Security

What is the minimum capability for User to delete a native user

Hi all,
I have created a user which can delete splunk's native user using Rest API.

However, I want to provide the minimal capability to perform such action.

Currently the minimum roles I am able to provide is :

admin_all_objects
change_authentication
dispatch_rest_to_indexers
edit_roles
edit_user
rest_properties_get
rest_properties_set
schedule_rtsearch

If I add role- 'power' as inheritance, it performs the user removal action.
But I don't want to add 'power' as it also comes with other extra capabilities.

Please help...
Thanks in advance

0 Karma

Splunk Employee
Splunk Employee

Hi Harshal,

The edit_user capability will have the ability to delete the user. You have already granted the capability so no need to add power role. You can control the access via grantable roles in authorize.conf

For example:
[roletest]
admin
allobjects = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
dispatch
resttoindexers = enabled
editroles = enabled
edit
user = enabled
grantableRoles = test;admin;power
restappsview = enabled
restpropertiesget = enabled
restpropertiesset = enabled
srchMaxTime = 8640000

The user with test role will let me delete the user with test, admin and power role.
You can go through splunk doc for further details: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Rolesandcapabilities

Thanks,
Lavina

0 Karma