Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

View only User

florianhh
Explorer
‎06-14-2021 07:21 AM

Hello Splunkys,

i read this post Link on the Splunk Forum. 

I created a App and it only contains 1 dashboard. I create a user that has only access to this app.

But you can't disable the users permission to view the search app.

If you do that you get a 500 error after logging in. 

If you dont do it and allow view for the search app then it works but then the user is able to search more.

Also Basically every think in Splunk that is clickable at that point will prompt you with a 500 internal server error page. Thats not cool.

We need a Role for Helpdesk personal that shows something but we do not want that these persons can lookup some spl and spy on employee's.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 10:13 PM

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 10:13 PM

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

Reply
Solved! Jump to solution

florianhh
Explorer
‎06-15-2021 12:32 AM

Thank you !

I've tried that from the WebUI but it did not work.

I now did it trough  the .conf file as you suggested and now it works.

Oddly now the webUI Shows (EventCode::4740)  as filter.  Why is that odd format with :: ?

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-15-2021 05:06 PM

@florianhh 

:: is used for indexed fields preferred by Splunk. Otherwise EventCode=1234 OR EventCode::1234 both are same. If EventCode is not an indexed field with :: you won't get any results. It's always better to search in UI first and add it to search filter.

--

An upvote would be appreciated if it helps!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...