I am trying to restrict permissions to role/user.
I have created a new role not inherited from any default roles. I created an app to share with the new role, and the app requires a kvstore lookup (permission granted to the role in the search app for this kvstore lookup) to populate inputs in dashboards, but the kvstore lookup is created in the search app, which the role doesn't have access to.
I tried moving the collection and transforms to the newly created app; still the dashboard is not working.
Please share your ideas on how to achieve this.
Thanks in advance.
You need to set the permissions of the collections from the search head in Lookup sections. Set the permissions of the collection to be accessible by the new role.
Alternatively, object permissions are set in the metadata folder of the app. So you might need to copy the section which defines the permissions of the KV store collections and put it into the new app.
A sample entry in the .meta file will be similar to

    [transforms/my_collection]
    access = read : [ * ], write : [ * ]
    export = system
    owner = admin
    version = 7.1.1

Alright! So let's try to make it work.
So far, you have an app to segregate user permissions and a new role is created and assigned to this app. All the dashboards are moved to this app and users are able to access the dashboards.
If you want your users to use your lookups which are created in kvstore, you need to have this definition in transforms.conf and collections.conf under this app. In addition to this, we need to give them permissions to use these collections, which is done either by using Splunk Web to look for these collections and set the permissions, or by using the metadata file. The easiest way to troubleshoot is to simulate this by creating a new user and adding the new role. Let us know the error you are getting while accessing the dashboard/lookup.
Yes, I created a role and assigned a few users, and created a test user and added the test user to this role to test access.
After that I created an app and gave the newly created role access to the app. I am able to see the app and dashboards, but the only problem is with lookups.
I have shared the collections and transforms lookup, which are in the search app context in all configurations, to the newly created role and set "object should appear in" to all apps (global).
As you suggested, I have copied the metadata of the collections and transforms lookup to the newly created app, which is shared to the newly created role. Still no luck.
I have tested this with test user.
I found a strange issue with kvstore lookup while testing your issue. Just to confirm, can you check if the default folder of the search app, i.e. etc/apps/search/default, has your collections.conf file? If it's not present, can you copy your collections.conf to that as well and try.
It's in the local folder of the search application.
I don't think we can create a duplicate object in Splunk; though there is an option to create it using the file system, there could be some issues. The transform definition doesn't know where to read and write from/to wrt.
As mentioned earlier, try copying/moving it to the default folder and try. You are not creating any duplicate objects but just the configuration. Splunk has an internal mechanism for file precedence. So even though you have duplicate configuration files, Splunk knows how to handle it. Reference: http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Wheretofindtheconfigurationfiles
Let us know if it works.
Moved it to
tried accessing by user "test" part of newly created role, still not working.
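
Added example, not part of the original thread and not Splunk's own code: a small checker for the `.meta` permissions discussed above. It applies the layering described in Splunk's default.meta.conf spec (read access is needed on the app stanza `[]`, the category stanza, and the object stanza) and reports which layer denies a role. The role name `restricted_role`, the sample file contents, and the choice to treat a layer with no `access` line as non-restricting are assumptions.

```python
import re

# Constructed sample of an app's metadata/local.meta.
# The role name and object names are hypothetical.
SAMPLE_META = """\
[]
access = read : [ restricted_role, admin ], write : [ admin ]

[collections/my_collection]
access = read : [ restricted_role ], write : [ admin ]
export = system

[transforms/my_collection]
access = read : [ admin ], write : [ admin ]
export = system
"""

def parse_meta(text):
    """Parse .meta text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def roles_for(access, perm):
    """Extract the role set for 'read' or 'write' from an access value."""
    m = re.search(perm + r"\s*:\s*\[([^\]]*)\]", access)
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()

def blocked_layers(stanzas, obj, role):
    """Return the stanzas (app, category, object) whose ACL denies `role` read."""
    category = obj.split("/", 1)[0]
    blocked = []
    for layer in ("", category, obj):
        access = stanzas.get(layer, {}).get("access")
        if access is None:
            continue  # assumption: no ACL at this layer adds no restriction
        readers = roles_for(access, "read")
        if "*" not in readers and role not in readers:
            blocked.append(f"[{layer}]")
    return blocked
```

Run it against the `.meta` files of both the app that owns the collection and the app that holds the dashboards, checking the `collections/...` and `transforms/...` stanzas for the test user's role.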