Role capabilities

Influencer

All,

Is it possible to give certain roles the ability to control users. I do not want to give this role admin rights, but I want them to add users.

I have tried the capabilities of "edit_user" and "edit_roles" but it doesn't appear to do much really, is there something I am missing...

Cheers,

MHibbin

1 Solution

Splunk Employee

So there are two steps to making this work. First you need to add a local.meta file (or update the one you already have, if that's the case). Then you need to give the edit_user capability to the role that you want to enable to add users.

To start, go into $SPLUNK_HOME/etc/apps//metadata/ and add a new file called local.meta (if one doesn't already exist). In this file add this stanza:

[manager/accesscontrols]
access = read : [ admin ], write : [ admin ]

Now, that stanza is what you already have in default.meta; it controls the ability of a role to see the "Access controls" pages in Manager. To enable another role to get to those pages, add it to the "read" side of the equation. For example:

[manager/accesscontrols]
access = read : [ admin, power ], write : [ admin ]

If you want all roles to be able to access the Access controls pages, do this:

[manager/accesscontrols]
access = read : [ * ], write : [ admin ]

After you do this & save your changes, restart Splunk. Remember to make your changes in local.meta, not default.meta.

Next, as an admin, go into Manager > Access controls > Roles and give the role in question (power, user, whatever) the edit_user capability. This enables the role to actually add users. After you save your changes, a person with that role should be able to go to the Users page in Manager and add more users. (Note that that person will be unable to change role definitions unless their role is granted the edit_roles capability as well.)

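As an added example (not code from the thread or from Splunk), a small Python checker for the access lines described in the answer above: it parses the `access = read : [ ... ], write : [ ... ]` syntax shown in the stanzas, answers whether a given role can see a resource, and flags any `*` grant so that a broad read grant on the Access controls page, or worse a `*` on the write side, is noticed before the file ships. The stanza text below is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample local.meta: the stanza from the answer with the
# wildcard read grant, plus one ordinary stanza for contrast.
SAMPLE_META = """
[manager/accesscontrols]
access = read : [ * ], write : [ admin ]

[views/some_dashboard]
access = read : [ admin, power ], write : [ admin ]
"""

# Matches each "read : [ a, b ]" / "write : [ c ]" clause on an access line.
ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse .meta stanzas into {stanza: {"read": [...], "write": [...]}}."""
    stanzas: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {"read": [], "write": []}
        elif current and line.lower().startswith("access"):
            clauses = line.split("=", 1)[1]
            for mode, roles in ACCESS_RE.findall(clauses):
                stanzas[current][mode] = [r.strip() for r in roles.split(",") if r.strip()]
    return stanzas


def role_allowed(stanzas, stanza: str, role: str, mode: str = "read") -> bool:
    """True if the role (or the '*' wildcard) is listed for that mode."""
    roles = stanzas.get(stanza, {}).get(mode, [])
    return "*" in roles or role in roles


def broad_grants(stanzas) -> List[Tuple[str, str]]:
    """Return (stanza, mode) pairs where '*' grants every role access."""
    return [(name, mode) for name, acl in stanzas.items()
            for mode in ("read", "write") if "*" in acl[mode]]


if __name__ == "__main__":
    parsed = parse_meta(SAMPLE_META)
    print("power can read accesscontrols:", role_allowed(parsed, "manager/accesscontrols", "power"))
    print("wildcard grants:", broad_grants(parsed))
```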

Explorer

I created a new role as admin 'act_admin'. I added the stanza to $SPLUNK_HOME/etc/apps/search/metadata/local.meta

[manager/accesscontrols]
access = read : [ admin, act_admin ], write : [ admin ]

I restarted the service, then added 'edit_user' to the act_admin role which also includes the 'user' role. As a user in act_admin I can now see the users but the 'default app inherited from' column shows '[PROCESSING ERROR]'. The user role and the act_admin role both have 'search' as the default app. Is there something else to check/modify to correct the 'PROCESSING ERROR'?

Splunk Employee

Can you provide a little more detail about what's not working?

The local.meta change should cause the subentry to appear in the top level manager page. The role change should cause the action of creating a user (using rest API, command line, or manager) to work.

It may be that the local.meta statement must exist in the search app, not other apps, because it is describing a resource which exists in the search app.

Splunk Employee

Two things that you might try: make sure that the "test" role is inheriting the "user" role, not just copying its capabilities. And make sure that the "test" role and "test" user default to the app in question in their definitions.

Splunk Employee

Hm, I was able to get the process to work on my end.

Created a role "test" that inherited its properties from "user," (and which defaulted to the Search app) then added the edit_users capability to it.

Added a local.meta file with read : [ admin, test ] for [manager/accesscontrols].

Saved all my changes and checked--the user "test" could add users. Curious.

Influencer

Hmm, can't seem to get this to work on my test system. I'm creating a new role "test" and applying it to a user "test".

The role has "user" capabilities plus the role and user capabilities mentioned above. And I changed the app's "local.meta" file as stated, and restarted but it's not working.

?! :s

I have tried this at different levels and with use of the "*" (asterisk) and still no luck.
