Read-Only role/user

phpguy_80 · ‎07-16-2021

How to make a read-only user/role?

Try to make a new role, but it inherited capabilities from defaults roles. Any suggestions?

gcusello · ‎07-16-2021

Hi @phpguy_80,

it's easy, don't use inheritaton, give to your new user only the requested capabilities without using inheritation.

Ciao.

Giuseppe

phpguy_80 · ‎07-17-2021

Oh okay, thought I had to select an existing role, I didn't realize I could just skip that part 🙂

So now, which capabilities should I select to allow for a read-only role?

gcusello · ‎07-17-2021

Hi @phpguy_80,

in few words, Splunk don't permit to modify indexed data, so you have only to disable (or not enable) capabilities as knowledge objects creation or modify and log delete.

So you could start to enable:

change_own_password
rtsearch (only if user must be enabled to Real Time Searches)
search

I don't know what your Apps contain, so e.g. if you have a dashboard that lists Deployment Clients using a REST command, you have to enable a specific feature as "rest_properties_get".

As I said, remember to enable the correct Indexes.

Ciao.

Giuseppe

venkatasri · ‎07-17-2021

Hi @phpguy_80

under capabilities tab you can select 'search' for read only to selected indexes. 'schedule_search' if you wish allow the user to schedule searches. Created role shall be assigned to user you wish to allow read permissions.

---

An upvote would be appreciated if this reply helps!

gcusello · ‎07-17-2021

Hi @phpguy_80,

when you create a new role, skip the first tab (Inheritance) and go directly the the second one (Capabilities), enabling the ones you need.

Remember to enable Indexes otherwise this role will not see anything!

Ciao.

Giuseppe

Read-Only role/user

other

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!