Security

Permissions on dashboards for a custom defined role

avlahutin
Explorer

I have created a custom role that will serve as the admin role for a given application. For a dashboard object, I have a user that did not create the dashboard trying to 'add panel' to it and getting a permission denied although he is in the same role as the creator and that role has write rights to the object and to the app. The custom role does not inherit privileges from any other role. My id which has the Splunk admin role does have the ability to add the panel.

Is there an additional privilege needed in this case? I didn't see anything in authorize.conf that stuck out to me as needed for this scenario.

Thanks in advance,

Andrew

0 Karma
1 Solution

avlahutin
Explorer

I spoke with one of the sales engineers who gave me a work around to this issue.

If you explicitly change the permissions on the dashboard in question in the $SPLUNK_HOME/etc/apps/your-app/metadata/local.meta directory, you can get it to work.

  1. Add the access line to the object and give write access to the custom role.
  2. Change the ownership of the object to the role rather than the user that created the dashboard.

FROM:
[views/sample_dashboard]
owner = user1
version = 4.2.1

TO:
[views/sample_dashboard]
access = read : [ * ], write : [ admin, power, CUSTOM ROLE ]
owner = CUSTOM ROLE
version = 4.2.1

http://www.splunk.com/base/Documentation/latest/Developer/Step5SetPermissions

This works without the need to give admin_all_objects to the role. However, this is a bit of overhead as the admin will still need to get involved whenever new objects are created that need to be shared within the App. Avoiding this necessity was one of the main goals of creating the custom role. I don't think this is the way the functionality was intended to work unless I am missing something.


0 Karma
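The workaround above is a manual edit that has to be repeated for every new object. An administrator who wants to know which objects in an app's local.meta still lack write access for the custom role can check that mechanically. The script below is an added example, not code from the thread or from Splunk: it assumes only the stanza layout shown in the post (`owner = ...` and `access = read : [ ... ], write : [ ... ]`), uses a constructed sample file in place of a real `$SPLUNK_HOME/etc/apps/your-app/metadata/local.meta`, and uses `app_admin` as a placeholder for the custom role name.

```python
import configparser
import re

# Constructed sample local.meta, modelled on the stanzas quoted in the thread.
# Objects with no access line, or whose write list omits the role, are the ones
# the admin would otherwise have to fix by hand.
SAMPLE_LOCAL_META = """
[views/sample_dashboard]
owner = user1
version = 4.2.1

[views/shared_dashboard]
access = read : [ * ], write : [ admin, power, app_admin ]
owner = app_admin
version = 4.2.1

[savedsearches/daily_report]
access = read : [ * ], write : [ admin ]
owner = user2
version = 4.2.1
"""

# Matches each "read : [ ... ]" / "write : [ ... ]" clause of an access value.
ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_access(value):
    """Turn 'read : [ * ], write : [ admin, power ]' into {'read': [...], 'write': [...]}."""
    result = {"read": [], "write": []}
    for kind, names in ACCESS_RE.findall(value or ""):
        result[kind] = [n.strip() for n in names.split(",") if n.strip()]
    return result


def load_meta(text):
    """Parse *.meta text (INI-like) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def objects_not_writable_by(meta, role):
    """List stanzas the given role cannot write, with their owner and current write list.

    A missing access line means no explicit write grant, so it is reported too.
    """
    findings = []
    for stanza, keys in meta.items():
        write = parse_access(keys.get("access"))["write"]
        if role not in write and "*" not in write:
            findings.append({"object": stanza, "owner": keys.get("owner", ""), "write": write})
    return findings


def grant_write(meta, stanza, role, make_owner=False):
    """Return a corrected copy of one stanza: add the role to the write list (step 1 of the
    workaround) and optionally make the role the owner (step 2). Nothing is written to disk.
    """
    keys = dict(meta[stanza])
    access = parse_access(keys.get("access"))
    if not access["read"]:
        access["read"] = ["*"]
    if role not in access["write"]:
        access["write"].append(role)
    keys["access"] = "read : [ %s ], write : [ %s ]" % (
        ", ".join(access["read"]), ", ".join(access["write"]))
    if make_owner:
        keys["owner"] = role
    return keys


if __name__ == "__main__":
    meta = load_meta(SAMPLE_LOCAL_META)
    for f in objects_not_writable_by(meta, "app_admin"):
        print("%s (owner=%s) write=%s" % (f["object"], f["owner"], f["write"]))
        fixed = grant_write(meta, f["object"], "app_admin", make_owner=True)
        print("  proposed: access = %s ; owner = %s" % (fixed["access"], fixed["owner"]))
```

The script only reports and prints the proposed stanza; applying it still means editing local.meta (or using the permissions UI) and restarting or reloading as appropriate, which keeps the change visible and reviewable rather than silently rewriting metadata.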


ewoo
Splunk Employee

Add the access line to the object and give write access to the custom role.

I thought you had already done this via the UI for the view in question. From your original question:

and that role has write rights to the object and to the app

0 Karma

Ant1D
Motivator

Even with the 'schedule_search' capability assigned to your custom role, I believe that your custom role will not be able to edit views that were created by another user unless they have the 'admin_all_objects' capability, inherit from the admin role, or have the same read/write permissions as the role that created the view. With the 'schedule_search' capability, your custom role will be able to create dashboards and saved searches and edit only those that were created by the custom role.

0 Karma

avlahutin
Explorer

I do not see any errors in the splunkd.log on that logger.

0 Karma

ewoo
Splunk Employee

The user can view but not update the xml file directly. Upon save, there is a similar non-authorized error.

Do you see any errors in splunkd.log on the PropertiesMapConfig logger channel related to this failure to edit?

0 Karma

Ant1D
Motivator

Yes, it does seem to override other permissions. My Splunk instance has a role that is not admin and does not inherit admin but is able to save searches and create dashboards. Also, it is not able to tamper with any dashboards or saved searches created by the admin role. Maybe it will help if you give your custom role the 'schedule_search' capability.

0 Karma

avlahutin
Explorer

Thanks for responding.

Doesn't admin_all_objects give rights to update/modify objects in All Apps, not just the ones that the role allows? It seems like it overwrites the read/write permissions granted in the 'Manage apps.. -> Permissions' screen.

0 Karma

Ant1D
Motivator

Ok I see. As you do not want it to inherit from admin role then check these links:
http://www.splunk.com/base/Documentation/4.2.1/Admin/Addandeditroles
http://www.splunk.com/base/Documentation/4.2.1/Admin/authorizeconf
I believe that you will need to give your custom defined role the 'admin_all_objects' and 'search' capabilities so that they can add/create/modify all objects and run searches.

0 Karma

avlahutin
Explorer

The issue is that if it inherits from admin, it gets all admin rights, like user controls and restart of the app etc where I just want them to have add/create/modify of all objects defined in the app.

0 Karma

Ant1D
Motivator

Maybe this problem can be resolved if you just let the custom role inherit the privileges of the admin role.

0 Karma

avlahutin
Explorer

The user can view but not update the xml file directly. Upon save, there is a similar non-authorized error.

0 Karma

ewoo
Splunk Employee

Is the non-owner user able to view and edit the dashboard XML directly via Manager > User interface > Views?

0 Karma