Security

Need Restricted Access(Read Only) to splunk user

Path Finder

I need to create a role which would grant access only to search bar and logout button. I don’t want a user with this role to look any other dropdowns like Settings, Messages, Activity or Help.

Under search App, I would like to make only Search Icon to be appeared, no any other icons like Pivot, Reports, Alerts or Dashboards.

I am also restricting this user to access only single index, I am trying to use below capabilities only:

[role_readaccess]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
get_metadata = enabled
list_inputs = enabled
search = enabled
srchIndexesAllowed = tcp_syslog
srchIndexesDefault = tcp_syslog
srchMaxTime = 0

I have checked the feasibility by using local.meta but couldn't get it. Can anyone please help me on above requirement?

I have also tried to change the permissions of Pivot from User Interface->Views->Pivot for read\write to only admin, no any read\write to everyone, in order to not the Pivot accessible to other users but it didn’t help.

1 Solution

Path Finder

You can create a stanza in a .meta file to e.g. restrict access to Manager to only be allowed by admin. In ~/etc/apps/search/metadata/default.meta you find a stanza named manager;

[manager]
access = read : [ * ], write : [ admin ]
export = system

Copy this to ~/etc/apps/search/metadata/local.meta and change read : [ * ] to read : [ admin ] like this;

[manager]
access = read : [ admin ], write : [ admin ]
export = system

NB: You will then also kill a user's ability to e.g. change password etc.

Without having this tested, I would guestimate the same approach would work for other elements in the GUI.

View solution in original post

Path Finder

To achieve the next requirement of having selected links on Search App, we can further edit same file like mentioned below:
$SPLUNK_HOME/etc/apps/search/metadata/local.meta

If we don't need Alerts and Pivots to be shown to another user than Admin then we can add below stanzas:

[views/alerts]
access = read : [ admin ], write : [ admin, power ]
export = system

[views/data_models]
access = read : [ admin ], write : [ admin, power ]
export = system

0 Karma

Path Finder

You can create a stanza in a .meta file to e.g. restrict access to Manager to only be allowed by admin. In ~/etc/apps/search/metadata/default.meta you find a stanza named manager;

[manager]
access = read : [ * ], write : [ admin ]
export = system

Copy this to ~/etc/apps/search/metadata/local.meta and change read : [ * ] to read : [ admin ] like this;

[manager]
access = read : [ admin ], write : [ admin ]
export = system

NB: You will then also kill a user's ability to e.g. change password etc.

Without having this tested, I would guestimate the same approach would work for other elements in the GUI.

View solution in original post

Path Finder

Hello. I am very sorry, but I now see there is a typo in my answer. I told you to copy the [manager] stanza from ~/etc/apps/search/metadata/local.meta. The correct answer is that you will find this stanza in ~/etc/apps/search/metadata/default.meta. I edited my answer to fix this.

Hope this clear things up 🙂

0 Karma

Path Finder

Regarding requirement on Search Application, I have found a way to remove unwanted icons by changing the XML at:
E:\Program Files\Splunk\etc\apps\search\default\data\ui\nav\default.xml
The new contents would be like:

By doing this I am able to get the required thing done, but this would become applicable to all users. I need to do the same for only a single user or role.

Regards,
Disha

0 Karma

Path Finder

Hi Dolxor,

Thabks for your response. I have checked the local.meta file on location $SPLUNK_HOME\etc\apps\search\metadata\local.meta but there was no predefined tag of [manager], so I created a new tag for it and write it in same suggeted way, and checked after restarting splunk services, it is now not showing anything while clicking Settings dropdown by anyother user, but it didn't serve my purpose as I am still unable to remove these items from Navigation Menu.

NB: I am using Splunk 6.0 version.

Regards,
Disha

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!