Security

Splunk Alert and Dashboard Creation Permissions

anandhalagarasa
Path Finder

Hi Team,

We have deployed Splunk Cloud in our organisation, and access for the users has been provided via SAML authentication. We have different application teams, and hence we have created different application roles and provided user-level access to search the data with the respective index in Splunk Cloud.

Now a particular user has been assigned to the X user-level role, and he is able to access Splunk Cloud, search the data in index=x, and create alerts and dashboards as well. But any alert or dashboard that gets created is saved as Private, and only that user is able to view and access the alerts and dashboards, whereas others with the same role aren't able to view them, and they also aren't able to share the data globally since they don't have access. So where and how do we need to change the access level so that users assigned to a particular role can modify and share the alerts and dashboards globally?

So kindly help to check and update on the same.

0 Karma

woodcock
Esteemed Legend

We usually give up on the default roles or at least strip out all access to index values. Then we create new roles based on index values ONLY (No other capabilities added). This way, when ANY user of ANY time needs access to any particular index, we simply add the role named for that index to his user. Also, don't forget that when users create knowledge objects, they usually start out with private scope and only that user can see/use them. Remind users that when they need to share, the user must bump up the permissions to at least app level.

0 Karma

aberkow
Builder

Perhaps I'm misinterpreting the question, but are you just asking how to edit permissions on knowledge objects so everyone has access to it? The person who created the object (alert/dashboard) can edit it using the edit functionality in the top right corner of the dashboard/alert to change the permissions to app and by role.

Additionally, if the person isn't with the company or can't do this themselves, an admin can go into Settings (top right corner of the Splunk UI) -> All Configurations (bottom of the "Knowledge" list in the dropdown) -> Search for the name of the object -> change the permissions to be not private under the "Sharing" section.

Did this answer your question? Sorry if I misunderstood!

0 Karma
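
The sharing change described in the answer above can also be made through Splunk's REST ACL endpoint for knowledge objects. The following is an added example, not code from the thread or from Splunk: it builds the request that moves an alert or dashboard from private to app-level sharing for named roles only. The host, token, owner, app, object and role names are constructed placeholders, and it assumes REST access to the management port and token authentication are available on the stack.

```python
from urllib.parse import quote, urlencode
from urllib.request import Request

# Knowledge-object kinds mapped to their REST collection paths.
ENDPOINTS = {"alert": "saved/searches", "dashboard": "data/ui/views"}

def build_acl_request(base_url, token, kind, owner, app, name,
                      sharing, read_roles, write_roles=()):
    """Build (not send) the POST that changes a knowledge object's sharing."""
    if kind not in ENDPOINTS:
        raise ValueError(f"unsupported object kind: {kind}")
    if sharing not in ("user", "app", "global"):
        raise ValueError(f"unsupported sharing level: {sharing}")
    # Least privilege: when sharing beyond the owner, require explicit
    # role names instead of silently granting read to everyone.
    if sharing != "user" and (not read_roles or "*" in read_roles):
        raise ValueError("name the roles that may read the shared object")
    # owner/app/name are path segments; encode spaces and slashes.
    path = "/".join(quote(p, safe="") for p in (owner, app))
    url = (f"{base_url}/servicesNS/{path}/{ENDPOINTS[kind]}/"
           f"{quote(name, safe='')}/acl")
    form = {"sharing": sharing, "owner": owner}
    if sharing != "user":
        form["perms.read"] = ",".join(read_roles)
        if write_roles:
            form["perms.write"] = ",".join(write_roles)
    return Request(url, data=urlencode(form).encode(), method="POST",
                   headers={"Authorization": f"Bearer {token}"})

# Constructed sample: share jdoe's private alert with role_x in the search app.
SAMPLE = build_acl_request(
    "https://example.splunkcloud.com:8089",  # placeholder management URL
    "PLACEHOLDER_TOKEN", "alert", "jdoe", "search", "Disk usage alert",
    sharing="app", read_roles=["role_x"], write_roles=["role_x"])

if __name__ == "__main__":
    # Inspect before sending; urllib.request.urlopen(SAMPLE) would submit it.
    print(SAMPLE.get_method(), SAMPLE.full_url)
    print(SAMPLE.data.decode())
```
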

anandhalagarasa
Path Finder

Can anyone help with my query?

0 Karma