Security

New Role Unable to change permissions on saved reports

rlaan
Path Finder

I am attempting to allow for a more granular access to our indexes, i have been attempting to remove the use of the default admin,power,user roles. (which include all non-internal splunk indexes)

The new idea is to have the capabilities of the default roles added into new roles or capabilities groups, with no ability to view indexes associated to them.
capabilities-user
capabilities-power
capabilities-admin

In addition various view roles have been created with no capabilities, they only include access to view indexes adding groups of indexes in a single role, or allowing for a specific user to access 1 index.
view-base hire
view-base security clearance
view-index 5

The issue i have encountered is when assigning a new role with capabilities-user, which i have created with slighty more restricted capabilities then the normal user role, my new role (capabilities-user) is unable to edit the permissions on the saved searches it creates.

I have seen some sites mention not to edit/modify the base user roles, and i wanted to know if it is safe to remove the view all non-internal indexes from the default roles.

My tests showed that if i inherit the base user role to my newer modular role , ex. capabilities-user would inherit user, this allows the users of new role to once again edit the permissions of their saved searches.

What is unique about the default "user" role and why are the abilities to edit your own report permissions not included in the capabilities-user i have created, is their a way to get this functionality without inheriting the default roles?

0 Karma
1 Solution

rlaan
Path Finder

I have managed to get the newly created capabilities roles functioning as expected. the missing component was going into the search application and granting the new roles write access to the application. I am still in the process of searching for documentation outlining the potential impact of allowing write access to an app.

View solution in original post

rlaan
Path Finder

I have managed to get the newly created capabilities roles functioning as expected. the missing component was going into the search application and granting the new roles write access to the application. I am still in the process of searching for documentation outlining the potential impact of allowing write access to an app.

Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...