
Splunk setting roles

standias
Explorer

Hi,

I want to set a role in Splunk such that the user is restricted to only searching. NO admin privileges.

Manager>Roles

Role:

Capabilities:

   search

Index:

   muncher

Is only setting search enough under capabilities to restrict the user to only searching for index muncher? Also, if I want the user to be able to create report/schedule search, will this capability allow that or do I have to set additional capabilities?

get_typeahead? What exactly is this? Does it autocomplete previously entered queries?


Rob
Splunk Employee

You may want to include the following two capabilities for the user as well...

rest_properties_get

get_metadata

The first will allow the user to log in without getting an Authorization error (assuming you are using the default Splunk authentication system) and the second will show the data in the search summary page.

schedule_search is the capability you will want to add for users to schedule searches. The reporting functionality is already enabled with the search capability.

get_typeahead within Splunk returns typeahead on a specified prefix. This works as the auto-complete on previous searches and could potentially reveal sensitive information.

For more information on role capabilities, you may want to refer to the admin documentation located at http://www.splunk.com/base/Documentation/4.1.5/Admin/Addusersandassignroles#List_of_available_capabi...
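One way to check that a role stays within the search-only profile discussed in this thread, added here as an example and not part of the original posts or Splunk's own tooling: it parses role stanzas in `authorize.conf` format and reports capabilities, searchable indexes and inherited roles beyond what the answer lists. The role names and the sample file contents are constructed, and treating the four capabilities from the answer as the complete allowlist is an assumption.

```python
import configparser

# Assumption: the allowlist is exactly the capabilities named in the answer above.
ALLOWED_CAPS = {"search", "rest_properties_get", "get_metadata", "schedule_search"}
ALLOWED_INDEXES = {"muncher"}  # the index from the question

# Constructed sample authorize.conf; both role names are hypothetical.
SAMPLE_CONF = """
[role_muncher_search]
search = enabled
rest_properties_get = enabled
get_metadata = enabled
schedule_search = enabled
srchIndexesAllowed = muncher
srchIndexesDefault = muncher

[role_muncher_loose]
importRoles = user
search = enabled
get_typeahead = enabled
srchIndexesAllowed = muncher;main
"""

def audit_roles(conf_text):
    """Return {role: [findings]} for every [role_*] stanza in conf_text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. srchIndexesAllowed
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        opts = dict(cp.items(section))
        # A capability is granted by "<capability> = enabled".
        caps = {k for k, v in opts.items() if v.strip().lower() == "enabled"}
        findings = [f"extra capability: {c}" for c in sorted(caps - ALLOWED_CAPS)]
        # Index lists are semicolon-separated; "*" is reported like any other extra.
        indexes = {i.strip() for i in opts.get("srchIndexesAllowed", "").split(";") if i.strip()}
        findings += [f"extra index: {i}" for i in sorted(indexes - ALLOWED_INDEXES)]
        # Imported roles can add capabilities and indexes not listed in this stanza.
        inherited = [r.strip() for r in opts.get("importRoles", "").split(";") if r.strip()]
        if inherited:
            findings.append("inherits from: " + ",".join(inherited))
        report[section[len("role_"):]] = findings
    return report

if __name__ == "__main__":
    for role, findings in audit_roles(SAMPLE_CONF).items():
        print(role, "->", findings or "within search-only profile")
```
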


sh1pit76
Explorer

I know this post is a bit old, but I'm curious what you meant when you said get_typeahead "could potentially reveal sensitive information." Can you give me an example when this would expose sensitive information? I was under the impression that get_typeahead works by comparing your search syntax to those you've entered previously. If this is true, wouldn't get_typeahead only reveal already known information to the user?

Thanks
Jason
