What capabilities I need to give to particular user on master node in order to view monitoring console?
Right now I have given admin_all_objects capability.
But when I am checking health check it is showing instances not reachable.
And if I am logging in with admin credentials all instances are showing as reachable.
Currently I have given user and power role to user along with admin_all_objects capability.
Thanks in advance.
You need to provide in total three capabilities to view the monitoring console for user privileges.
The dispatch_rest_to_indexers capability will show the resource usage of each instance and edit_dist_peer will fix the instance unreachable error.
Hi swmishra [Splunk],
Thanks for your feedback, but I think the advice given with this answer is not correct and dangerous. Granting users
admin_all_objects will make them an admin of your instance, and is not needed just to view the monitoring console nor recommended security wise.
Take a look at my posted
[role_mc-users] config it contains all capabilities needed to grant secure access for users to the monitoring console.
Hope this helps ...
There is no need to grant
admin_all_objects to a user to access MC; you can create a new role with these limited capabilities:
[role_mc-users] cumulativeRTSrchJobsQuota = 0 cumulativeSrchJobsQuota = 0 dispatch_rest_to_indexers = enabled importRoles = power;user license_tab = enabled list_deployment_client = enabled list_deployment_server = enabled list_forwarders = enabled list_health = enabled list_httpauths = enabled list_indexer_cluster = enabled list_indexerdiscovery = enabled list_search_head_clustering = enabled list_search_scheduler = enabled list_settings = enabled srchIndexesAllowed = _* srchIndexesDefault = _* srchMaxTime = 0
and allow this role
read access to the Monitoring Console app. This will do the task.
Hope this helps ...
@MuS - We have created a non-admin role with all the above capabilities but a user in the role is unable to launch the health check tab. It does nothing and is stuck at "Loading...". An admin can pull up the page immediately.
@swmishra_splunk I do understand that admin_all_objects can fix this problem but the whole point is assigning only appropriate permissions so as to allow a non-admin execute health checks.
Can you please advise if some other capability can allow us to view the health check page?
the question here was
... to view ... the MC and that's what this role provides, capabilities to view the MC. I never tested nor intended to have this role run a health check to be honest.
Ah ok @MuS . With some testing I was able to figure out the answer to my question.
In addition to edit_dist_peer, edit_health does the trick. I.e your mc users capability + the above two edit roles is what I was looking for. Hope it helps someone attempting to set something up similar.
see at http://docs.splunk.com/Documentation/Splunk/7.0.0/DMC/Deploymentsetupsteps .
the problem isn't user capabilities, you have to configure your DMC to see all Splunk systems data, in other words "Add all instances as search peers".