Security

View only User

florianhh
Explorer

Hello Splunkys,

i read this post Link on the Splunk Forum. 

I created a App and it only contains 1 dashboard. I create a user that has only access to this app.

But you can't disable the users permission to view the search app.

If you do that you get a 500 error after logging in. 

If you dont do it and allow view for the search app then it works but then the user is able to search more.

Also Basically every think in Splunk that is clickable at that point will prompt you with a 500 internal server error page. Thats not cool.

We need a Role for Helpdesk personal that shows something but we do not want that these persons can lookup some spl and spy on employee's.

Labels (1)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

View solution in original post

venkatasri
SplunkTrust
SplunkTrust

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

florianhh
Explorer

Thank you !

I've tried that from the WebUI but it did not work.

I now did it trough  the .conf file as you suggested and now it works.

Oddly now the webUI Shows (EventCode::4740)  as filter.  Why is that odd format with :: ?

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@florianhh 

:: is used for indexed fields preferred by Splunk. Otherwise EventCode=1234 OR EventCode::1234 both are same. If EventCode is not an indexed field with :: you won't get any results. It's always better to search in UI first and add it to search filter.

--

An upvote would be appreciated if it helps!

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...