Security

What is the minimum capability for User to delete a native user

harshal_chakran
Builder

Hi all,
I have created a user which can delete splunk's native user using Rest API.

However, I want to provide the minimal capability to perform such action.

Currently the minimum roles I am able to provide is :

admin_all_objects
change_authentication
dispatch_rest_to_indexers
edit_roles
edit_user
rest_properties_get
rest_properties_set
schedule_rtsearch

If I add role- 'power' as inheritance, it performs the user removal action.
But I don't want to add 'power' as it also comes with other extra capabilities.

Please help...
Thanks in advance

0 Karma

lmethwani_splun
Splunk Employee
Splunk Employee

Hi Harshal,

The edit_user capability will have the ability to delete the user. You have already granted the capability so no need to add power role. You can control the access via grantable roles in authorize.conf

For example:
[role_test]
admin_all_objects = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
dispatch_rest_to_indexers = enabled
edit_roles = enabled
edit_user = enabled
grantableRoles = test;admin;power
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
srchMaxTime = 8640000

The user with test role will let me delete the user with test, admin and power role.
You can go through splunk doc for further details: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Rolesandcapabilities

Thanks,
Lavina

0 Karma
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...