Security

Splunk setting roles

standias
Explorer

Hi,

I want to set role in Splunk such that user is restricted to only searching. NO admin privileges..

Manager>Roles

Role:

Capabilities:

   search

Index:

   muncher

Is only setting search enough under capabilities to restrict user to only searching for index muncher? Also if i want user to be able to create report/schedule search... will this capability allow that or I have to set additional capabilities.

get_typeahead? what exactly is this.. Does it autocomplete previously entered queries?

Tags (1)
0 Karma
1 Solution

Rob
Splunk Employee
Splunk Employee

You may want to include the following two capabilities for the user as well...

rest_properties_get

get_metadata

The first will allow the user to login without getting an Authorization error (assuming you are using the default Splunk authentication system) and the second will show the data in the search summary page.

schedule_search is the capability you will want to add for users to schedule searches. The reporting functionality is already enabled with the search capability.

get_typeahead within Splunk returns typeahead on a specified prefix. This works as the auto-complete on previous searches and could potentially reveal sensitive information.

For more information on role capabilities, you may want to refer to the admin documentation located at http://www.splunk.com/base/Documentation/4.1.5/Admin/Addusersandassignroles#List_of_available_capabi...

View solution in original post

Rob
Splunk Employee
Splunk Employee

You may want to include the following two capabilities for the user as well...

rest_properties_get

get_metadata

The first will allow the user to login without getting an Authorization error (assuming you are using the default Splunk authentication system) and the second will show the data in the search summary page.

schedule_search is the capability you will want to add for users to schedule searches. The reporting functionality is already enabled with the search capability.

get_typeahead within Splunk returns typeahead on a specified prefix. This works as the auto-complete on previous searches and could potentially reveal sensitive information.

For more information on role capabilities, you may want to refer to the admin documentation located at http://www.splunk.com/base/Documentation/4.1.5/Admin/Addusersandassignroles#List_of_available_capabi...

sh1pit76
Explorer

I know this post is a bit old, but I'm curious what you meant when you said get_typeahead "could potentially reveal sensitive information." Can you give me an example when this would expose sensitive information? I was under the impression that get_typeahead works by comparing your search syntax to those you've entered previously. If this is true, wouldn't get_typeahead only reveal already known information to the user?

Thanks
Jason

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...