Security

What capabilities does a REST API only user need?

ckurtz
Path Finder

I want to create a user that can ONLY access Splunk via the REST API and run (potentially only saved) searches.

What are the minimum capabilities needed to login via REST and access saved searches? I know I need rest_properties_get but what is the bare minimum needed to login and search.

leomeyerovich
Explorer

It took us awhile for Graphistry - search and rest_properties_get. You should verify, but that appears to preclude web login as desired as well.

Jason
Motivator

It does not seem possible at the moment. (Tested on 6.3.3.) A new user, with only a role with no inheritance and no capabilities, can still log into the UI of Splunk.

What you can do is go through the permissions of each and every app (Apps > Manage Apps > "Permissions" on every one "visible") to disable. This won't disable logons to the UI but will render the UI effectively useless.

(Keep in mind that any field extractions and knowledge objects in a visible app will then not be available for you - so keep all knowledge objects in separate, non "visible" Technology Add-ons if you want your API-only user to be able to use them!)

0 Karma

tmillay
Engager

In my environment the user role already had the following rest-related capabilities:
rest_apps_view
rest_properties_get
rest_properties_set

It turned out that this was not enough to allow a user to authenticate, I created a new role and found that just by adding a single capability the user was able to authenticate and use the API:
rest_apps_management

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...