Re: What is the minimum capability for User to del...

harshal_chakran · ‎07-22-2019

Hi all,
I have created a user which can delete splunk's native user using Rest API.

However, I want to provide the minimal capability to perform such action.

Currently the minimum roles I am able to provide is :

admin_all_objects
change_authentication
dispatch_rest_to_indexers
edit_roles
edit_user
rest_properties_get
rest_properties_set
schedule_rtsearch

If I add role- 'power' as inheritance, it performs the user removal action.
But I don't want to add 'power' as it also comes with other extra capabilities.

Please help...
Thanks in advance

lmethwani_splun · ‎08-27-2019

Hi Harshal,

The edit_user capability will have the ability to delete the user. You have already granted the capability so no need to add power role. You can control the access via grantable roles in authorize.conf

For example:
[role_test]
admin_all_objects = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
dispatch_rest_to_indexers = enabled
edit_roles = enabled
edit_user = enabled
grantableRoles = test;admin;power
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
srchMaxTime = 8640000

The user with test role will let me delete the user with test, admin and power role.
You can go through splunk doc for further details: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Rolesandcapabilities

Thanks,
Lavina

What is the minimum capability for User to delete a native user

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms