I have created a custom role that will serve as the admin role for a given application. For a dashboard object, I have a user that did not create the dashboard trying to 'add panel' to it and getting a permission denied although he is in the same role as the creator and that role has write rights to the object and to the app. The custom role does not inherit privileges from any other role. My id which has the Splunk admin role does have the ability to add the panel.
Is there an additional privilege needed in this case? I didn't see anything in authorize.conf that stuck out to me as needed for this scenario.
Thanks in advance,
Andrew
I spoke with one of the sales engineers who gave me a workaround to this issue.
If you explicitly change the permissions on the dashboard in question in the $SPLUNK_HOME/etc/apps/your-app/metadata/local.meta directory, you can get it to work.
FROM:
[views/sample_dashboard]
owner = user1
version = 4.2.1
TO:
[views/sample_dashboard]
access = read : [ * ], write : [ admin, power, CUSTOM ROLE]
owner = CUSTOM ROLE
version = 4.2.1
http://www.splunk.com/base/Documentation/latest/Developer/Step5SetPermissions
This works without the need to give admin_all_objects to the role. However, this is a bit of overhead as the admin will still need to get involved whenever new objects are created that need to be shared within the App. Avoiding this necessity was one of the main goals of creating the custom role. I don't think this is the way the functionality was intended to work unless I am missing something.
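An added example, not part of the original post and not Splunk tooling: a small audit that lists the view stanzas in a local.meta body that a given role cannot write to, so objects needing the explicit access line described above can be found in one pass. The role name app_admin, the sample file contents, and the fallback order (object stanza, then type stanza, then the global [] stanza) are assumptions; it reads one file's text and does not merge default.meta.

```python
import re

# Constructed sample modelled on the FROM/TO stanzas in the post; app_admin
# is a hypothetical name standing in for the post's "CUSTOM ROLE".
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]

[views/sample_dashboard]
owner = user1
version = 4.2.1

[views/fixed_dashboard]
access = read : [ * ], write : [ admin, power, app_admin ]
owner = app_admin
version = 4.2.1
"""

def parse_meta(text):
    """Return {stanza_name: {key: value}} for a .meta file body."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def write_roles(access):
    """Extract the role names from the write clause of an access line."""
    m = re.search(r"write\s*:\s*\[([^\]]*)\]", access)
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()

def effective_access(stanzas, name):
    """Assumed fallback: object stanza, then its type stanza, then []."""
    for candidate in (name, name.split("/")[0], ""):
        if "access" in stanzas.get(candidate, {}):
            return stanzas[candidate]["access"]
    return ""

def views_not_writable_by(text, role):
    """View stanzas whose effective write list omits the role (and *)."""
    stanzas = parse_meta(text)
    return sorted(
        name for name in stanzas
        if name.startswith("views/")
        and not {role, "*"} & write_roles(effective_access(stanzas, name))
    )
```

Calling views_not_writable_by on the contents of an app's metadata/local.meta with the custom role's name returns the dashboards that still fall back to a write list that excludes it.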
Add the access line to the object and give write access to the custom role.
I thought you had already done this via the UI for the view in question. From your original question:
"and that role has write rights to the object and to the app"
Even with the 'schedule_search' capability assigned to your custom role, I believe that your custom role will not be able to edit views that were created by another user unless they have the 'admin_all_objects' capability, inherit from the admin role or have the same read/write permissions as the role that created the view. With the 'schedule_search' capability, your custom role will be able to create dashboards and saved searches and edit only those that were created by the custom role.
I do not see any errors in the splunkd.log on that logger.
Do you see any errors in splunkd.log on the PropertiesMapConfig logger channel related to this failure to edit?
Yes, it does seem to override other permissions. My Splunk instance has a role that is not admin and does not inherit admin but is able to save searches and create dashboards. Also, it is not able to tamper with any dashboards or saved searches created by the admin role. Maybe it will help if you give your custom role the 'schedule_search' capability.
Thanks for responding.
Doesn't admin_all_objects give rights to update/modify objects in All Apps, not just the ones that the role allows? It seems like it overwrites the read/write permissions granted in the 'Manage apps.. -> Permissions' screen.
Ok I see. As you do not want it to inherit from admin role then check these links:
http://www.splunk.com/base/Documentation/4.2.1/Admin/Addandeditroles
http://www.splunk.com/base/Documentation/4.2.1/Admin/authorizeconf
I believe that you will need to give your custom defined role the 'admin_all_objects' and 'search' capabilities so that they can add/create/modify all objects and run searches.
The issue is that if it inherits from admin, it gets all admin rights, like user controls and restart of the app etc where I just want them to have add/create/modify of all objects defined in the app.
Maybe this problem can be resolved if you just let the custom role inherit the privileges of the admin role.
The user can view but not update the xml file directly. Upon save, there is a similar non-authorized error.
Is the non-owner user able to view and edit the dashboard XML directly via Manager > User interface > Views?