Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

View only User

florianhh
Explorer
‎06-14-2021 07:21 AM

Hello Splunkys,

i read this post Link on the Splunk Forum. 

I created a App and it only contains 1 dashboard. I create a user that has only access to this app.

But you can't disable the users permission to view the search app.

If you do that you get a 500 error after logging in. 

If you dont do it and allow view for the search app then it works but then the user is able to search more.

Also Basically every think in Splunk that is clickable at that point will prompt you with a 500 internal server error page. Thats not cool.

We need a Role for Helpdesk personal that shows something but we do not want that these persons can lookup some spl and spy on employee's.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 10:13 PM

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 10:13 PM

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

Reply
Solved! Jump to solution

florianhh
Explorer
‎06-15-2021 12:32 AM

Thank you !

I've tried that from the WebUI but it did not work.

I now did it trough  the .conf file as you suggested and now it works.

Oddly now the webUI Shows (EventCode::4740)  as filter.  Why is that odd format with :: ?

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-15-2021 05:06 PM

@florianhh 

:: is used for indexed fields preferred by Splunk. Otherwise EventCode=1234 OR EventCode::1234 both are same. If EventCode is not an indexed field with :: you won't get any results. It's always better to search in UI first and add it to search filter.

--

An upvote would be appreciated if it helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...