Security

View only User

florianhh
Explorer

Hello Splunkys,

i read this post Link on the Splunk Forum. 

I created a App and it only contains 1 dashboard. I create a user that has only access to this app.

But you can't disable the users permission to view the search app.

If you do that you get a 500 error after logging in. 

If you dont do it and allow view for the search app then it works but then the user is able to search more.

Also Basically every think in Splunk that is clickable at that point will prompt you with a 500 internal server error page. Thats not cool.

We need a Role for Helpdesk personal that shows something but we do not want that these persons can lookup some spl and spy on employee's.

Labels (1)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

View solution in original post

venkatasri
SplunkTrust
SplunkTrust

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

florianhh
Explorer

Thank you !

I've tried that from the WebUI but it did not work.

I now did it trough  the .conf file as you suggested and now it works.

Oddly now the webUI Shows (EventCode::4740)  as filter.  Why is that odd format with :: ?

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@florianhh 

:: is used for indexed fields preferred by Splunk. Otherwise EventCode=1234 OR EventCode::1234 both are same. If EventCode is not an indexed field with :: you won't get any results. It's always better to search in UI first and add it to search filter.

--

An upvote would be appreciated if it helps!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...