
What capabilities are needed for a non-admin user to update Server Classes and Clients in Settings -> Forwarder Management

Motivator

We've got a special role for non-admin security team members and I'd like some of them to be able to use Forwarder Management (in the Settings menu) to add new clients to a Server Class. I can't figure out what the required Capabilities are that need to be added to their role.


Communicator

I personally never gave that capability to anyone. But you could try editdeploymentclient, editdeploymentserver, listdeploymentserver capabilities.


Motivator

I downvoted this post because it is not working fully as it should.


Motivator

With the three I mentioned above, he was able to add systems to the whitelist of clients in a Server Class, and he was able to create a new Server Class. However, he was not able to add an application to the new Server Class. I added back in the editdeploymentclient but this made no difference. It throws the following error when you try to save after editing settings and a similar one when trying to add an app:

User 'cinders' with roles { cinders, user, user_oit_security } cannot write: /nobody/system/serverclass/serverClass:OIT_SC_winevent_index_ADFS:app:OIT_DA_winevent_index_ADFS/restartSplunkWeb { read : [ * ], write : [admin ] }, removable: no

Path Finder

I have the same issue. It looks like the "editdeploymentserver" capability should confer this permission, but it doesn't. It looks like this could be worked around by editing some metadata (which one, I wonder, $SPLUNK_HOME/etc/system/metadata/local.meta?), and adding the proper role at some level. But I don't want to mess with that. I want the capability to work the way you'd expect.


Motivator

In order to edit the Server Classes you need to have editdeploymentserver turned on. This allows creating/editing Server Classes, adding an app to the Server Class, and editing the client list. I did not have to enable editdeploymentclient for these functions, which is what I want this person to be able to do, so I have left that off. I also enabled listdeploymentclient and listdeploymentserver.

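The capability set from the final answer, written out as an authorize.conf role stanza. This is an added example, not configuration from the thread; the role name user_oit_security is taken from the error message above, the file location and the importRoles setting are assumptions about a standard Splunk install.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf (assumed location)
# Least-privilege role for security staff who manage Forwarder Management
# without being admins. Grants only what the thread found necessary.
[role_user_oit_security]
importRoles = user

# Required: create/edit Server Classes, add apps, edit the client list.
editdeploymentserver = enabled

# Read-only views of the deployment server and its clients.
listdeploymentserver = enabled
listdeploymentclient = enabled

# Deliberately omitted: the final post reports it was not needed for
# these tasks, so it is left off rather than granted "just in case".
# editdeploymentclient = enabled
```

A restart of Splunk is needed for authorize.conf changes to take effect; afterwards, attempting a save that still fails with a "cannot write ... write : [admin ]" error indicates an object-level ACL on that serverclass entry rather than a missing capability.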