go to the page and the manage apps dropdown didn't appear. It's important to make sure that users don't have access to this, in addition to hiding the menu, as we don't want security by obscurity. The approach detailed by somesoni2 will meet that need; in my environment, I was also able to prevent users from getting access to anything undesirable by just inheriting the user role, but you can take whatever approach works the best for you (I have no doubt that there are benefits to the more detailed method).

Update: if you just want to hide the last part of the list (i.e., allow users to choose apps, but not see the manage apps part), you can use the following CSS:

.menu-apps ul {display: none;}
.menu-list {display: block !important;}

lakromani
Builder

This is an ugly hack. You modify the original Splunk application. This should be done using an app, or even better there should be a built in setting to configure this.

0 Karma

somesoni2
Revered Legend

My suggestion would go like this

1) Create a read-only user role with following capabilities
change_own_password
get_metadata
rest_properties_get
scheduled_rtsearch
search

Assign this role to all your restricted users
This will ensure "Manage Apps" link is disabled (users will receive access denied error.
2) Ensure all apps/knowledge object should have only read permissions to this role.
3) For each custom dashboard panel (chart/table) where users are seeing "Open in search", set attribute "link.openSearch.visible" to false (default it true). See below link for more details.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML

sidekix24
Path Finder

somesoni2,

This is basically an all or nothing setting, correct? Where you have to make the adjustment in XML in the dashboard/chart to hide this option. You can set it up where the "open in search" is available for some users and disabled for others?

Thanks

0 Karma

somesoni2
Revered Legend

The disable "open in search" using "link.openSearch.visible" to false, is applicable for all users, regardless of roles. (so is the css option).

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...