Security

What capabilities does a REST API only user need?

ckurtz
Path Finder

I want to create a user that can ONLY access Splunk via the REST API and run (potentially only saved) searches.

What are the minimum capabilities needed to login via REST and access saved searches? I know I need rest_properties_get but what is the bare minimum needed to login and search.

leomeyerovich
Explorer

It took us awhile for Graphistry - search and rest_properties_get. You should verify, but that appears to preclude web login as desired as well.

Jason
Motivator

It does not seem possible at the moment. (Tested on 6.3.3.) A new user, with only a role with no inheritance and no capabilities, can still log into the UI of Splunk.

What you can do is go through the permissions of each and every app (Apps > Manage Apps > "Permissions" on every one "visible") to disable. This won't disable logons to the UI but will render the UI effectively useless.

(Keep in mind that any field extractions and knowledge objects in a visible app will then not be available for you - so keep all knowledge objects in separate, non "visible" Technology Add-ons if you want your API-only user to be able to use them!)

0 Karma

tmillay
Engager

In my environment the user role already had the following rest-related capabilities:
rest_apps_view
rest_properties_get
rest_properties_set

It turned out that this was not enough to allow a user to authenticate, I created a new role and found that just by adding a single capability the user was able to authenticate and use the API:
rest_apps_management

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!