Security

What capabilities does a REST API only user need?

ckurtz
Path Finder

I want to create a user that can ONLY access Splunk via the REST API and run (potentially only saved) searches.

What are the minimum capabilities needed to login via REST and access saved searches? I know I need rest_properties_get but what is the bare minimum needed to login and search.

damode1
Path Finder

schedule_search is all you need from my experience

0 Karma

verbal_666
Builder

It's an old question, but i came though the same issue.
You have to enable "dispatch_rest_to_indexers" for the Role to query also Indexers rest api (like Storage or any other api inside Indexers side).

0 Karma

leomeyerovich
Explorer

It took us awhile for Graphistry - search and rest_properties_get. You should verify, but that appears to preclude web login as desired as well.

Jason
Motivator

It does not seem possible at the moment. (Tested on 6.3.3.) A new user, with only a role with no inheritance and no capabilities, can still log into the UI of Splunk.

What you can do is go through the permissions of each and every app (Apps > Manage Apps > "Permissions" on every one "visible") to disable. This won't disable logons to the UI but will render the UI effectively useless.

(Keep in mind that any field extractions and knowledge objects in a visible app will then not be available for you - so keep all knowledge objects in separate, non "visible" Technology Add-ons if you want your API-only user to be able to use them!)

0 Karma

tmillay
Engager

In my environment the user role already had the following rest-related capabilities:
rest_apps_view
rest_properties_get
rest_properties_set

It turned out that this was not enough to allow a user to authenticate, I created a new role and found that just by adding a single capability the user was able to authenticate and use the API:
rest_apps_management

Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...