We are administering Splunk for a number of groups. One of these groups is more splunk-sophisticated and has users that are interested in using CLI commands to work directly with their splunk artifacts -- in addition to using the Web UI.
The question is how do we restrict them to using CLI just on their artifacts and not on other groups indexes, forwarders etc.
As far as permissions via
roles, CLI vs GUI makes no difference. Just make sure that you have the proper restrictions setup in the users' roles:
In Linux it is easy enough to give users access to their own application folders/files, however, When a knowledge object is created in the GUI the ownership of that file is Splunk or Root and that user cannot modify it at the CLI. Am I missing something fundamental here?
Does this not make sense to you? That is exactly how I would have designed it: the user that is running the Splunk instance (which is usually either
root) is the one that will own all of the KOs from a host-OS perspective. The GUI will allow any user who is logged in to edit his own stuff from the GUI. You can do the SAME THING with the Splunk CLI but you have to use the
splunk CLI command to do it (i.e. $SPLUNK_HOME/bin/splunk add ...). As you have found, you cannot use the host OS CLI to do it by using a regular editor.