Security

What capabilities does a REST API only user need?

ckurtz
Path Finder

I want to create a user that can ONLY access Splunk via the REST API and run (potentially only saved) searches.

What are the minimum capabilities needed to log in via REST and access saved searches? I know I need rest_properties_get, but what is the bare minimum needed to log in and search?

damode1
Path Finder

schedule_search is all you need, from my experience.

0 Karma

verbal_666
Contributor

It's an old question, but I came across the same issue.
You have to enable "dispatch_rest_to_indexers" for the role to also query the indexers' REST API (like Storage or any other API on the indexer side).

0 Karma

leomeyerovich
Explorer

It took us a while for Graphistry - search and rest_properties_get. You should verify, but that appears to preclude web login as desired as well.

Jason
Motivator

It does not seem possible at the moment. (Tested on 6.3.3.) A new user, with only a role with no inheritance and no capabilities, can still log into the UI of Splunk.

What you can do is go through the permissions of each and every app (Apps > Manage Apps > "Permissions" on every one "visible") to disable. This won't disable logons to the UI but will render the UI effectively useless.

(Keep in mind that any field extractions and knowledge objects in a visible app will then not be available for you - so keep all knowledge objects in separate, non "visible" Technology Add-ons if you want your API-only user to be able to use them!)

0 Karma

tmillay
Engager

In my environment the user role already had the following rest-related capabilities:
rest_apps_view
rest_properties_get
rest_properties_set

It turned out that this was not enough to allow a user to authenticate. I created a new role and found that just by adding a single capability the user was able to authenticate and use the API:
rest_apps_management
